From 217d9a19b0bbc4854b6b7a3a201a9265a5dd7f01 Mon Sep 17 00:00:00 2001
From: Aleksandr Tserepov-Savolainen
Date: Tue, 5 Nov 2024 12:48:16 +0200
Subject: [PATCH] Split signing certs for image and provenance

Signed-off-by: Aleksandr Tserepov-Savolainen
---
 ghaf-hw-test.groovy | 2 +-
 ghaf-main-pipeline.groovy | 2 +-
 ghaf-parallel-hw-test.groovy | 2 +-
 utils.groovy | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/ghaf-hw-test.groovy b/ghaf-hw-test.groovy
index 6a13803..3123d49 100644
--- a/ghaf-hw-test.groovy
+++ b/ghaf-hw-test.groovy
@@ -169,7 +169,7 @@ pipeline {
 sh "wget -nv -P ${TMP_SIG_DIR} ${params.IMG_URL}.sig"
 sig_relpath = run_cmd("find ${TMP_SIG_DIR} -type f -print -quit | grep .")
 println "Downloaded signature to workspace: ${sig_relpath}"
- sh "nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path ${img_relpath} --sigfile ${sig_relpath}"
+ sh "nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path ${img_relpath} --sigfile ${sig_relpath} --cert INT-Ghaf-Devenv-Image"
 // Uncompress, keeping only the decompressed image file
 if(img_relpath.endsWith("zst")) {
 sh "zstd -dfv ${img_relpath} && rm ${img_relpath}"
diff --git a/ghaf-main-pipeline.groovy b/ghaf-main-pipeline.groovy
index b26a2a7..e70016a 100644
--- a/ghaf-main-pipeline.groovy
+++ b/ghaf-main-pipeline.groovy
@@ -103,7 +103,7 @@ pipeline {
 // only attempt signing if there is something to sign
 if (it.archive) {
 def img_relpath = utils.find_img_relpath(target, "archive")
- utils.sign_file("archive/${img_relpath}", "sig/${img_relpath}.sig")
+ utils.sign_file("archive/${img_relpath}", "sig/${img_relpath}.sig", "INT-Ghaf-Devenv-Image")
 }
 } else {
 error("Target \"${target}\" was not found in packages")
diff --git a/ghaf-parallel-hw-test.groovy b/ghaf-parallel-hw-test.groovy
index 8ff26b6..16a90e8 100644
--- a/ghaf-parallel-hw-test.groovy
+++ b/ghaf-parallel-hw-test.groovy
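Review bot: The new `--cert INT-Ghaf-Devenv-Image` argument is passed to a verifier pinned at `github:tiiuae/ci-yubi/bdb2dbf`, and this patch does not move that pin, so the flag must already be supported at revision `bdb2dbf`; if it was added to ci-yubi together with this change, the pin needs updating or the verify step fails at runtime rather than silently accepting the signature. The identical hunk in ghaf-parallel-hw-test.groovy has the same dependency on the pinned revision. A one-line comment above the `sh` call would make the intent of the pin visible to the next reader, e.g. `// Verify against the image signing cert only; provenance is signed with a separate cert (utils.groovy provenance())`. The enclosing pipeline stage starts and ends outside the hunk.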
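Review bot: `utils.sign_file` now receives a third argument, `"INT-Ghaf-Devenv-Image"`, but the definition of `sign_file` in utils.groovy is not part of this patch, so it must already declare a cert-name parameter; if it does not, Groovy raises a MissingMethodException at this call and signing fails at runtime rather than at script load. The same applies to the two `sign_file` calls changed in utils.groovy (the `nix_build` and `provenance` hunks). It is worth confirming the parameter exists and has no default that would let a caller omitting it fall back to a different cert unnoticed. The enclosing `pipeline {` block begins and ends outside the hunk.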
@@ -169,7 +169,7 @@ pipeline {
 sh "wget -nv -P ${TMP_SIG_DIR} ${params.IMG_URL}.sig"
 sig_relpath = run_cmd("find ${TMP_SIG_DIR} -type f -print -quit | grep .")
 println "Downloaded signature to workspace: ${sig_relpath}"
- sh "nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path ${img_relpath} --sigfile ${sig_relpath}"
+ sh "nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path ${img_relpath} --sigfile ${sig_relpath} --cert INT-Ghaf-Devenv-Image"
 // Uncompress, keeping only the decompressed image file
 if(img_relpath.endsWith("zst")) {
 sh "zstd -dfv ${img_relpath} && rm ${img_relpath}"
diff --git a/utils.groovy b/utils.groovy
index 0a598bb..1cebab7 100644
--- a/utils.groovy
+++ b/utils.groovy
@@ -79,7 +79,7 @@ def nix_build(String flakeref, String subdir=null) {
 if (img_relpath) {
 target_path = "${subdir}/${img_relpath}"
 sig_path = "sig/${img_relpath}.sig"
- sign_file(target_path, sig_path)
+ sign_file(target_path, sig_path, "INT-Ghaf-Devenv-Image")
 // Archive signature file alongside the target image
 archive_artifacts("sig")
 } else {
@@ -131,7 +131,7 @@ def provenance(String flakeref, String outdir, String flakeref_trimmed) {
 sh "provenance ${flakeref} ${opts}"
 // Sign the provenance
 target_path = "${outdir}/provenance.json"
- sign_file(target_path, "${target_path}.sig")
+ sign_file(target_path, "${target_path}.sig", "INT-Ghaf-Devenv-Provenance")
 }

 def sbomnix(String tool, String flakeref) {
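Review bot: The cert names `INT-Ghaf-Devenv-Image` and `INT-Ghaf-Devenv-Provenance` are spelled out as string literals at each call site (four places across three files after this patch), so a typo at any one of them is only detected when that signing or verification step actually runs. Defining them once in utils.groovy, e.g. `IMAGE_SIGN_CERT = "INT-Ghaf-Devenv-Image"` and `PROVENANCE_SIGN_CERT = "INT-Ghaf-Devenv-Provenance"`, and referencing those from `nix_build`, `provenance` and the pipeline scripts keeps the signer and the verifier agreeing on the same name. No verify counterpart for the provenance cert appears in this patch; if a consumer verifies `provenance.json` with ci-yubi `verify`, it presumably now needs `--cert INT-Ghaf-Devenv-Provenance`, which is worth stating in the commit message or a comment next to this call. The `provenance` function begins outside the hunk.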