Add Cloud Build config to copy WithSecure sig from Github to GCS. #57

Merged: 2 commits, Sep 18, 2023
41 changes: 41 additions & 0 deletions release/cloudbuild_withsecure_signature.yaml
@@ -0,0 +1,41 @@
# This Cloud Build trigger copies the WithSecure signature for a certain
# Trusted OS release version to the bucket (and "subdir") that contains the
# Trusted OS as built by transparency.dev and the detached signature as signed
# by transparency.dev.
#
# This is the second Cloud Build trigger for a given release. The first should
# have already created the Trusted OS elf file and the transparency.dev
# detached signature.
#
# The Trusted OS elf should only be used if both signatures are verified
# successfully.
#
#### WithSecure Expectations ####
#
# WithSecure is expected to overwrite the _WITHSECURE_SIG_FILE and
# _RELEASE_VERSION_FILE in the Github repo for each release. Cloud Build then
# reads the _RELEASE_VERSION_FILE here, allowing it copy the signature to the
# proper "subdir" (as mentioned above).
#
# The last piece of config which must be coordinated with WithSecure is how
# this config gets triggered (and is captured in the GCP project rather than
# this file). This file will be configured to run when the repo is tagged with
# `withsecure_signature`.
steps:
# Read the release version for which the WithSecure signature is. Cloud Build
# does not allow dynamically setting env vars, so writing to a file as a
# workaround:
# https://stackoverflow.com/questions/52337831/how-do-i-set-an-environment-or-substitution-variable-via-a-step-in-google-cloud.
- name: ubuntu
args: ['bash', '-c', 'cat ${_WITHSECURE_DIR}/${_RELEASE_VERSION_FILE} > _RELEASE_VERSION']
# Copy the WithSecure signature to the bucket.
- name: gcr.io/cloud-builders/gcloud
entrypoint: sh
args:
- -c
- 'gcloud storage cp ${_WITHSECURE_DIR}/${_WITHSECURE_SIG_FILE} gs://${_TRUSTED_OS_BUCKET}/$(cat _RELEASE_VERSION)/trusted_os_withsecure.sig'
substitutions:
_TRUSTED_OS_BUCKET: trusted-os-artifacts-ci
_WITHSECURE_DIR: release/withsecure
_WITHSECURE_SIG_FILE: trusted_os.sig
_RELEASE_VERSION_FILE: release_version.txt
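Review bot: the destination path in the `gcloud storage cp` step is built from `$(cat _RELEASE_VERSION)` with no validation of what `release_version.txt` contained, so a stray space, slash or `..` in that file would either split the argument or land the signature under an unexpected prefix, and a version string with no matching Trusted OS build would silently create a new, orphaned "subdir" instead of failing. Given the header's requirement that the elf only be used when both signatures verify, it would be worth having the first step reject anything outside the expected version pattern (e.g. `grep -Eq '^[0-9A-Za-z._-]+$' _RELEASE_VERSION || exit 1`) and having the copy step confirm that `gs://${_TRUSTED_OS_BUCKET}/<version>/` already holds the elf and the transparency.dev signature before writing; passing `--no-clobber` to the copy would also keep a re-triggered build from overwriting a signature that has already been published.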