From d721638c2d7b141c84ffe0eda9f0a9ae0e96f787 Mon Sep 17 00:00:00 2001
From: miampf
Date: Tue, 28 Jan 2025 15:05:12 +0100
Subject: [PATCH] Download v2.20.0 release measurements and check
---
 .../check-measurements-reproducibility.yml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/check-measurements-reproducibility.yml b/.github/workflows/check-measurements-reproducibility.yml
index 01886dd75..a29c604d5 100644
--- a/.github/workflows/check-measurements-reproducibility.yml
+++ b/.github/workflows/check-measurements-reproducibility.yml
@@ -16,13 +16,20 @@ jobs:
 uses: ./.github/actions/setup_bazel_nix
 with:
 useCache: "false"
- nixTools: systemdUkify
- # TODO: get correct path to bazel build artifacts, generate measurements and fetch released measurements, then compare.
+ nixTools: |
+ systemdUkify
+ jd-diff-patch
 - name: Build images and produce measurements
 run: |
+ # Build required binaries
 bazel build //image/system:stable
 bazel build //image/measured-boot/cmd
 buildPath="$PWD/bazel-bin/image"
+
+ # create measurements
 cd $(mktemp -d)
- sudo env "PATH=$PATH" "$buildPath/measured-boot/cmd/cmd_/cmd" "$buildPath/system/qemu_qemu-vtpm_stable/constellation" ./measurements.json
- cat ./measurements.json | jq
+ sudo env "PATH=$PATH" "$buildPath/measured-boot/cmd/cmd_/cmd" "$buildPath/system/qemu_qemu-vtpm_stable/constellation" ./own-measurements.json
+
+ # download release measurements and compare
+ curl -O https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/v2.20.0/image/measurements.json
+ jd -set ./own-measurements.json ./measurements.json
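Review bot: The added `curl -O` line at the end of the `run:` script fetches the reference measurements without `--fail`, so an HTTP error body from the CDN would be written to `./measurements.json` and surface only as a confusing `jd` failure; `curl -fsSLO <same URL>` makes the download itself fail the step. The reference file is also trusted on TLS alone, and since this job exists to confirm that the released measurements are reproducible, it should be authenticated before the comparison, for example by verifying a signature for it if the release publishes one. The URL hard-codes `v2.20.0` while the images are built from whatever tree the job checks out, so the comparison only means something when both refer to the same release; deriving the tag and the checkout ref from one variable would keep them in step. The job's earlier steps, including the checkout, lie outside this hunk, so the ref actually built is not visible here.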