Creating a signed contract
This step must be performed by the Data Owner.
Prerequisites
- You have the `attestation_public_key.pub` from the Auditor, if you are creating the contract with attestation encryption.
Procedure
- Copy `encrypted-workload.yaml`, `encrypted-env.yaml`, `envWorkloadSignature.txt` and the `boot` section into the `user-data.yaml` file. The final `user-data.yaml` must look like the examples below. Note that only the Bare Metal deployment carries a `boot` section; the Peerpod deployment does not.

Bare Metal deployment example:

```yaml
workload: hyper-protect-basic.js7TGt77EQ5bgTIKk5C0pViFTRHqWtn..............
env: hyper-protect-basic.VWg/5/SWE+9jLfhr8q4i.........
envWorkloadSignature: Icbm1D/CVpLNYkWRC9e .....
boot: |
  sehdr: SUJNU2VjRXgAAAEAAAAPoH90OdZW...........
```

Peerpod deployment example:

```yaml
workload: hyper-protect-basic.js7TGt77EQ5bgTIKk5C0pViFTRHqWtn..............
env: hyper-protect-basic.VWg/5/SWE+9jLfhr8q4i.........
envWorkloadSignature: Icbm1D/CVpLNYkWRC9e .....
```

- If you are creating the contract with attestation encryption, you must also perform the Additional steps for attestation encryption contract.
- Store the user-data content in a variable by running the following command:

```sh
export encrypted_contract=$(cat "user-data.yaml")
```

- Create an `initdata.toml` file using the `encrypted_contract` generated in the earlier step. The contract is embedded as a TOML multi-line literal string (`'''...'''`), so it is stored verbatim without escape processing, and `algorithm` names the hash used to compute the initdata digest:

```sh
cat << EOF > initdata.toml
algorithm = "sha384"
version = "0.1.0"

[data]
"contract.yaml" = '''${encrypted_contract}'''
EOF
```

- Compress the `initdata.toml` file with gzip, Base64-encode the result as a single line, and store it in a variable for use as the initdata annotation by running the following command (`-w0` is the GNU coreutils option that suppresses line wrapping; if your `base64` lacks it, pipe through `tr -d '\n'` instead):

```sh
export initdata_annotation=$(cat "initdata.toml" | gzip | base64 -w0)
```

- Deploy the sample workload and verify the contract. For more information, see Verifying the contract.
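The whole procedure above as one runnable script, added here as an example and not taken from the IBM documentation. The artifact contents (`EXAMPLEWORKLOAD`, `EXAMPLESEHDR` and so on) are constructed placeholders standing in for the real encrypted output of the earlier steps; only the file names and the `initdata.toml` layout follow the procedure. Beyond the documented steps it adds what a Data Owner would want before handing the annotation over: a round trip that decodes the annotation, recovers `contract.yaml` from the TOML and compares it byte for byte with `user-data.yaml`, and the sha384 of the initdata bytes that the `algorithm` field declares. The helper names (`build_initdata`, `verify_roundtrip`, ...) are this example's own.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Builds user-data.yaml and
# initdata.toml, encodes the annotation, then decodes it again to prove the
# embedded contract is exactly what was written. Artifact contents are
# constructed placeholders; real values come from the earlier encryption steps.
set -eu

# Constructed stand-ins for the three Data Owner artifacts plus the boot section.
write_sample_artifacts() {
    dir=$1
    printf 'workload: hyper-protect-basic.EXAMPLEWORKLOADKEY.EXAMPLEWORKLOAD\n' > "$dir/encrypted-workload.yaml"
    printf 'env: hyper-protect-basic.EXAMPLEENVKEY.EXAMPLEENV\n' > "$dir/encrypted-env.yaml"
    printf 'EXAMPLESIGNATURE\n' > "$dir/envWorkloadSignature.txt"
    printf 'boot: |\n  sehdr: EXAMPLESEHDR\n' > "$dir/boot.yaml"
}

# Assemble user-data.yaml; "baremetal" appends the boot section, "peerpod" does not.
build_user_data() {
    dir=$1 deploy=$2
    {
        cat "$dir/encrypted-workload.yaml" "$dir/encrypted-env.yaml"
        printf 'envWorkloadSignature: %s\n' "$(cat "$dir/envWorkloadSignature.txt")"
        if [ "$deploy" = baremetal ]; then cat "$dir/boot.yaml"; fi
    } > "$dir/user-data.yaml"
}

# Top-level keys of user-data.yaml, space-separated (the indented sehdr line is not one).
contract_keys() {
    sed -n 's/^\([A-Za-z][A-Za-z]*\):.*/\1/p' "$1/user-data.yaml" | tr '\n' ' ' | sed 's/ $//'
}

# Wrap the contract in a TOML multi-line literal ('''...'''). Header via a quoted
# heredoc and contract via cat, so the shell never expands anything inside the
# contract (this example's choice; the doc expands ${encrypted_contract} in a heredoc).
build_initdata() {
    dir=$1 q="'''"
    {
        cat <<'EOF'
algorithm = "sha384"
version = "0.1.0"

[data]
EOF
        printf '"contract.yaml" = %s' "$q"
        cat "$dir/user-data.yaml"
        printf '%s\n' "$q"
    } > "$dir/initdata.toml"
}

# gzip, then Base64 on one line. -n drops gzip's name/timestamp header so equal
# initdata gives an equal annotation; tr -d '\n' is the portable form of base64 -w0.
encode_annotation() {
    gzip -n -c "$1/initdata.toml" | base64 | tr -d '\n'
}

# Reverse the encoding: annotation string in, initdata.toml bytes out.
decode_annotation() {
    printf '%s' "$1" | base64 -d | gzip -d -c
}

# Recover the body of the contract.yaml literal from an initdata file.
extract_contract() {
    awk -v q="'''" '
        !inblock && index($0, "\"contract.yaml\" = " q) == 1 {
            inblock = 1
            rest = substr($0, length("\"contract.yaml\" = " q) + 1)
            if (rest != "") print rest
            next
        }
        inblock && $0 == q { exit }
        inblock { print }
    ' "$1"
}

# sha384 over the initdata bytes, the hash the "algorithm" field declares.
initdata_digest() {
    if command -v sha384sum >/dev/null 2>&1; then sha384sum "$1/initdata.toml"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 384 "$1/initdata.toml"
    else openssl dgst -sha384 -r "$1/initdata.toml"; fi | cut -d' ' -f1
}

# The annotation must decode to the exact initdata.toml, and the contract pulled
# back out of it must equal user-data.yaml byte for byte.
verify_roundtrip() {
    dir=$1
    decode_annotation "$(encode_annotation "$dir")" > "$dir/decoded.toml"
    cmp -s "$dir/initdata.toml" "$dir/decoded.toml" || return 1
    extract_contract "$dir/decoded.toml" | cmp -s - "$dir/user-data.yaml"
}

main() {
    for deploy in baremetal peerpod; do
        d=$(mktemp -d)
        write_sample_artifacts "$d"
        build_user_data "$d" "$deploy"
        build_initdata "$d"
        if verify_roundtrip "$d"; then
            echo "$deploy: ok; keys: $(contract_keys "$d"); sha384: $(initdata_digest "$d")"
        else
            echo "$deploy: annotation did not round-trip" >&2; exit 1
        fi
        rm -rf "$d"
    done
}

main
```

Run it as `sh script.sh`; each deployment type prints its recovered top-level keys and the initdata digest. The round-trip check is the part worth keeping in a real pipeline: an annotation that was wrapped by `base64` without `-w0`, or whose heredoc mangled a character in the contract, fails here rather than at pod start, where the only symptom is a contract that does not validate.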