hw-test: Re-enable image signature verification
Signed-off-by: Henri Rosten <henri.rosten@unikie.com>
henrirosten committed Sep 25, 2024
1 parent b25cc63 commit 13e5d2b
Showing 2 changed files with 10 additions and 0 deletions.
6 changes: 6 additions & 0 deletions ghaf-hw-test.groovy
@@ -8,6 +8,7 @@
def REPO_URL = 'https://github.com/tiiuae/ci-test-automation/'
def DEF_LABEL = 'testagent'
def TMP_IMG_DIR = 'image'
def TMP_SIG_DIR = 'signature'
def CONF_FILE_PATH = '/etc/jenkins/test_config.json'

////////////////////////////////////////////////////////////////////////////////
@@ -160,6 +161,11 @@ pipeline {
"""
img_relpath = run_cmd("find ${TMP_IMG_DIR} -type f -print -quit | grep .")
println "Downloaded image to workspace: ${img_relpath}"
// Verify signature using the tooling from: https://github.com/tiiuae/ci-yubi
sh "wget -nv -P ${TMP_SIG_DIR} ${params.IMG_URL}.sig"
sig_relpath = run_cmd("find ${TMP_SIG_DIR} -type f -print -quit | grep .")
println "Downloaded signature to workspace: ${sig_relpath}"
sh "nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path ${img_relpath} --sigfile ${sig_relpath}"
// Uncompress, keeping only the decompressed image file
if(img_relpath.endsWith("zst")) {
sh "zstd -dfv ${img_relpath} && rm ${img_relpath}"
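Review bot: `params.IMG_URL` is expanded by Groovy straight into the shell command on the added `wget` line, so any shell metacharacter in the build parameter becomes part of the command run on the test agent. The added `nix run` line does the same with `img_relpath` and `sig_relpath`, as does the matching `nix run` line in tests/x-ghaf-hw-test.groovy with `env.IMG_WGET` and `sig_path`. Passing the values through the environment and letting the shell expand them quoted avoids that: `withEnv(["SIG_URL=${params.IMG_URL}.sig", "SIG_DIR=${TMP_SIG_DIR}"]) { sh 'wget -nv -P "$SIG_DIR" "$SIG_URL"' }`. The image download just above the hunk presumably builds its command the same way, and the stage body starts and ends outside the hunk.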
4 changes: 4 additions & 0 deletions tests/x-ghaf-hw-test.groovy
@@ -165,6 +165,10 @@ pipeline {
// env.IMG_WGET stores the path to image as downloaded from the remote
env.IMG_WGET = run_wget(params.IMG_URL, TMP_IMG_DIR)
println "Downloaded image to workspace: ${env.IMG_WGET}"
// Verify signature using the tooling from: https://github.com/tiiuae/ci-yubi
sig_path = run_wget("${params.IMG_URL}.sig", TMP_IMG_DIR)
println "Downloaded signature to workspace: ${sig_path}"
sh "nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path ${env.IMG_WGET} --sigfile ${sig_path}"
// Uncompress
if(env.IMG_WGET.endsWith(".zst")) {
sh "zstd -dfv ${env.IMG_WGET}"
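Review bot: The verifier on the added `nix run` line is fetched by the abbreviated revision `bdb2dbf`, and the same string is repeated in ghaf-hw-test.groovy. Since this tool decides whether an image is trusted, I would pin it by the full commit hash in a single constant per pipeline file, e.g. `def VERIFY_FLAKE = 'github:tiiuae/ci-yubi/<full-commit-sha>#verify'`. The comment above it could also state which key or certificate the tool checks against, which is not visible from this hunk. Because the `.sig` is downloaded from the same location as the image, the check only adds assurance if that trust anchor lives outside the download server. The pipeline stage starts and ends outside the hunk.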
