From 077f17fb05432964553e17815094610c9d3f42a8 Mon Sep 17 00:00:00 2001 From: Hendrik Eeckhaut Date: Fri, 28 Feb 2025 08:55:44 +0100 Subject: [PATCH 01/11] ci: calculate SGX mr_enclave for notary server in gramine docker --- .github/workflows/ci.yml | 109 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 107 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 619d2e6dce..48b16f5829 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,7 +17,7 @@ env: # - https://github.com/privacy-scaling-explorations/mpz/issues/178 # 32 seems to be big enough for the foreseeable future RAYON_NUM_THREADS: 32 - + GIT_COMMIT_HASH: ${{ github.event.pull_request.head.sha || github.sha }} jobs: fmt: name: Check formatting @@ -38,6 +38,7 @@ jobs: - name: Check formatting run: cargo +nightly fmt --check --all + build-and-test: name: Build and test runs-on: ubuntu-latest @@ -62,6 +63,7 @@ jobs: - name: Test run: cargo test + wasm: name: Build and Test wasm runs-on: ubuntu-latest @@ -136,6 +138,7 @@ jobs: - name: Run integration tests run: cargo test --profile tests-integration --workspace --exclude tlsn-tls-client --exclude tlsn-tls-core -- --include-ignored + coverage: runs-on: ubuntu-latest env: 
@@ -155,4 +158,106 @@ jobs: with: token: ${{ secrets.CODECOV_TOKEN }} files: lcov.info - fail_ci_if_error: true \ No newline at end of file + fail_ci_if_error: true + + build-sgx: + runs-on: ubuntu-latest + needs: build-and-test + container: + image: rust:latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install Clang + run: | + apt update + apt install -y clang + + - name: Cache Cargo Dependencies + uses: actions/cache@v4 + with: + path: | + ~/.cargo/registry + ~/.cargo/git + target + key: rust-cache-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }} + restore-keys: | + rust-cache-${{ runner.os }}- + + - name: Build Rust Binary + run: | + cargo build --bin notary-server --release --features tee_quote + cp --verbose target/release/notary-server $GITHUB_WORKSPACE + + - name: Upload Binary for use in the Gramine Job + uses: actions/upload-artifact@v4 + with: + name: notary-server + path: notary-server + if-no-files-found: error + retention-days: 1 # Auto-delete after 1 day, no need to keep it around because it is part of the zipfile b + + gramine-sgx: + runs-on: ubuntu-latest + needs: build-sgx + environment: tee + container: + image: gramineproject/gramine:latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Restore SGX signing key from secrets + run: | + mkdir -p "${HOME}/.config/gramine/" + echo "${{ secrets.SGX_SIGNING_KEY }}" > "${HOME}/.config/gramine/enclave-key.pem" + # verify key + openssl rsa -in "${HOME}/.config/gramine/enclave-key.pem" -check -noout + + - name: Download notary-server binary from build job + uses: actions/download-artifact@v4 + with: + name: notary-server + path: crates/notary/server/tee + + - name: Install jq + run: | + apt update + apt install -y jq + + - name: Run notary-server in Gramine + run: | + cd crates/notary/server/tee + + gramine-manifest \ + -Dlog_level=debug \ + -Darch_libdir=/lib/x86_64-linux-gnu \ + -Dself_exe=notary-server \ + 
notary-server.manifest.template \ + notary-server.manifest + + gramine-sgx-sign \ + --manifest notary-server.manifest \ + --output notary-server.manifest.sgx + + gramine-sgx-sigstruct-view --verbose --output-format=json notary-server.sig | tee >> notary-server-sigstruct.json + + mr_enclave=$(gramine-sgx-sigstruct-view --verbose --output-format=json notary-server.sig | jq .mr_enclave) + echo "mrenclave=$mr_enclave" >>"$GITHUB_OUTPUT" + echo "#### sgx mrenclave" | tee >>$GITHUB_STEP_SUMMARY + echo "\`\`\`${mr_enclave}\`\`\`" | tee >>$GITHUB_STEP_SUMMARY + + # gramine-sgx $GITHUB_WORKSPACE/tlsn/crates/notary/server/tee/notary-server + - name: Upload notary-server and signatures + uses: actions/upload-artifact@v4 + with: + name: notary-server-sgx.zip + path: | + crates/notary/server/tee/notary-server + crates/notary/server/tee/notary-server-sigstruct.json + crates/notary/server/tee/notary-server.* + crates/notary/server/tee/notary-server/config + if-no-files-found: error \ No newline at end of file From fc6f8e2cf941c1fe04f61082c049ce751783b7ce Mon Sep 17 00:00:00 2001 From: Hendrik Eeckhaut Date: Fri, 28 Feb 2025 09:57:32 +0100 Subject: [PATCH 02/11] test: different caching + remove intermediate artifact --- .github/workflows/ci.yml | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 48b16f5829..76dcf57f94 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -175,16 +175,8 @@ jobs: apt update apt install -y clang - - name: Cache Cargo Dependencies - uses: actions/cache@v4 - with: - path: | - ~/.cargo/registry - ~/.cargo/git - target - key: rust-cache-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }} - restore-keys: | - rust-cache-${{ runner.os }}- + - name: Use caching + uses: Swatinem/rust-cache@v2.7.3 - name: Build Rust Binary run: | 
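Review bot: The `gramine-sgx-sigstruct-view … | tee >> notary-server-sigstruct.json` pipeline in the "Run notary-server in Gramine" step still passes when `gramine-sgx-sigstruct-view` fails, because the step sets no `shell: bash` and so runs without `pipefail`; `mr_enclave` would then be empty and the job would go on to upload and summarise it. Adding `shell: bash` to the step (or `set -eo pipefail` as the script's first line) closes that, and `tee notary-server-sigstruct.json` is the intended form, since with the file attached to the `>>` redirect instead of to `tee` nothing reaches the log. The `echo "mrenclave=$mr_enclave" >>"$GITHUB_OUTPUT"` line is unreachable from any other step or job because the step has no `id:` and the job declares no `outputs:`; the same holds for the rewritten line in PATCH 05 (`@@ -236,10 +239,15`). A measurement clients will pin is only meaningful if the build is reproducible, yet both jobs pull `rust:latest` and `gramineproject/gramine:latest` and build without `--locked`; pinning the images by digest (`image: rust@sha256:<image-digest>`) and using `cargo build --locked …` keeps MR_ENCLAVE stable across reruns. The key material would be better written as `printf '%s\n' "$SGX_SIGNING_KEY" > "${HOME}/.config/gramine/enclave-key.pem"` with the secret bound through the step's `env:` and followed by `chmod 600` on the file, rather than expanding `${{ secrets.SGX_SIGNING_KEY }}` into the script text.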
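Review bot: `uses: Swatinem/rust-cache@v2.7.3` pins a third-party action to a mutable tag inside the job that produces the enclave binary whose MR_ENCLAVE clients will pin; a tag can be moved to different code, so the reference should be the full commit SHA with the version kept as a comment, `uses: Swatinem/rust-cache@<full-commit-sha> # v2.7.3`. The same applies to `geekyeggo/delete-artifact@v5` in the next hunk (`@@ -260,4 +251,7`) and to `actions/attest-build-provenance@v2` in PATCH 09. Because this action also restores `target/` into a build whose output is measured, consider giving it a job-specific `key:` so no other job's cache entries feed the SGX build.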
@@ -197,7 +189,6 @@ jobs: name: notary-server path: notary-server if-no-files-found: error - retention-days: 1 # Auto-delete after 1 day, no need to keep it around because it is part of the zipfile b gramine-sgx: runs-on: ubuntu-latest @@ -260,4 +251,7 @@ jobs: crates/notary/server/tee/notary-server-sigstruct.json crates/notary/server/tee/notary-server.* crates/notary/server/tee/notary-server/config - if-no-files-found: error \ No newline at end of file + if-no-files-found: error + - uses: geekyeggo/delete-artifact@v5 # Delete notary-server from the build job, It is part of the zipfile with the signature + with: + name: notary-server \ No newline at end of file From 8798d3b17979f1842751ff8ef206f905f688f2b5 Mon Sep 17 00:00:00 2001 From: Hendrik Eeckhaut Date: Fri, 28 Feb 2025 11:57:52 +0100 Subject: [PATCH 03/11] test --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 76dcf57f94..25c676938a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -250,7 +250,7 @@ jobs: crates/notary/server/tee/notary-server crates/notary/server/tee/notary-server-sigstruct.json crates/notary/server/tee/notary-server.* - crates/notary/server/tee/notary-server/config + crates/notary/server/tee/notary-server/config/config.yaml if-no-files-found: error - uses: geekyeggo/delete-artifact@v5 # Delete notary-server from the build job, It is part of the zipfile with the signature with: From f10cc97ede2008b49a11749eadab71c0a1524f4d Mon Sep 17 00:00:00 2001 From: Hendrik Eeckhaut Date: Fri, 28 Feb 2025 14:17:07 +0100 Subject: [PATCH 04/11] wip --- crates/notary/server/tee/notary-server-sgx.md | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 crates/notary/server/tee/notary-server-sgx.md diff --git a/crates/notary/server/tee/notary-server-sgx.md b/crates/notary/server/tee/notary-server-sgx.md new file mode 100644 index 0000000000..ed05553a5d 
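Review bot: The `geekyeggo/delete-artifact@v5` step only runs when every earlier step in `gramine-sgx` succeeded, so on any failure in that job the unsigned intermediate `notary-server` artifact stays for the default retention period; `if: always()` on that step removes it regardless of outcome. The trailing comment would read better as `# delete the intermediate notary-server artifact from the build job; the signed copy is in the zip`.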
--- /dev/null +++ b/crates/notary/server/tee/notary-server-sgx.md @@ -0,0 +1,31 @@ +To run the TLSNotary notary server in secure Intel SGX hardware, do ... + +## Make sure ... is installed + +``` +wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key +cat intel-sgx-deb.key | sudo tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null + +# Add the following repository to your sources: +echo 'deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu noble main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list + + +sudo apt-get update +sudo apt-get install libsgx-epid libsgx-quote-ex libsgx-dcap-ql -y +``` + +[More info](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_SW_Installation_Guide_for_Linux.pdf) + +## Verify the signature + +docker run --rm -v "$(pwd):/work" -w /work gramineproject/gramine:latest "gramine-sgx-sigstruct-view notary-server.sig" + + +## To run the notary + +``` +docker run -it --device /dev/sgx_enclave --device /dev/sgx_provision \ + --volume=/var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \ + -p 7047:7047 --rm -v "$(pwd):/work" -w /work gramineproject/gramine:latest \ + "bash -c \"mkdir -p /ephemeral && chmod u+x notary-server && gramine-sgx notary-server\"" +``` \ No newline at end of file From 2952ab1aee158045bc1969f5bc6d1ea96009cebd Mon Sep 17 00:00:00 2001 From: Hendrik Eeckhaut Date: Fri, 28 Feb 2025 14:36:07 +0100 Subject: [PATCH 05/11] test --- .github/workflows/ci.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 25c676938a..1a6743657f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -207,6 +207,9 @@ jobs: echo "${{ secrets.SGX_SIGNING_KEY }}" > "${HOME}/.config/gramine/enclave-key.pem" # verify key openssl rsa -in "${HOME}/.config/gramine/enclave-key.pem" -check -noout + # mr_signer? + echo "mr_signer?" + openssl rsa -in enclave-key.pem -pubout -outform DER | sha256sum - name: Download notary-server binary from build job uses: actions/download-artifact@v4 @@ -236,10 +239,15 @@ jobs: gramine-sgx-sigstruct-view --verbose --output-format=json notary-server.sig | tee >> notary-server-sigstruct.json - mr_enclave=$(gramine-sgx-sigstruct-view --verbose --output-format=json notary-server.sig | jq .mr_enclave) + cat notary-server-sigstruct.json + + mr_enclave=$(jq -r '.mr_enclave' notary-server-sigstruct.json) + mr_signer=$(jq -r '.mr_signer' notary-server-sigstruct.json) + echo "mrenclave=$mr_enclave" >>"$GITHUB_OUTPUT" echo "#### sgx mrenclave" | tee >>$GITHUB_STEP_SUMMARY - echo "\`\`\`${mr_enclave}\`\`\`" | tee >>$GITHUB_STEP_SUMMARY + echo "\`\`\`mr_enclave: ${mr_enclave}\`\`\`" | tee >>$GITHUB_STEP_SUMMARY + echo "\`\`\`mr_signer: ${mr_signer}\`\`\`" | tee >>$GITHUB_STEP_SUMMARY # gramine-sgx $GITHUB_WORKSPACE/tlsn/crates/notary/server/tee/notary-server - name: Upload notary-server and signatures @@ -250,7 +258,7 @@ jobs: crates/notary/server/tee/notary-server crates/notary/server/tee/notary-server-sigstruct.json crates/notary/server/tee/notary-server.* - crates/notary/server/tee/notary-server/config/config.yaml + crates/notary/server/tee/config if-no-files-found: error - uses: geekyeggo/delete-artifact@v5 # Delete notary-server from the build job, It is part of the zipfile with the signature with: From 4165870f5cee2c759781adf2fbd04e7ef1be2385 Mon Sep 17 00:00:00 2001 From: Hendrik Eeckhaut Date: Fri, 28 Feb 2025 15:23:27 +0100 Subject: [PATCH 06/11] Added documentation --- .github/workflows/ci.yml | 10 +-- crates/notary/server/tee/notary-server-sgx.md | 62 ++++++++++++++----- 2 files changed, 54 insertions(+), 18 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1a6743657f..3c0e29612b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -207,9 +207,6 @@ jobs: echo "${{ secrets.SGX_SIGNING_KEY }}" > "${HOME}/.config/gramine/enclave-key.pem" # verify key openssl rsa -in "${HOME}/.config/gramine/enclave-key.pem" -check -noout - # mr_signer? - echo "mr_signer?" - openssl rsa -in enclave-key.pem -pubout -outform DER | sha256sum - name: Download notary-server binary from build job uses: actions/download-artifact@v4 @@ -226,6 +223,8 @@ jobs: run: | cd crates/notary/server/tee + chmod +x notary-server + gramine-manifest \ -Dlog_level=debug \ -Darch_libdir=/lib/x86_64-linux-gnu \ @@ -257,8 +256,11 @@ jobs: path: | crates/notary/server/tee/notary-server crates/notary/server/tee/notary-server-sigstruct.json - crates/notary/server/tee/notary-server.* + crates/notary/server/tee/notary-server.sig + crates/notary/server/tee/notary-server.manifest + crates/notary/server/tee/notary-server.manifest.sgx crates/notary/server/tee/config + crates/notary/server/tee/notary-server-sgx.md if-no-files-found: error - uses: geekyeggo/delete-artifact@v5 # Delete notary-server from the build job, It is part of the zipfile with the signature with: diff --git a/crates/notary/server/tee/notary-server-sgx.md b/crates/notary/server/tee/notary-server-sgx.md index ed05553a5d..815ed7bddd 100644 --- a/crates/notary/server/tee/notary-server-sgx.md +++ b/crates/notary/server/tee/notary-server-sgx.md 
@@ -1,31 +1,65 @@ -To run the TLSNotary notary server in secure Intel SGX hardware, do ... +# TLSNotary Notary Server for Intel SGX -## Make sure ... is installed +This package contains the **SGX-enabled version of the TLSNotary Notary Server**, built with **Gramine** to run securely on Intel SGX hardware. Follow the instructions below to install dependencies, verify the integrity of the enclave, and launch the server. -``` +## Install Intel SGX Drivers & Runtime Dependencies + +Ensure your system has the required Intel SGX components installed. + +```sh wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key cat intel-sgx-deb.key | sudo tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null -# Add the following repository to your sources: +# Add the repository to your sources: echo 'deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu noble main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list - sudo apt-get update sudo apt-get install libsgx-epid libsgx-quote-ex libsgx-dcap-ql -y ``` -[More info](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_SW_Installation_Guide_for_Linux.pdf) +For more details, refer to the official **[Intel SGX Installation Guide](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_SW_Installation_Guide_for_Linux.pdf).** -## Verify the signature +## Verify the Enclave Signature (`MR_ENCLAVE`, `MR_SIGNER`) -docker run --rm -v "$(pwd):/work" -w /work gramineproject/gramine:latest "gramine-sgx-sigstruct-view notary-server.sig" +Before running the Notary Server, verify that the provided **enclave signature (`.sig`)** matches the expected **`MR_ENCLAVE` and `MR_SIGNER`** values. 
+Run the following command inside a **Gramine Docker container** to inspect the enclave's signature: -## To run the notary - +```sh +docker run --rm -v "$(pwd):/work" -w /work gramineproject/gramine:latest \ + "gramine-sgx-sigstruct-view --verbose --output-format=json notary-server.sig" ``` -docker run -it --device /dev/sgx_enclave --device /dev/sgx_provision \ + +The output should be the same as `notary-server-sigstruct.json` + +## Run the Notary Server in SGX + +Once verification is complete, you can start the Notary Server inside a **Gramine-protected SGX enclave**. + +```sh +docker run --detach \ + --restart=unless-stopped \ + --device=/dev/sgx_enclave \ + --device=/dev/sgx_provision \ --volume=/var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \ - -p 7047:7047 --rm -v "$(pwd):/work" -w /work gramineproject/gramine:latest \ - "bash -c \"mkdir -p /ephemeral && chmod u+x notary-server && gramine-sgx notary-server\"" -``` \ No newline at end of file + --publish=7047:7047 \ + --volume="$(pwd):/work" \ + --workdir=/work \ + gramineproject/gramine:latest \ + "bash -c \"chmod u+x notary-server && gramine-sgx notary-server\"" +``` + +Notes: +- `--device /dev/sgx_enclave --device /dev/sgx_provision` → Exposes SGX devices. +- `--volume=/var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket` → Enables access to **Intel's AESM daemon** (required for remote attestation). +- `-p 7047:7047` → Exposes the notary server on port **7047**. + +## Attestation & Verification + +The Notary Server runs inside an **Intel SGX enclave**, which supports **remote attestation**. When connecting to it, clients should request an **SGX quote** to verify: + +- **MR_ENCLAVE** (ensures the correct enclave binary is running). +- **MR_SIGNER** (ensures the enclave was signed by the expected key). +- **Quote Freshness** (prevents replay attacks). + +To retrieve the SGX attestation quote, navigate to `:7047/info` \ No newline at end of file 
From 1fcbe96890c94614d3659e20433674c60640d0b2 Mon Sep 17 00:00:00 2001 From: Hendrik Eeckhaut Date: Fri, 28 Feb 2025 15:47:43 +0100 Subject: [PATCH 07/11] improvements --- .github/workflows/ci.yml | 1 - crates/notary/server/tee/notary-server-sgx.md | 7 +++++-- crates/notary/server/tee/notary-server.manifest.template | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3c0e29612b..0e9b53b1dd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -248,7 +248,6 @@ jobs: echo "\`\`\`mr_enclave: ${mr_enclave}\`\`\`" | tee >>$GITHUB_STEP_SUMMARY echo "\`\`\`mr_signer: ${mr_signer}\`\`\`" | tee >>$GITHUB_STEP_SUMMARY - # gramine-sgx $GITHUB_WORKSPACE/tlsn/crates/notary/server/tee/notary-server - name: Upload notary-server and signatures uses: actions/upload-artifact@v4 with: diff --git a/crates/notary/server/tee/notary-server-sgx.md b/crates/notary/server/tee/notary-server-sgx.md index 815ed7bddd..6326026f91 100644 --- a/crates/notary/server/tee/notary-server-sgx.md +++ b/crates/notary/server/tee/notary-server-sgx.md @@ -46,7 +46,7 @@ docker run --detach \ --volume="$(pwd):/work" \ --workdir=/work \ gramineproject/gramine:latest \ - "bash -c \"chmod u+x notary-server && gramine-sgx notary-server\"" + "gramine-sgx notary-server" ``` Notes: @@ -62,4 +62,7 @@ The Notary Server runs inside an **Intel SGX enclave**, which supports **remote - **MR_SIGNER** (ensures the enclave was signed by the expected key). - **Quote Freshness** (prevents replay attacks). -To retrieve the SGX attestation quote, navigate to `:7047/info` \ No newline at end of file +To retrieve the SGX attestation quote, navigate to `:7047/info`: +``` +curl localhost:7047/info | jq +``` \ No newline at end of file diff --git a/crates/notary/server/tee/notary-server.manifest.template b/crates/notary/server/tee/notary-server.manifest.template index 40ab8a3545..a766eb89dc 100644 
--- a/crates/notary/server/tee/notary-server.manifest.template +++ b/crates/notary/server/tee/notary-server.manifest.template @@ -42,4 +42,4 @@ sys.disallow_subprocesses = true #### tlsn rev sgx.isvprodid = 7 #### F -sgx.isvsvn = 46 +sgx.isvsvn = 1 From ae9f49f5bc5db8badf0c300ac6cd84356d55cb3b Mon Sep 17 00:00:00 2001 From: Hendrik Eeckhaut Date: Sun, 2 Mar 2025 23:09:26 +0100 Subject: [PATCH 08/11] ci: remove old tee github workflow --- .github/workflows/tee-ci.yml | 39 ------------------------------------ 1 file changed, 39 deletions(-) delete mode 100644 .github/workflows/tee-ci.yml diff --git a/.github/workflows/tee-ci.yml b/.github/workflows/tee-ci.yml deleted file mode 100644 index aae7bb51ef..0000000000 --- a/.github/workflows/tee-ci.yml +++ /dev/null @@ -1,39 +0,0 @@ -name: tee-build - -on: - push: - branches: [ "dev" ] - -concurrency: - group: ${{ github.head_ref || github.run_id }} - cancel-in-progress: true - -jobs: - build-measure-emulated: - environment: tee - runs-on: [self-hosted, linux] - container: - image: notaryserverbuilds.azurecr.io/prod/gramine - credentials: - username: notaryserverbuilds - password: ${{ secrets.AZURE_CR_BUILDS_PW }} - env: - GIT_COMMIT_HASH: ${{ github.event.pull_request.head.sha || github.sha }} - steps: - - name: get code - uses: actions/checkout@v4 - - name: sccache - if: github.event_name != 'release' - # && github.event_name != 'workflow_dispatch' - uses: mozilla-actions/sccache-action@v0.0.6 - - name: set rust env for scc - if: github.event_name != 'release' - # && github.event_name != 'workflow_dispatch' - run: | - echo "SCCACHE_GHA_ENABLED=true" >> $GITHUB_ENV - echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV - - - name: get emulated measurement (call gramine.sh without the sgx arg) - working-directory: ${{ github.workspace }}/crates/notary/server/tee - run: | - chmod +x ../../../../.github/scripts/gramine.sh && ../../../../.github/scripts/gramine.sh From 2edcc28d1faeefce922e661988e58fad8b354172 Mon Sep 17 00:00:00 2001 
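Review bot: Lowering `sgx.isvsvn` from 46 to 1 resets the enclave's security version number, which verifier policies (minimum ISV SVN for `sgx.isvprodid = 7`) and, as far as I recall, SGX sealing-key derivation compare monotonically; any client that already accepted only ISV SVN ≥ 46 of this product will treat the new build as a rollback. If 46 was never used in a deployed enclave, a comment stating that, e.g. `# ISV SVN: bump on every security-relevant release; reset to 1 for the Gramine CI build, no earlier SVN was deployed`, documents the reset; otherwise the value should stay monotonic. The `#### F` comment above the line looks like a cut-off fragment and should say what the field is.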
From: Hendrik Eeckhaut Date: Sun, 2 Mar 2025 23:28:21 +0100 Subject: [PATCH 09/11] ci: attest build result for dev branch builds and releases --- .github/workflows/ci.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0e9b53b1dd..19d6c478cf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,6 +8,11 @@ on: - "[v]?[0-9]+.[0-9]+.[0-9]+*" pull_request: +permissions: + id-token: write + contents: read + attestations: write + env: CARGO_TERM_COLOR: always CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse @@ -249,6 +254,7 @@ jobs: echo "\`\`\`mr_signer: ${mr_signer}\`\`\`" | tee >>$GITHUB_STEP_SUMMARY - name: Upload notary-server and signatures + id: upload-notary-server-sgx uses: actions/upload-artifact@v4 with: name: notary-server-sgx.zip @@ -261,6 +267,14 @@ jobs: crates/notary/server/tee/config crates/notary/server/tee/notary-server-sgx.md if-no-files-found: error + + - name: Attest Build Provenance + if: startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/dev' + uses: actions/attest-build-provenance@v2 + with: + subject-name: notary-server-sgx.zip + subject-digest: sha256:${{ steps.upload-notary-server-sgx.outputs.artifact-digest }} + - uses: geekyeggo/delete-artifact@v5 # Delete notary-server from the build job, It is part of the zipfile with the signature with: name: notary-server \ No newline at end of file From 22210f61963370e945c7f3921a4c52283fc8aefe Mon Sep 17 00:00:00 2001 From: Hendrik Eeckhaut Date: Mon, 3 Mar 2025 12:57:21 +0100 Subject: [PATCH 10/11] Update .github/workflows/ci.yml Co-authored-by: yuroitaki <25913766+yuroitaki@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 19d6c478cf..29cbf2ebd8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
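Review bot: The new workflow-level `permissions:` block grants `id-token: write` and `attestations: write` to every job in ci.yml, including the fmt, build-and-test, wasm and coverage jobs that never attest anything and also run on `pull_request`; the grant belongs in a job-level `permissions:` on `gramine-sgx`, with only `contents: read` kept at the top level, so the OIDC token and attestation scope are exposed only where the `Attest Build Provenance` step runs. Since the attest step is conditional on tags and `dev`, the unconditional `delete-artifact` step after it is unaffected, but note that a failed attestation now leaves the intermediate `notary-server` artifact in place as well.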
@@ -185,7 +185,7 @@ jobs: - name: Build Rust Binary run: | - cargo build --bin notary-server --release --features tee_quote + cargo build --bin notary-server --release --features tee_quote cp --verbose target/release/notary-server $GITHUB_WORKSPACE - name: Upload Binary for use in the Gramine Job From a9bb4bd5a1a31dc4d43f91469e6ccbb279d36e10 Mon Sep 17 00:00:00 2001 From: Hendrik Eeckhaut Date: Mon, 3 Mar 2025 13:10:47 +0100 Subject: [PATCH 11/11] review feedback --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 29cbf2ebd8..9656edfbd5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -224,7 +224,7 @@ jobs: apt update apt install -y jq - - name: Run notary-server in Gramine + - name: Use Gramine to calculate measurements run: | cd crates/notary/server/tee