hw-test: Verify img signature before flashing

Signed-off-by: Henri Rosten <[email protected]>
tiiuae · Sep 17, 2024 · f80a154 · f80a154
1 parent 205a551
commit f80a154
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/ghaf-hw-test.groovy b/ghaf-hw-test.groovy
@@ -8,6 +8,7 @@
 def REPO_URL = 'https://github.com/tiiuae/ci-test-automation/'
 def DEF_LABEL = 'testagent'
 def TMP_IMG_DIR = 'image'
+def TMP_SIG_DIR = 'signature'
 def CONF_FILE_PATH = '/etc/jenkins/test_config.json'
 
 ////////////////////////////////////////////////////////////////////////////////
@@ -160,6 +161,11 @@ pipeline {
           """
           img_relpath = run_cmd("find ${TMP_IMG_DIR} -type f -print -quit | grep .")
           println "Downloaded image to workspace: ${img_relpath}"
+          // Verify signature using the tooling from: https://github.com/tiiuae/ci-yubi
+          sh "wget -nv -P ${TMP_SIG_DIR} ${params.IMG_URL}.sig"
+          sig_relpath = run_cmd("find ${TMP_SIG_DIR} -type f -print -quit | grep .")
+          println "Downloaded signature to workspace: ${sig_relpath}"
+          sh "nix run github:tiiuae/ci-yubi/e2aa4c6#verify -- --path ${img_relpath} --sigfile ${sig_relpath}"
           // Uncompress, keeping only the decompressed image file
           if(img_relpath.endsWith("zst")) {
             sh "zstd -dfv ${img_relpath} && rm ${img_relpath}"