From f80a154e45239d9974e4f3c1575d24521e29b593 Mon Sep 17 00:00:00 2001
From: Henri Rosten
Date: Mon, 16 Sep 2024 12:57:39 +0300
Subject: [PATCH] hw-test: Verify img signature before flashing

Signed-off-by: Henri Rosten
---
 ghaf-hw-test.groovy | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ghaf-hw-test.groovy b/ghaf-hw-test.groovy
index 9c52f19..3d7a262 100644
--- a/ghaf-hw-test.groovy
+++ b/ghaf-hw-test.groovy
@@ -8,6 +8,7 @@
 def REPO_URL = 'https://github.com/tiiuae/ci-test-automation/'
 def DEF_LABEL = 'testagent'
 def TMP_IMG_DIR = 'image'
+def TMP_SIG_DIR = 'signature'
 def CONF_FILE_PATH = '/etc/jenkins/test_config.json'
 ////////////////////////////////////////////////////////////////////////////////
@@ -160,6 +161,11 @@ pipeline {
 """
 img_relpath = run_cmd("find ${TMP_IMG_DIR} -type f -print -quit | grep .")
 println "Downloaded image to workspace: ${img_relpath}"
+ // Verify signature using the tooling from: https://github.com/tiiuae/ci-yubi
+ sh "wget -nv -P ${TMP_SIG_DIR} ${params.IMG_URL}.sig"
+ sig_relpath = run_cmd("find ${TMP_SIG_DIR} -type f -print -quit | grep .")
+ println "Downloaded signature to workspace: ${sig_relpath}"
+ sh "nix run github:tiiuae/ci-yubi/e2aa4c6#verify -- --path ${img_relpath} --sigfile ${sig_relpath}"
 // Uncompress, keeping only the decompressed image file
 if(img_relpath.endsWith("zst")) {
 sh "zstd -dfv ${img_relpath} && rm ${img_relpath}"
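Review bot: The added `wget` line splices `params.IMG_URL` into the shell string unquoted, so whitespace or shell metacharacters in that job parameter are interpreted by the shell on the test agent; since Jenkins also exports build parameters as environment variables, `sh "wget -nv -P ${TMP_SIG_DIR} -- \"\$IMG_URL.sig\""` would pass it as one quoted argument, and `${img_relpath}` / `${sig_relpath}` on the `nix run` line deserve the same quoting. Nothing in the hunk empties `TMP_SIG_DIR` before the download, so on a reused workspace the `find ... -print -quit` lookup may return a signature left by an earlier run; the cleanup may exist outside the hunk, as the enclosing stage starts and ends beyond it. The signature is fetched from the same location as the image, so the check proves origin only if the key that `verify` trusts is fixed independently of that download, which is not visible here, and a comment naming where that key comes from would help. `e2aa4c6` is an abbreviated revision; the full commit hash would pin the verifier tooling more tightly.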