constellation/bazel/osimage/upload_os_images.sh.in
Malte Poll f237ae8ae2 bazel: add upload_os_images rule
This rule combines uplosi, the upload command, measurement code and cosign
to upload OS images, extract measurements, sign them and upload the measurements.
2024-01-15 13:53:15 +01:00

145 lines
4.2 KiB
Bash

#!/usr/bin/env bash
set -euo pipefail
shopt -s inherit_errexit
# This script handles the upload of OS images and their corresponding image info.
POSITIONAL_ARGS=()
ref=""
upload_signed_measurements=0
fake_sign=0
while [[ $# -gt 0 ]]; do
case $1 in
--ref)
ref="$2"
shift # past argument
shift # past value
;;
--upload-measurements)
upload_signed_measurements=1
shift # past argument
;;
--fake-sign)
fake_sign=1
shift # past argument
;;
-*)
echo "Unknown option $1"
exit 1
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift # past argument
;;
esac
done
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
if [[ $# -ne 0 ]]; then
echo "Unknown positional arguments: $*"
exit 1
fi
if [[ -z ${ref} ]]; then
echo "Missing required argument --ref"
exit 1
fi
version_file=$(realpath @@VERSION@@)
stat "${version_file}" >> /dev/null
version=$(cat "${version_file}")
uplosi=$(realpath @@UPLOSI@@)
stat "${uplosi}" >> /dev/null
systemd_dissect=$(realpath @@DISSECT_TOOLCHAIN@@)
stat "${systemd_dissect}" >> /dev/null
export DISSECT_TOOLCHAIN="${systemd_dissect}"
cosign=$(realpath @@COSIGN@@)
stat "${cosign}" >> /dev/null
rekor_cli=$(realpath @@REKOR_CLI@@)
stat "${rekor_cli}" >> /dev/null
upload_cli=$(realpath @@UPLOAD_CLI@@)
stat "${upload_cli}" >> /dev/null
measured_boot=$(realpath @@MEASURED_BOOT@@)
stat "${measured_boot}" >> /dev/null
parallel=$(realpath @@PARALLEL@@)
stat "${parallel}" >> /dev/null
FILES=(@@FILES@@)
workspace=$(mktemp -d)
# shellcheck disable=SC2064
trap "rm -rf ${workspace}" EXIT
echo Uploading "${#FILES[@]}" OS images. This may take a while... >&2
"${parallel}" --will-cite \
"${upload_cli}" uplosi \
--uplosi-path "${uplosi}" \
--version "${version}" \
--ref "${ref}" \
--raw-image {} \
--out "${workspace}/image-upload-{#}.json" \
::: "${FILES[@]}"
"${upload_cli}" info "${workspace}/"image-upload-*.json
if [[ ${upload_signed_measurements} -eq 0 ]]; then
echo "Skipping signed measurements upload. Enable by setting --upload-measurements" >&2
exit 0
fi
echo Uploading signed measurements. This requires sudo and a signing key. >&2
i=1
for file in "${FILES[@]}"; do
combined_name=$(basename "$(dirname "${file}")")
IFS="_" read -r csp attestation_variant stream <<< "${combined_name}"
sudo -E "${measured_boot}" "${file}" "${workspace}/pcrs-${i}.json"
sudo chown "$(id -u -n)" "${workspace}/pcrs-${i}.json"
"${upload_cli}" measurements envelope \
--in "${workspace}/pcrs-${i}.json" \
--out "${workspace}/pcrs-${i}.json" \
--version "ref/${ref}/stream/${stream}/${version}" \
--csp "${csp}" \
--attestation-variant "${attestation_variant}"
i=$((i + 1))
done
"${upload_cli}" measurements merge \
--out "${workspace}/measurements.json" \
"${workspace}"/pcrs-*.json
if [[ ${fake_sign} -eq 1 ]]; then
echo "Skipping signing of measurements and using fake signature instead (--fake-sign is set)." >&2
echo "THOSE MEASUREMENTS BELONG TO A DEBUG IMAGE. THOSE ARE NOT SINGED BY ANY KEY." > "${workspace}/measurements.json.sig"
else
# shellcheck disable=SC2016
echo 'Creating real signature with keys referenced in $COSIGN_PUBLIC_KEY_PATH, $COSIGN_PRIVATE_KEY and $COSIGN_PASSWORD. Set "--fake-sign" for debugging purposes.' >&2
# Enabling experimental mode also publishes signature to Rekor
COSIGN_EXPERIMENTAL=1 "${cosign}" sign-blob --yes --key env://COSIGN_PRIVATE_KEY \
"${workspace}/measurements.json" > "${workspace}/measurements.json.sig"
# Verify - As documentation & check
# Local Signature (input: artifact, key, signature)
"${cosign}" verify-blob --key "${COSIGN_PUBLIC_KEY_PATH}" \
--signature "${workspace}/measurements.json.sig" \
"${workspace}/measurements.json"
# Transparency Log Signature (input: artifact, key)
uuid=$("${rekor_cli}" search --artifact "${workspace}/measurements.json" | tail -n 1)
sig=$("${rekor_cli}" get --uuid="${uuid}" --format=json | jq -r .Body.HashedRekordObj.signature.content)
"${cosign}" verify-blob --key "${COSIGN_PUBLIC_KEY_PATH}" --signature <(echo "${sig}") "${workspace}/measurements.json"
fi
"${upload_cli}" measurements upload \
--measurements "${workspace}/measurements.json" \
--signature "${workspace}/measurements.json.sig"