Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add signing to utils script #58

Merged
merged 4 commits into from
Sep 4, 2024
Merged

Add signing to utils script #58

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ef9f404
Add signing to utils script
alextserepov Sep 2, 2024
f5c4d99
Improve signing utils
henrirosten Sep 3, 2024
3d85d00
Sign with INT-Ghaf-Devenv-Common certificate
henrirosten Sep 4, 2024
c15e01e
Don't fail the build if signing fails
henrirosten Sep 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 32 additions & 4 deletions utils.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,17 @@ def nix_build(String flakeref, String subdir=null) {
epoch_seconds = (int) (new Date().getTime() / 1000l)
env."BEG_${flakeref_trimmed}_${env.BUILD_TAG}" = epoch_seconds
sh "nix build ${flakeref} ${opts}"
// If the build result is an image, produce a signature file
img_relpath = subdir ? find_img_relpath(flakeref, subdir, abort_on_error='false') : ""
if (img_relpath) {
target_path = "${subdir}/${img_relpath}"
sig_path = "sig/${img_relpath}.sig"
sign_file(target_path, sig_path)
// Archive signature file alongside the target image
archive_artifacts("sig")
} else {
println "Build result is not an image, skipping image signing"
}
// Store the build end time to job's environment
epoch_seconds = (int) (new Date().getTime() / 1000l)
env."END_${flakeref_trimmed}_${env.BUILD_TAG}" = epoch_seconds
Expand Down Expand Up @@ -106,6 +117,9 @@ def provenance(String flakeref, String outdir, String flakeref_trimmed) {
"""
opts = "--recursive --out ${outdir}/provenance.json"
sh "provenance ${flakeref} ${opts}"
// Sign the provenance
target_path = "${outdir}/provenance.json"
sign_file(target_path, "${target_path}.sig")
}

def sbomnix(String tool, String flakeref) {
Expand All @@ -129,23 +143,37 @@ def sbomnix(String tool, String flakeref) {
archive_artifacts("scs")
}

def find_img_relpath(String flakeref, String subdir) {
def find_img_relpath(String flakeref, String subdir, String abort_on_error="true") {
flakeref_trimmed = "${flakeref_trim(flakeref)}"
img_relpath = sh(
script: """
cd ${subdir} && \
find -L ${flakeref_trimmed} -regex '.*\\.\\(img\\|raw\\|zst\\|iso\\)\$' -print -quit
""", returnStdout: true).trim()
if (!img_relpath) {
// Error out stopping the pipeline execution if image was not found
println "Error: no image found from '${subdir}/${flakeref_trimmed}'"
sh "exit 1"
println "Warning: no image found from '${subdir}/${flakeref_trimmed}'"
// Error out stopping the pipeline execution if abort_on_error was set
sh "if [ '${abort_on_error}' = 'true' ]; then exit 1; fi"
} else {
println "Found flakeref '${flakeref}' image '${img_relpath}'"
}
return img_relpath
}

def sign_file(String path, String sigfile, String cert="INT-Ghaf-Devenv-Common") {
println "sign_file: ${path} ### ${cert} ### ${sigfile}"
try {
sh(
// See the 'sign' command at: https://github.com/tiiuae/ci-yubi
script: """
mkdir -p \$(dirname '${sigfile}') || true
sign --path=${path} --cert=${cert} --sigfile=${sigfile}
""", returnStdout: true).trim()
} catch (Exception e) {
println "Warning: signing failed: sigfile will not be generated for: ${path}"
}
}

def ghaf_hw_test(String flakeref, String device_config, String jenkins_url, String testset='_boot_') {
testagent_nodes = nodesByLabel(label: 'testagent', offline: false)
if (!testagent_nodes) {
Expand Down
Loading