From a825832e8bac2109dab7c3332cd99fe349a96fff Mon Sep 17 00:00:00 2001
From: Jay
Date: Wed, 27 Sep 2023 12:22:49 +0000
Subject: [PATCH] Add a Cloud Build step to write the signed manifest to the transparency log.

---
 release/README.md | 12 ++--
 release/cloudbuild_withsecure_signature.yaml | 70 ++++++++++++--------
 2 files changed, 52 insertions(+), 30 deletions(-)

diff --git a/release/README.md b/release/README.md
index c9a4dbb..efa3e95 100644
--- a/release/README.md
+++ b/release/README.md
@@ -38,14 +38,18 @@ Since it is stored in the public GCS bucket, it can be read by WithSecure. WithSecure is notified of a release, and they reference the manifest for build details. After auditing it, and they add their signature of the manifest to the
-note as well before writing it to this repo. Once complete, they tag a release
-in this repo in the format `withsecure_vX.X.X`.
+note as well before writing it to this repo as
+`$_WITHSECURE_DIR/withsecure_vX.X.X.txt` (as defined in the yaml). Once
+complete, they tag a release in this repo in the format `withsecure_vX.X.X`.
 ### Release completion
 Finally, the trigger defined on `cloudbuild_withsecure_signature.yaml` reads the
-signed note written to this repository by WithSecure and adds it as an entry to
-the public firmware transparency log.
+signed note written to this repository by WithSecure and adds it to the
+artifacts bucket and the public firmware transparency log.
+
+The Trusted OS elf should only be used if both Transparency.dev and WithSecure
+signatures are verified successfully.
 TODO: add links for the GCS buckets once public.
diff --git a/release/cloudbuild_withsecure_signature.yaml b/release/cloudbuild_withsecure_signature.yaml
index adbecc1..b53ee67 100644
--- a/release/cloudbuild_withsecure_signature.yaml
+++ b/release/cloudbuild_withsecure_signature.yaml
@@ -1,28 +1,18 @@
-# This Cloud Build trigger copies the WithSecure signature for a certain
-# Trusted OS release version to the bucket (and "subdir") that contains the
-# Trusted OS as built by transparency.dev and the detached signature as signed
-# by transparency.dev.
+# See README.md in this directory for an overview of the release process.
 #
-# This is the second Cloud Build trigger for a given release. The first should
-# have already created the Trusted OS elf file and the transparency.dev
-# detached signature.
-#
-# The Trusted OS elf should only be used if both signatures are verified
-# successfully.
-#
-#### WithSecure Expectations ####
-#
-# WithSecure is expected to commit a signature file in the _WITHSECURE_DIR dir
-# of the Github repo for each release, and tag it with the pattern
-# `withsecure_vX.X.X`.
+# This Cloud Build trigger:
+# 1. copies the manifest of a Trusted OS release signed in the
+# [note format](https://pkg.go.dev/golang.org/x/mod/sumdb/note) by
+# WithSecure and Transparency.dev to a corresponding Google Cloud Storage
+# bucket (and "subdir"). This bucket should already contain the Trusted OS
+# elf file as built by transparency.dev.
+# 2. writes the signed manifest to the Armored Witness firmware transparency
+# log.
 #
-# Cloud Build infers the name of the file from the tag name by appending the
-# `.sig` file suffix. The expected signature file name is
-# `withsecure_vX.X.X.sig`.
-#
-# After Cloud Build locates the signature file, it copies the file to the
-# proper "subdir" (as mentioned above).
+# This is the second Cloud Build trigger for a given release. The first should
+# have already created the Trusted OS elf file.
 steps:
+ ### Copy the signed manifest to the artifacts bucket containing the ELF.
 # Get version number (expected to be in the `X.X.X` format) from the tag name
 # by removing the `withsecure_v` prefix. The version number is used as the
 # "subdir" under _TRUSTED_OS_BUCKET.
@@ -31,13 +21,41 @@ steps:
 args:
 - -c
 - >-
- gcloud storage cp ${_WITHSECURE_DIR}/${_TEST_TAG_NAME}.sig
- gs://${_TRUSTED_OS_BUCKET}/$(echo ${_TEST_TAG_NAME} | sed -e "s/^withsecure_v//")/trusted_os_withsecure.sig
+ gcloud storage cp ${_WITHSECURE_DIR}/${_TEST_TAG_NAME}.txt
+ gs://${_TRUSTED_OS_BUCKET}/$(echo ${_TEST_TAG_NAME} | sed -e "s/^withsecure_v//")/trusted_os_manifest.txt
+ ### Write the firmware release to the transparency log.
+ # Copy the signed note to the sequence bucket, preparing to write to log.
+ - name: gcr.io/cloud-builders/gcloud
+ args:
+ - storage
+ - cp
+ - ${_WITHSECURE_DIR}/${_TEST_TAG_NAME}.txt
+ - 'gs://${_LOG_NAME}/${_ENTRIES_DIR}/trusted_os_manifest.txt'
+ # Sequence log entry.
+ - name: gcr.io/cloud-builders/gcloud
+ args:
+ - functions
+ - call
+ - sequence
+ - '--data'
+ - '{"entriesDir": "${_ENTRIES_DIR}", "origin": "${_ORIGIN}", "bucket": "${_LOG_NAME}"}'
+ # Integrate log entry.
+ - name: gcr.io/cloud-builders/gcloud
+ args:
+ - functions
+ - call
+ - integrate
+ - '--data'
+ - '{"origin": "${_ORIGIN}", "bucket": "${_LOG_NAME}"}'
- ### TODO(jayhou): Write the firmware release to the transparency log.
 substitutions:
 # TODO(jayhou): do not use CI bucket when we flip this trigger to prod.
 _TRUSTED_OS_BUCKET: trusted-os-artifacts-ci
 _WITHSECURE_DIR: release/withsecure
 # TODO(jayhou): remove this when we flip this trigger to prod.
- _TEST_TAG_NAME: withsecure_v0.1.2
\ No newline at end of file
+ _TEST_TAG_NAME: withsecure_v0.1.2
+ # Log-related.
+ _ENTRIES_DIR: firmware-log-sequence
+ _ORIGIN: transparency.dev/armored-witness/firmware_transparency/ci/0
+ # TODO(jayhou): do not use CI bucket when we flip this trigger to prod.
+ _LOG_NAME: firmware-log-ci
\ No newline at end of file
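Review bot: Nothing in the added steps checks that the note at `${_WITHSECURE_DIR}/${_TEST_TAG_NAME}.txt` actually carries valid WithSecure and Transparency.dev signatures before it is copied to `gs://${_LOG_NAME}/${_ENTRIES_DIR}/` and `sequence`/`integrate` are called, so any file committed at that path is logged as-is unless the `sequence` function verifies it (not visible here). Add a verification step ahead of the copy, or at minimum document the dependency next to the "Copy the signed note" comment with `# Signatures on the note are NOT verified in this trigger; the sequence function is expected to reject unsigned or mis-signed entries.` adjusted to whatever is true. The entry is also written under the fixed object name `trusted_os_manifest.txt`, so two runs for different tags would overwrite each other before sequencing; keying the object on the tag (`${_TEST_TAG_NAME}.txt`) would avoid that, provided the sequence function accepts arbitrary names under the entries dir. The `--data` payloads splice substitutions into a JSON literal without escaping, which is fine for trigger-owned values but will silently break the request if `_ORIGIN` or `_LOG_NAME` ever contains a double quote.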