Split signing certs for image and provenance

Signed-off-by: Aleksandr Tserepov-Savolainen <[email protected]>
tiiuae · Nov 7, 2024 · 217d9a1 · 217d9a1
1 parent addcdb8
commit 217d9a1
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 5 deletions.
diff --git a/ghaf-hw-test.groovy b/ghaf-hw-test.groovy
@@ -169,7 +169,7 @@ pipeline {
           sh "wget -nv -P ${TMP_SIG_DIR} ${params.IMG_URL}.sig"
           sig_relpath = run_cmd("find ${TMP_SIG_DIR} -type f -print -quit | grep .")
           println "Downloaded signature to workspace: ${sig_relpath}"
-          sh "nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path ${img_relpath} --sigfile ${sig_relpath}"
+          sh "nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path ${img_relpath} --sigfile ${sig_relpath} --cert INT-Ghaf-Devenv-Image"
           // Uncompress, keeping only the decompressed image file
           if(img_relpath.endsWith("zst")) {
             sh "zstd -dfv ${img_relpath} && rm ${img_relpath}"

diff --git a/ghaf-main-pipeline.groovy b/ghaf-main-pipeline.groovy
@@ -103,7 +103,7 @@ pipeline {
                       // only attempt signing if there is something to sign
                       if (it.archive) {
                         def img_relpath = utils.find_img_relpath(target, "archive")
-                        utils.sign_file("archive/${img_relpath}", "sig/${img_relpath}.sig")
+                        utils.sign_file("archive/${img_relpath}", "sig/${img_relpath}.sig", "INT-Ghaf-Devenv-Image")
                       }
                     } else {
                       error("Target \"${target}\" was not found in packages")

diff --git a/ghaf-parallel-hw-test.groovy b/ghaf-parallel-hw-test.groovy
@@ -169,7 +169,7 @@ pipeline {
           sh "wget -nv -P ${TMP_SIG_DIR} ${params.IMG_URL}.sig"
           sig_relpath = run_cmd("find ${TMP_SIG_DIR} -type f -print -quit | grep .")
           println "Downloaded signature to workspace: ${sig_relpath}"
-          sh "nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path ${img_relpath} --sigfile ${sig_relpath}"
+          sh "nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path ${img_relpath} --sigfile ${sig_relpath} --cert INT-Ghaf-Devenv-Image"
           // Uncompress, keeping only the decompressed image file
           if(img_relpath.endsWith("zst")) {
             sh "zstd -dfv ${img_relpath} && rm ${img_relpath}"

diff --git a/utils.groovy b/utils.groovy
@@ -79,7 +79,7 @@ def nix_build(String flakeref, String subdir=null) {
     if (img_relpath) {
       target_path = "${subdir}/${img_relpath}"
       sig_path = "sig/${img_relpath}.sig"
-      sign_file(target_path, sig_path)
+      sign_file(target_path, sig_path, "INT-Ghaf-Devenv-Image")
       // Archive signature file alongside the target image
       archive_artifacts("sig")
     } else {
@@ -131,7 +131,7 @@ def provenance(String flakeref, String outdir, String flakeref_trimmed) {
     sh "provenance ${flakeref} ${opts}"
     // Sign the provenance
     target_path = "${outdir}/provenance.json"
-    sign_file(target_path, "${target_path}.sig")
+    sign_file(target_path, "${target_path}.sig", "INT-Ghaf-Devenv-Provenance")
 }
 
 def sbomnix(String tool, String flakeref) {