Add support for protected signing key

Signed-off-by: jkr0103 <[email protected]>
gramineproject · Sep 29, 2023 · aa24df6 · aa24df6
1 parent 5099b64
commit aa24df6
Show file tree

Hide file tree

Showing 7 changed files with 6 additions and 32 deletions.
diff --git a/gsc.py b/gsc.py
@@ -381,12 +381,9 @@ def gsc_sign_image(args):
     with open(tmp_build_path / 'Dockerfile.sign', 'w') as dockerfile:
         dockerfile.write(sign_template.render(image=unsigned_image_name))
 
-    # copy user-provided signing key and signing Bash script to our tmp build dir (to copy them
-    # later inside Docker image)
+    # copy user-provided signing key to our tmp build dir (to copy it later inside Docker image)
     tmp_build_key_path = tmp_build_path / 'gsc-signer-key.pem'
-    tmp_build_sign_path = tmp_build_path / 'sign.sh'
     shutil.copyfile(os.path.abspath(args.key), tmp_build_key_path)
-    shutil.copy(os.path.abspath('sign.sh'), tmp_build_sign_path)
 
     try:
         # `forcerm` parameter forces removal of intermediate Docker images even after unsuccessful

diff --git a/sign.sh b/sign.sh
diff --git a/templates/Dockerfile.common.sign.template b/templates/Dockerfile.common.sign.template
@@ -3,13 +3,11 @@ FROM {{image}} as unsigned_image
 COPY gsc-signer-key.pem /gramine/app_files/gsc-signer-key.pem
 
 ARG passphrase
-COPY sign.sh /gramine/app_files/sign.sh
-
-RUN {% block path %}{% endblock %} /gramine/app_files/sign.sh \
-      /gramine/app_files/gsc-signer-key.pem \
-      /gramine/app_files/entrypoint.manifest \
-      /gramine/app_files/entrypoint.manifest.sgx \
-      $passphrase
+RUN {% block path %}{% endblock %} gramine-sgx-sign \
+      --key /gramine/app_files/gsc-signer-key.pem \
+      --manifest /gramine/app_files/entrypoint.manifest \
+      --output /gramine/app_files/entrypoint.manifest.sgx \
+      --passphrase $passphrase
 
 # This trick removes all temporary files from the previous commands (including gsc-signer-key.pem
 # and passphrase)

diff --git a/templates/centos/Dockerfile.build.template b/templates/centos/Dockerfile.build.template
@@ -12,7 +12,6 @@ RUN dnf update -y \
     &&  dnf install -y \
         binutils \
         epel-release \
-        expect \
         openssl \
         protobuf-c-devel \
         python3 \

diff --git a/templates/centos/Dockerfile.sign.template b/templates/centos/Dockerfile.sign.template
@@ -6,7 +6,6 @@ RUN \
           tomli tomli-w \
        && dnf remove -y binutils \
           epel-release \
-          expect \
           openssl \
           python3-protobuf \
           python3-pyelftools \

diff --git a/templates/debian/Dockerfile.build.template b/templates/debian/Dockerfile.build.template
@@ -8,7 +8,6 @@
 RUN apt-get update \
     && env DEBIAN_FRONTEND=noninteractive apt-get install -y \
         binutils \
-        expect \
         libprotobuf-c-dev \
         locales \
         openssl \

diff --git a/templates/debian/Dockerfile.sign.template b/templates/debian/Dockerfile.sign.template
@@ -4,7 +4,6 @@
 {% set distro = Distro.split(':') %}
 RUN \
         apt-get remove -y binutils \
-        expect \
         openssl \
         python3-protobuf \
         python3-cryptography \