Add Cloud Build config to copy WithSecure sig from Github to GCS.
Showing
1 changed file
with
34 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
# This Cloud Build trigger copies the WithSecure signature for a certain | ||
# Trusted OS release version to the bucket (and "subdir") that contains the | ||
# Trusted OS as built by transparency.dev and the detached signature as signed | ||
# by transparency.dev. | ||
# | ||
# WithSecure is expected to overwrite the _WITHSECURE_SIG_FILE and | ||
# _RELEASE_VERSION_FILE for each release. Reading _RELEASE_VERSION_FILE allows | ||
# Cloud Build to copy the signature to the proper "subdir" (as mentioned | ||
# above). | ||
# | ||
# This is the second Cloud Build trigger for a given release. The first should | ||
# have already created the Trusted OS elf file and the transparency.dev | ||
# detached signature. | ||
# | ||
# The Trusted OS elf should only be used if both signatures are verified | ||
# sucessfully. | ||
steps: | ||
# Read the release version for which the WithSecure signature is. Cloud Build | ||
# does not allow dynamically setting env vars, so writing to a file as a | ||
# workaround: | ||
# https://stackoverflow.com/questions/52337831/how-do-i-set-an-environment-or-substitution-variable-via-a-step-in-google-cloud. | ||
- name: ubuntu | ||
args: ['bash', '-c', 'cat ${_WITHSECURE_DIR}/${_RELEASE_VERSION_FILE} > _RELEASE_VERSION'] | ||
# Copy the WithSecure signature to the bucket. | ||
- name: gcr.io/cloud-builders/gcloud | ||
entrypoint: sh | ||
args: | ||
- -c | ||
- 'gcloud storage cp ${_WITHSECURE_DIR}/${_WITHSECURE_SIG_FILE} gs://${_TRUSTED_OS_BUCKET}/$(cat _RELEASE_VERSION)/trusted_os_withsecure.sig' | ||
substitutions: | ||
_TRUSTED_OS_BUCKET: trusted-os-artifacts-ci | ||
_WITHSECURE_DIR: release/withsecure | ||
_WITHSECURE_SIG_FILE: trusted_os.sig | ||
_RELEASE_VERSION_FILE: release_version.txt |
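Review bot: The contents of `_RELEASE_VERSION` are spliced unquoted into the `gcloud storage cp` destination in the second step, so an empty file, stray whitespace or a value containing `/` would put the signature somewhere other than the release's "subdir", or split the command's arguments. Because the header comment makes the ELF's trust depend on both signatures, the step should fail unless the file is exactly one line matching the expected version format, and the destination should be quoted as `"gs://${_TRUSTED_OS_BUCKET}/$(cat _RELEASE_VERSION)/trusted_os_withsecure.sig"`. The first step also pulls `ubuntu` with no tag or digest; pinning it by digest, or reading the version file with `$(cat …)` directly in the gcloud step, would take a mutable image out of a pipeline that publishes release signatures. Minor: "sucessfully" in the header comment should read "successfully".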