tiiuae · henrirosten · Sep 26, 2024 · Sep 25, 2024
diff --git a/ghaf-hw-test.groovy b/ghaf-hw-test.groovy
@@ -8,6 +8,7 @@
 def REPO_URL = 'https://github.com/tiiuae/ci-test-automation/'
 def DEF_LABEL = 'testagent'
 def TMP_IMG_DIR = 'image'
+def TMP_SIG_DIR = 'signature'
 def CONF_FILE_PATH = '/etc/jenkins/test_config.json'
 
 ////////////////////////////////////////////////////////////////////////////////
@@ -160,6 +161,11 @@ pipeline {
           """
           img_relpath = run_cmd("find ${TMP_IMG_DIR} -type f -print -quit | grep .")
           println "Downloaded image to workspace: ${img_relpath}"
+          // Verify signature using the tooling from: https://github.com/tiiuae/ci-yubi
+          sh "wget -nv -P ${TMP_SIG_DIR} ${params.IMG_URL}.sig"
+          sig_relpath = run_cmd("find ${TMP_SIG_DIR} -type f -print -quit | grep .")
+          println "Downloaded signature to workspace: ${sig_relpath}"
+          sh "nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path ${img_relpath} --sigfile ${sig_relpath}"
           // Uncompress, keeping only the decompressed image file
           if(img_relpath.endsWith("zst")) {
             sh "zstd -dfv ${img_relpath} && rm ${img_relpath}"

diff --git a/tests/x-ghaf-hw-test.groovy b/tests/x-ghaf-hw-test.groovy
@@ -165,6 +165,10 @@ pipeline {
           // env.IMG_WGET stores the path to image as downloaded from the remote
           env.IMG_WGET = run_wget(params.IMG_URL, TMP_IMG_DIR)
           println "Downloaded image to workspace: ${env.IMG_WGET}"
+          // Verify signature using the tooling from: https://github.com/tiiuae/ci-yubi
+          sig_path = run_wget("${params.IMG_URL}.sig", TMP_IMG_DIR)
+          println "Downloaded signature to workspace: ${sig_path}"
+          sh "nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path ${env.IMG_WGET} --sigfile ${sig_path}"
           // Uncompress
           if(env.IMG_WGET.endsWith(".zst")) {
             sh "zstd -dfv ${env.IMG_WGET}"