From 4e6f44e7b8d2b162f201bdd82b2dca691dc42258 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 11 Jul 2022 20:09:58 +0200
Subject: [PATCH] ci-automation: Generate digests files for the built artifacts
---
 ci-automation/ci_automation_common.sh | 3 ++-
 ci-automation/image.sh | 2 ++
 ci-automation/packages.sh | 6 +++++-
 ci-automation/sdk_bootstrap.sh | 11 +++++++----
 ci-automation/sdk_container.sh | 1 +
 ci-automation/vms.sh | 2 ++
 6 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/ci-automation/ci_automation_common.sh b/ci-automation/ci_automation_common.sh
index 903925d6bd..e1a96e563a 100644
--- a/ci-automation/ci_automation_common.sh
+++ b/ci-automation/ci_automation_common.sh
@@ -187,7 +187,8 @@ function docker_image_to_buildcache() {
 local tarball="$(basename "$image")-${version}.tar.gz"
 $docker save "${image}":"${version}" | $PIGZ -c > "${tarball}"
- sign_artifacts "${SIGNER:-}" "${tarball}"
+ create_digests "${SIGNER:-}" "${tarball}"
+ sign_artifacts "${SIGNER:-}" "${tarball}"*
 copy_to_buildcache "containers/${version}" "${tarball}"*
 }
 # --
diff --git a/ci-automation/image.sh b/ci-automation/image.sh
index e1d796b093..83fc2a30ba 100644
--- a/ci-automation/image.sh
+++ b/ci-automation/image.sh
@@ -39,6 +39,7 @@
 # 2. "./ci-cleanup.sh" with commands to clean up temporary build resources,
 # to be run after this step finishes / when this step is aborted.
 # 3. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
+# 4. DIGESTS of the artifacts from point 1, pushed to buildcache. If signer key was passed, armored ASCII files of the generated DIGESTS files too, pushed to buildcache.
 function image_build() {
 # Run a subshell, so the traps, environment changes and global
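Review bot: The widened glob on the new `sign_artifacts "${SIGNER:-}" "${tarball}"*` line in docker_image_to_buildcache signs every file in the working directory whose name starts with the tarball name, not only the tarball and the digests file written one line earlier. If that directory can hold leftovers from an earlier run (not visible here), they would receive a valid signature and be uploaded by the `copy_to_buildcache` line that follows; the same widening is applied to the `sign_artifacts` arguments in `_packages_build_impl` in packages.sh. Clearing stale matches before the tarball is written, for example `rm -f -- "${tarball}"*` ahead of the `$docker save` line, would keep the signed set equal to what this run produced. The function starts above the hunk, so an earlier cleanup may already exist there.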
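Review bot: The added item 4 in the image_build header describes the signer output as "armored ASCII files of the generated DIGESTS files", which leaves open whether these are signatures, and it does not say that DIGESTS written without a signer key are unauthenticated. A consumer relying on the digests should know that, unless the signed companion is verified, they detect corruption but not a replaced artifact. Suggested wording, assuming the armored files are signatures: `# 4. DIGESTS files for the artifacts from point 1, pushed to buildcache. If signer key was passed, ASCII-armored signatures of the DIGESTS files are pushed too; without one the DIGESTS are not authenticated.` The same sentence is added to the headers in packages.sh, sdk_bootstrap.sh, sdk_container.sh and vms.sh.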
@@ -105,6 +106,7 @@ function _image_build_impl() {
 # Delete uncompressed generic image before signing and upload
 rm "images/latest/flatcar_production_image.bin" "images/latest/flatcar_production_update.bin"
+ create_digests "${SIGNER}" "images/latest/"*
 sign_artifacts "${SIGNER}" "images/latest/"*
 copy_to_buildcache "images/${arch}/${vernum}/" "images/latest/"*
diff --git a/ci-automation/packages.sh b/ci-automation/packages.sh
index a6813e280a..77ab19aa28 100644
--- a/ci-automation/packages.sh
+++ b/ci-automation/packages.sh
@@ -64,6 +64,7 @@
 # 3. "./ci-cleanup.sh" with commands to clean up temporary build resources,
 # to be run after this step finishes / when this step is aborted.
 # 4. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
+# 5. DIGESTS of the artifacts from point 1, pushed to buildcache. If signer key was passed, armored ASCII files of the generated DIGESTS files too, pushed to buildcache.
 function packages_build() {
 # Run a subshell, so the traps, environment changes and global
@@ -175,9 +176,12 @@ function _packages_build_impl() {
 docker_commit_to_buildcache "${packages_container}" "${packages_image}" "${docker_vernum}"
 # Publish torcx manifest and docker tarball to "images" cache so tests can pull it later.
- sign_artifacts "${SIGNER}" \
+ create_digests "${SIGNER}" \
 "${torcx_tmp}/torcx/${arch}-usr/latest/torcx_manifest.json" \
 "${torcx_tmp}/torcx/pkgs/${arch}-usr/docker/"*/*.torcx.tgz
+ sign_artifacts "${SIGNER}" \
+ "${torcx_tmp}/torcx/${arch}-usr/latest/torcx_manifest.json"* \
+ "${torcx_tmp}/torcx/pkgs/${arch}-usr/docker/"*/*.torcx.tgz*
 copy_to_buildcache "images/${arch}/${vernum}/torcx" \
 "${torcx_tmp}/torcx/${arch}-usr/latest/torcx_manifest.json"*
 copy_to_buildcache "images/${arch}/${vernum}/torcx" \
diff --git a/ci-automation/sdk_bootstrap.sh b/ci-automation/sdk_bootstrap.sh
index b35f4192ca..b2e53d0b07 100644
--- a/ci-automation/sdk_bootstrap.sh
+++ b/ci-automation/sdk_bootstrap.sh
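Review bot: In `_image_build_impl`, `create_digests` and `sign_artifacts` each expand `"images/latest/"*` separately, so the second expansion also contains whatever the first call wrote into that directory. That is presumably how the DIGESTS files get signed, but if `create_digests` already emits armored files when a signer is passed (as the header comment says), `sign_artifacts` may receive those too, depending on how it filters its arguments; neither helper's body is shown in this patch. A comment stating the intended ordering would help, e.g. `# create_digests must run first: the glob below is re-expanded and picks up the DIGESTS files it wrote`. The same pair of lines is added to `_vm_build_impl` in vms.sh, and both functions extend beyond their hunks.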
@@ -56,6 +56,7 @@
 # 3. "./ci-cleanup.sh" with commands to clean up temporary build resources,
 # to be run after this step finishes / when this step is aborted.
 # 4. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
+# 5. DIGESTS of the artifacts from point 1, pushed to buildcache. If signer key was passed, armored ASCII files of the generated DIGESTS files too, pushed to buildcache.
 function sdk_bootstrap() {
 # Run a subshell, so the traps, environment changes and global
@@ -141,9 +142,11 @@ function _sdk_bootstrap_impl() {
 local uid=$(id --user)
 local gid=$(id --group)
 sudo chown --recursive "${uid}:${gid}" __build__
- cd "__build__/images/catalyst/builds/flatcar-sdk"
- sign_artifacts "${SIGNER}" "${dest_tarball}"*
- copy_to_buildcache "sdk/${ARCH}/${FLATCAR_SDK_VERSION}" "${dest_tarball}"*
- cd -
+ (
+ cd "__build__/images/catalyst/builds/flatcar-sdk"
+ create_digests "${SIGNER}" "${dest_tarball}"
+ sign_artifacts "${SIGNER}" "${dest_tarball}"*
+ copy_to_buildcache "sdk/${ARCH}/${FLATCAR_SDK_VERSION}" "${dest_tarball}"*
+ )
 }
 # --
diff --git a/ci-automation/sdk_container.sh b/ci-automation/sdk_container.sh
index 0677743b8a..fa77faa356 100644
--- a/ci-automation/sdk_container.sh
+++ b/ci-automation/sdk_container.sh
@@ -37,6 +37,7 @@
 # 2. "./ci-cleanup.sh" with commands to clean up temporary build resources,
 # to be run after this step finishes / when this step is aborted.
 # 3. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
+# 4. DIGESTS of the artifacts from point 1, pushed to buildcache. If signer key was passed, armored ASCII files of the generated DIGESTS files too, pushed to buildcache.
 function sdk_container_build() {
 # Run a subshell, so the traps, environment changes and global
diff --git a/ci-automation/vms.sh b/ci-automation/vms.sh
index b832ab0084..60765b9bd3 100644
--- a/ci-automation/vms.sh
+++ b/ci-automation/vms.sh
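Review bot: The `cd` at the top of the new subshell in `_sdk_bootstrap_impl` is unchecked, so if errexit is not in effect at this point (not visible in the hunk) a failed `cd` lets `create_digests`, `sign_artifacts` and `copy_to_buildcache` run against the caller's directory, where `"${dest_tarball}"*` may match nothing or the wrong files. Writing it as `cd "__build__/images/catalyst/builds/flatcar-sdk" || exit 1` makes the subshell fail closed regardless of shell options. The function starts above the hunk.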
@@ -42,6 +42,7 @@
 # 2. "./ci-cleanup.sh" with commands to clean up temporary build resources,
 # to be run after this step finishes / when this step is aborted.
 # 3. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
+# 4. DIGESTS of the artifacts from point 1, pushed to buildcache. If signer key was passed, armored ASCII files of the generated DIGESTS files too, pushed to buildcache.
 function vm_build() {
 # Run a subshell, so the traps, environment changes and global
@@ -131,6 +132,7 @@ function _vm_build_impl() {
 -v "${vernum}" \
 mv "${CONTAINER_IMAGE_ROOT}/${arch}-usr/" "./${images_out}/"
+ create_digests "${SIGNER}" "images/latest/"*
 sign_artifacts "${SIGNER}" "images/latest/"*
 copy_to_buildcache "images/${arch}/${vernum}/" "images/latest/"*
 }