feat: have repros sign digests target

tkhq · Oct 18, 2024 · edbeda3 · edbeda3
1 parent 276b96b
commit edbeda3
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/.repros/config.yml b/.repros/config.yml
@@ -1,7 +1,7 @@
 build:
   command: make
 sign:
-  file: out/manifest.txt
+  file: out/digests.txt
   format: raw
   method: ssh
   backing: tpm

diff --git a/Makefile b/Makefile
@@ -3,7 +3,10 @@ include src/macros.mk
 REGISTRY := local
 .DEFAULT_GOAL :=
 .PHONY: default
-default: \
+default: out/digests.txt
+
+.PHONY: all
+all: \
 	out/qos_client/index.json \
 	out/qos_host/index.json \
 	out/qos_enclave/index.json
@@ -39,6 +42,9 @@ shell: out/.common-loaded
 		qos-local/common:latest \
 		/bin/bash
 
+out/digests.txt: all
+	@$(call digests) > $@
+
 out/nitro.pcrs: out/qos_enclave.tar
 	@$(call run,/src/scripts/extract_oci_file.sh qos_enclave.tar nitro.pcrs)
 

diff --git a/src/macros.mk b/src/macros.mk
@@ -13,6 +13,18 @@ define run
 		/bin/sh -c "set -eu; $(1)"
 endef
 
+define digests
+	find out -iname "index.json" \
+	| awk -F/ '{print $$2}' \
+	| sort \
+	| while IFS= read -r package; do \
+	    jq \
+	        -jr '.manifests[].digest | sub ("sha256:";"")' \
+	        out/$${package}/index.json; \
+	    printf " %s\n" "$${package}"; \
+	done
+endef
+
 define build_context
 $$( \
 	self=$(1); \