-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Cloud Build config to copy WithSecure sig from Github to GCS.
- Loading branch information
Showing
1 changed file
with
41 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| # This Cloud Build trigger copies the WithSecure signature for a certain | ||
| # Trusted OS release version to the bucket (and "subdir") that contains the | ||
| # Trusted OS as built by transparency.dev and the detached signature as signed | ||
| # by transparency.dev. | ||
| # | ||
| # This is the second Cloud Build trigger for a given release. The first should | ||
| # have already created the Trusted OS elf file and the transparency.dev | ||
| # detached signature. | ||
| # | ||
| # The Trusted OS elf should only be used if both signatures are verified | ||
| # sucessfully. | ||
| # | ||
| ### WithSecure Expectations #### | ||
| # | ||
| # WithSecure is expected to overwrite the _WITHSECURE_SIG_FILE and | ||
| # _RELEASE_VERSION_FILE in the Github repo for each release. Cloud Build then | ||
| # reads the _RELEASE_VERSION_FILE here, allowing it copy the signature to the | ||
| # proper "subdir" (as mentioned above). | ||
| # | ||
| # The last piece of config which must be coordinated with WithSecure is how | ||
| # this config gets triggered (and is captured in the GCP project rather than | ||
| # this file). This file will be configured to run when the repo is tagged with | ||
| # `withsecure_signature`. | ||
| steps: | ||
| # Read the release version for which the WithSecure signature is. Cloud Build | ||
| # does not allow dynamically setting env vars, so writing to a file as a | ||
| # workaround: | ||
| # https://stackoverflow.com/questions/52337831/how-do-i-set-an-environment-or-substitution-variable-via-a-step-in-google-cloud. | ||
| - name: ubuntu | ||
| args: ['bash', '-c', 'cat ${_WITHSECURE_DIR}/${_RELEASE_VERSION_FILE} > _RELEASE_VERSION'] | ||
| # Copy the WithSecure signature to the bucket. | ||
| - name: gcr.io/cloud-builders/gcloud | ||
| entrypoint: sh | ||
| args: | ||
| - -c | ||
| - 'gcloud storage cp ${_WITHSECURE_DIR}/${_WITHSECURE_SIG_FILE} gs://${_TRUSTED_OS_BUCKET}/$(cat _RELEASE_VERSION)/trusted_os_withsecure.sig' | ||
| substitutions: | ||
| _TRUSTED_OS_BUCKET: trusted-os-artifacts-ci | ||
| _WITHSECURE_DIR: release/withsecure | ||
| _WITHSECURE_SIG_FILE: trusted_os.sig | ||
| _RELEASE_VERSION_FILE: release_version.txt |