Add signing to utils script #58

Merged
merged 4 commits into from
Sep 4, 2024
35 changes: 35 additions & 0 deletions utils.groovy
Expand Up @@ -63,6 +63,8 @@ def nix_build(String flakeref, String subdir=null) {
epoch_seconds = (int) (new Date().getTime() / 1000l)
env."BEG_${flakeref_trimmed}_${env.BUILD_TAG}" = epoch_seconds
sh "nix build ${flakeref} ${opts}"
// Sign the build result
sign_relpath(flakeref, subdir)
// Store the build end time to job's environment
epoch_seconds = (int) (new Date().getTime() / 1000l)
env."END_${flakeref_trimmed}_${env.BUILD_TAG}" = epoch_seconds
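Review bot: `sign_relpath(flakeref, subdir)` is called unconditionally, but `nix_build` declares `String subdir=null`, and `sign_relpath` builds its path as `"$subdir/..."`, so a caller relying on the default will produce a path starting with `null/`. Either guard the call (`if (subdir) { sign_relpath(flakeref, subdir) }`) or make `subdir` a required argument. Note also that the `END_...` timestamp is now taken after signing, so the recorded build duration includes the signing step; if that timing is consumed elsewhere, consider moving the sign call after the `env."END_..."` assignment.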
Expand Down Expand Up @@ -106,6 +108,12 @@ def provenance(String flakeref, String outdir, String flakeref_trimmed) {
"""
opts = "--recursive --out ${outdir}/provenance.json"
sh "provenance ${flakeref} ${opts}"
// Sign the provenance
path="${outdir}/provenance.json"
cert="INT-lenovo-x1-carbon-gen11-debug-x86-64-linux"
Collaborator

As you wrote, we should not hardcode this.

Contributor Author

Absolutely. This will be replaced with target handling in later versions. For now we have to hardcode. Though, if you prefer it this way, I'm fine implementing target selector within the scope of this PR.

Collaborator

I would go with a more complete implementation already now, unless there's a good reason not to. I'm not sure how you are planning to do this, but if it takes days or more then maybe go with this temporary version first.

Collaborator

@henrirosten henrirosten Sep 3, 2024

This is pending @alextserepov, I guess the main options now are:

  • For this first version, we just sign everything with "INT-lenovo-x1-carbon-gen11-debug-x86-64-linux" (which is what it now does).
  • For now, we introduce a new common certificate e.g. "INT-common" (just an example), and change this PR so that everything would be signed with that new 'common' certificate.
  • We introduce certificates for all targets we are planning to build for the next Ghaf release, and use a separate certificate for each target. At this point, it's still unclear (to me at least) what are the exact targets we are going to build for the Ghaf release, and thus, what would be all the certificates we would have to make available in the Azure certificate storage.

Collaborator

Discussed with @alextserepov that we would go with above option (2) initially, see commit 3d85d00.

The new common certificate still needs to be properly set up in Azure certificate storage, so we can't merge this yet.

sigfile="${path}.sig"
sign_file(path, cert, sigfile)

}

def sbomnix(String tool, String flakeref) {
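Review bot: the provenance signature is written but never verified, whereas `sign_relpath` in this same change runs `verify_signature` right after signing; calling `verify_signature(path, cert, sigfile)` here as well would catch a bad or missing signature before the job moves on. The certificate name is also a second copy of the literal already used in `sign_relpath`, so if it must be hardcoded for now, keep it in one place (a single variable or a function argument) rather than two. Finally, `path`, `cert` and `sigfile` are assigned without `def`, which in pipeline Groovy makes them script-wide binding variables rather than locals; prefer `def path = "${outdir}/provenance.json"`.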
Expand Down Expand Up @@ -146,6 +154,33 @@ def find_img_relpath(String flakeref, String subdir) {
return img_relpath
}

def sign_file(String path, String cert, String sigfile) {
println "sign_file: ${path} ### ${cert} ### ${sigfile}"
res = sh(
script: """
nix run github:tiiuae/ci-yubi#sign -- --path=${path} --cert=${cert} --sigfile=${sigfile}
""", returnStdout: true).trim()
return res
}

def verify_signature(String path, String cert, String sigfile) {
println "verify_signature: ${path} ### ${cert} ### ${sigfile}"
res = sh(
script: """
nix run github:tiiuae/ci-yubi#verify -- --path=${path} --cert=${cert} --sigfile=${sigfile}
""", returnStdout: true).trim()
return res
}

def sign_relpath(String flakeref, String subdir) {
relpath = "$subdir/${find_img_relpath(flakeref, subdir)}"
signame = "${subdir}/${flakeref_trim(flakeref)}.sig"
println "sign_relpath: signame: ${signame}"
res = sign_file(relpath, "INT-lenovo-x1-carbon-gen11-debug-x86-64-linux", signame)
tst = verify_signature(relpath, "INT-lenovo-x1-carbon-gen11-debug-x86-64-linux", signame)
return res
}

def ghaf_hw_test(String flakeref, String device_config, String jenkins_url, String testset='_boot_') {
testagent_nodes = nodesByLabel(label: 'testagent', offline: false)
if (!testagent_nodes) {
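Review bot: in `sign_file` and `verify_signature` the `path`, `cert` and `sigfile` arguments are interpolated unquoted into the shell script, so any value containing whitespace or shell metacharacters changes the command that actually runs; quote them (`--path='${path}' --cert='${cert}' --sigfile='${sigfile}'`) or pass them via `withEnv` and reference them as shell variables. In `sign_relpath` the result of `verify_signature` is stored in `tst` but never inspected, so a failed verification only stops the job if the `verify` tool exits non-zero; either assert on `tst` or drop the unused variable so the intent is clear. The same certificate literal is repeated on two consecutive lines, so it should be one variable (or a parameter) so the sign and verify steps cannot drift apart. As elsewhere in this change, `relpath`, `signame`, `res` and `tst` are assigned without `def` and become script-wide binding variables.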