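# Builds the notary-server Gramine/SGX enclave on every push, captures the
# SIGSTRUCT view of the resulting notary-server.sig as a workflow artifact, and
# asks GitHub to sign a build-provenance attestation over that .sig file.
name: Create New SGX Report

on: push

jobs:
  build_and_generate_report:
    name: install Gramine
    runs-on: ubuntu-latest
    # id-token + attestations are what attest-build-provenance needs; contents
    # stays read-only because nothing is pushed back to the repository.
    permissions:
      id-token: write
      contents: read
      attestations: write
    # Applies to `run:` steps only -- paths given to `uses:` actions below are
    # resolved from the workspace root, not from ./notary-server.
    defaults:
      run:
        shell: bash
        working-directory: ./notary-server
    steps:
      - name: get src
        uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}

      - name: add gramine key
        run: |
          sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
          echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/gramine.list

      - name: apt get
        # Third-party action referenced by a mutable tag: whatever installs the
        # toolchain can change between runs. Pinning to a full commit SHA
        # (<commit-sha placeholder>) is the usual supply-chain hardening here.
        uses: awalsh128/cache-apt-pkgs-action@latest
        with:
          # "gramine" was listed twice in the original package list.
          packages: rustc cargo gramine cmake clang
          # Cache key; quoted so YAML keeps it a string instead of a float.
          version: "1.1"
          execute_install_scripts: true

      - name: Set PATH
        # $GITHUB_ENV takes NAME=value lines, so the old
        # `echo "export PATH=\$PATH:..." >> $GITHUB_ENV` did not change PATH at
        # all. $GITHUB_PATH is the mechanism for extending PATH in later steps.
        run: |
          echo "/usr/local/bin" >> "$GITHUB_PATH"
          echo "/usr/bin" >> "$GITHUB_PATH"

      - name: generate manifest and sig
        # gen-private-key -f appears to regenerate the enclave signing key on
        # every run, which would make MRSIGNER differ between builds; treat
        # MRENCLAVE as the reproducible measurement -- confirm against Gramine docs.
        run: |
          make
          /usr/bin/gramine-sgx-gen-private-key -f
          /usr/bin/gramine-sgx-sign -v --manifest notary-server.manifest --output notary-server.sgx

      - name: capture sig
        id: sigstruct
        # Multi-line value exported via the heredoc form of $GITHUB_ENV.
        run: |
          sigview=$(/usr/bin/gramine-sgx-sigstruct-view notary-server.sig)
          {
            echo 'SGX_REPORT<<EOF'
            echo "$sigview"
            echo EOF
          } >> "$GITHUB_ENV"
          echo "$sigview"

      - name: upload artifact
        # The original step had no run/uses (invalid), wrote to /attestations
        # (a directory the runner user normally cannot create without sudo, and
        # then redirected output *onto* the directory itself), and never placed
        # notary-server.sig at the path the later steps read. Stage everything
        # inside the checkout instead.
        # $SGX_REPORT is read as a shell variable rather than spliced in with
        # ${{ env.SGX_REPORT }}: expression expansion rewrites the script text
        # before bash runs, which breaks on a multi-line value.
        run: |
          mkdir -p attestations
          cp notary-server.sig attestations/notary-server.sig
          printf '%s\n' "$SGX_REPORT" > attestations/sgx-report.txt

      - uses: actions/upload-artifact@v4
        with:
          name: sgx-attestation
          # Workspace-relative: defaults.run.working-directory does not apply here.
          path: notary-server/attestations/

      - name: get github to sign our measurement
        uses: actions/attest-build-provenance@v1
        with:
          # Attest the actual SIGSTRUCT file produced by gramine-sgx-sign.
          subject-path: notary-server/attestations/notary-server.sig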