Add a Cloud Build step to write the signed manifest to the transparency log. #67

Status: Merged (1 commit), Sep 27, 2023
12 changes: 8 additions & 4 deletions release/README.md
Expand Up @@ -38,14 +38,18 @@ Since it is stored in the public GCS bucket, it can be read by WithSecure.

WithSecure is notified of a release, and they reference the manifest for build
details. After auditing it, and they add their signature of the manifest to the
note as well before writing it to this repo. Once complete, they tag a release
in this repo in the format `withsecure_vX.X.X`.
note as well before writing it to this repo as
`$_WITHSECURE_DIR/withsecure_vX.X.X.txt` (as defined in the yaml). Once
complete, they tag a release in this repo in the format `withsecure_vX.X.X`.

### Release completion

Finally, the trigger defined on `cloudbuild_withsecure_signature.yaml` reads the
signed note written to this repository by WithSecure and adds it as an entry to
the public firmware transparency log.
signed note written to this repository by WithSecure and adds it to the
artifacts bucket and the public firmware transparency log.

The Trusted OS elf should only be used if both Transparency.dev and WithSecure
signatures are verified successfully.

TODO: add links for the GCS buckets once public.

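Review bot: The new path `$_WITHSECURE_DIR/withsecure_vX.X.X.txt` points README readers at a Cloud Build substitution rather than a repository path; since the yaml sets `_WITHSECURE_DIR: release/withsecure`, spell out `release/withsecure/withsecure_vX.X.X.txt` here so someone reading only the README knows where the signed note lives. While this paragraph is being touched, the unchanged sentence "After auditing it, and they add their signature" has a stray "and" worth dropping.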
70 changes: 44 additions & 26 deletions release/cloudbuild_withsecure_signature.yaml
@@ -1,28 +1,18 @@
# This Cloud Build trigger copies the WithSecure signature for a certain
# Trusted OS release version to the bucket (and "subdir") that contains the
# Trusted OS as built by transparency.dev and the detached signature as signed
# by transparency.dev.
# See README.md in this directory for an overview of the release process.
#
# This is the second Cloud Build trigger for a given release. The first should
# have already created the Trusted OS elf file and the transparency.dev
# detached signature.
#
# The Trusted OS elf should only be used if both signatures are verified
# successfully.
#
#### WithSecure Expectations ####
#
# WithSecure is expected to commit a signature file in the _WITHSECURE_DIR dir
# of the Github repo for each release, and tag it with the pattern
# `withsecure_vX.X.X`.
# This Cloud Build trigger:
# 1. copies the manifest of a Trusted OS release signed in the
# [note format](https://pkg.go.dev/golang.org/x/mod/sumdb/note) by
# WithSecure and Transparency.dev to a corresponding Google Cloud Storage
# bucket (and "subdir"). This bucket should already contain the Trusted OS
# elf file as built by transparency.dev.
# 2. writes the signed manifest to the Armored Witness firmware transparency
# log.
#
# Cloud Build infers the name of the file from the tag name by appending the
# `.sig` file suffix. The expected signature file name is
# `withsecure_vX.X.X.sig`.
#
# After Cloud Build locates the signature file, it copies the file to the
# proper "subdir" (as mentioned above).
# This is the second Cloud Build trigger for a given release. The first should
# have already created the Trusted OS elf file.
steps:
### Copy the signed manifest to the artifacts bucket containing the ELF.
# Get version number (expected to be in the `X.X.X` format) from the tag name
# by removing the `withsecure_v` prefix. The version number is used as the
# "subdir" under _TRUSTED_OS_BUCKET.
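Review bot: Dropping the `#### WithSecure Expectations ####` block removes the only statement of the file naming and tag conventions, yet the README change in this same PR says the path is "as defined in the yaml". Keep a short expectations paragraph in the header stating that WithSecure commits `withsecure_vX.X.X.txt` under `_WITHSECURE_DIR` and tags the release `withsecure_vX.X.X`, so the trigger's input contract stays documented next to the steps that depend on it.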
Expand All @@ -31,13 +21,41 @@ steps:
args:
- -c
- >-
gcloud storage cp ${_WITHSECURE_DIR}/${_TEST_TAG_NAME}.sig
gs://${_TRUSTED_OS_BUCKET}/$(echo ${_TEST_TAG_NAME} | sed -e "s/^withsecure_v//")/trusted_os_withsecure.sig
gcloud storage cp ${_WITHSECURE_DIR}/${_TEST_TAG_NAME}.txt
gs://${_TRUSTED_OS_BUCKET}/$(echo ${_TEST_TAG_NAME} | sed -e "s/^withsecure_v//")/trusted_os_manifest.txt
### Write the firmware release to the transparency log.
# Copy the signed note to the sequence bucket, preparing to write to log.
- name: gcr.io/cloud-builders/gcloud
args:
- storage
- cp
- ${_WITHSECURE_DIR}/${_TEST_TAG_NAME}.txt
- 'gs://${_LOG_NAME}/${_ENTRIES_DIR}/trusted_os_manifest.txt'
# Sequence log entry.
- name: gcr.io/cloud-builders/gcloud
args:
- functions
- call
- sequence
- '--data'
- '{"entriesDir": "${_ENTRIES_DIR}", "origin": "${_ORIGIN}", "bucket": "${_LOG_NAME}"}'
# Integrate log entry.
- name: gcr.io/cloud-builders/gcloud
args:
- functions
- call
- integrate
- '--data'
- '{"origin": "${_ORIGIN}", "bucket": "${_LOG_NAME}"}'

### TODO(jayhou): Write the firmware release to the transparency log.
substitutions:
# TODO(jayhou): do not use CI bucket when we flip this trigger to prod.
_TRUSTED_OS_BUCKET: trusted-os-artifacts-ci
_WITHSECURE_DIR: release/withsecure
# TODO(jayhou): remove this when we flip this trigger to prod.
_TEST_TAG_NAME: withsecure_v0.1.2
_TEST_TAG_NAME: withsecure_v0.1.2
# Log-related.
_ENTRIES_DIR: firmware-log-sequence
_ORIGIN: transparency.dev/armored-witness/firmware_transparency/ci/0
# TODO(jayhou): do not use CI bucket when we flip this trigger to prod.
_LOG_NAME: firmware-log-ci
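Review bot: Nothing in the new steps verifies the note before it is copied to `gs://${_LOG_NAME}/${_ENTRIES_DIR}/trusted_os_manifest.txt` and sequenced; the README states the ELF is only to be used when both the Transparency.dev and WithSecure signatures verify, so a step that checks both signatures on `${_WITHSECURE_DIR}/${_TEST_TAG_NAME}.txt` with the note format's verifier before the copy would keep a malformed or singly-signed manifest out of an append-only log where it cannot be withdrawn afterwards. Two smaller points: the `gcloud functions call sequence` and `integrate` steps pass no `--region`, so they rely on the builder image's gcloud defaults rather than a pinned deployment, and the fixed object name `trusted_os_manifest.txt` in the entries dir means two releases in flight would overwrite each other before `sequence` runs.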