verified-builds: add attestations to pushimage

Attestations provide the assertions about an artifact
that the signer will eventually use to make yes/no
signing decisions, as part of a larger effort to introduce
Verified Builds to Chrome and Chrome OS.

The attestations archive contains one JSON file per
artifact of interest (image or update payload).

It will eventually contain one JSON file per item signed
by the signer. There is one archive generated per build.

The location of the archive is determined in the recipe
by parsing the return value of the build API. Said API response
is used by the cros_provenance recipe module to generate
the archive.

Provenance generation and upload are introduced in crrev/c/3362671.

BUG=chromium:1274931
TEST=ran tests

Change-Id: I96e37395e493060cea4f6ae7da9e7daef9e445a0
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/chromite/+/3386853
Reviewed-by: Alex Klein <saklein@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Yulan Lin <yulanlin@google.com>
Tested-by: Yulan Lin <yulanlin@google.com>
diff --git a/scripts/pushimage.py b/scripts/pushimage.py
index bd16e5c..d507e93 100644
--- a/scripts/pushimage.py
+++ b/scripts/pushimage.py
@@ -417,6 +417,7 @@
         (hwqual_tarball, None, None),
         ('stateful.tgz', None, None),
         ('dlc', None, None),
+        (constants.ARTIFACT_PROVENANCE_MANIFESTS, None, None),
         (constants.QUICK_PROVISION_PAYLOAD_KERNEL, None, None),
         (constants.QUICK_PROVISION_PAYLOAD_ROOTFS, None, None),
         (constants.QUICK_PROVISION_PAYLOAD_MINIOS, None, None),
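Review bot: The added `(constants.ARTIFACT_PROVENANCE_MANIFESTS, None, None)` entry carries no comment, and this diff contains no test change for it, even though the commit message says these attestations will feed the signer's yes/no signing decisions. Suggest a one-line comment above the entry saying it is the per-build attestations archive, plus a test asserting the entry is among the files pushed, so a later reorder or removal of this list does not silently drop it. It is also worth stating in the description how pushimage behaves for a build where the archive was never generated (the producer lands separately in crrev/c/3362671): the `None, None` fields mirror neighbours such as 'dlc' and 'stateful.tgz' and do not show whether the file is required or optional.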