fix: fix enclave key volume binding from host

PierreJeanjacquot · PierreJeanjacquot · commit 2736bfca822c · 2025-08-20T15:22:47.000+02:00
diff --git a/.github/workflows/reusable-api-deploy.yml b/.github/workflows/reusable-api-deploy.yml
@@ -85,7 +85,7 @@ jobs:
 
       - name: Prepare .env for Compose
         run: |
-          printf "IMAGE_NAME=%s\nIMAGE_TAG=%s\nLOG_LEVEL=%s\n" "${{ env.IMAGE_NAME }}" "${{ inputs.tag }}" "${{ inputs.logLevel }}" > .env
+          printf "IMAGE_NAME=%s\nIMAGE_TAG=%s\nENCLAVE_KEY_PATH=/opt/iapp-api/sig/enclave-key.pem\nLOG_LEVEL=%s\n" "${{ env.IMAGE_NAME }}" "${{ inputs.tag }}" "${{ inputs.logLevel }}" > .env
         shell: bash
 
       - name: Copy files to remote server
diff --git a/api/docker-compose.yml b/api/docker-compose.yml
@@ -9,10 +9,10 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
       # .env.app already on the server
       - ./.env.app:/app/.env:ro
-      # enclave key already on the server in sig/enclave-key.pem
-      - ./sig/:/app/sig/:ro
     environment:
       - LOG_LEVEL=${LOG_LEVEL:-info}
+      # enclave key already on the server in sig/enclave-key.pem
+      - ENCLAVE_KEY_PATH=${ENCLAVE_KEY_PATH}
     healthcheck:
       test: ['CMD', 'curl', '-f', 'http://localhost:3000/health']
       interval: 30s
diff --git a/api/src/singleFunction/sconifyImage.ts b/api/src/singleFunction/sconifyImage.ts
@@ -1,5 +1,5 @@
 import { join } from 'node:path';
-import { access, constants } from 'node:fs/promises';
+
 import Docker from 'dockerode';
 import { SCONIFY_IMAGE_NAME } from '../constants/constants.js';
 import { logger } from '../utils/logger.js';
@@ -10,7 +10,8 @@ import { removeContainer } from './removeContainer.js';
 
 const docker = new Docker();
 
-const ENCLAVE_KEY_PATH = join(process.cwd(), 'sig/enclave-key.pem');
+const ENCLAVE_KEY_PATH =
+  process.env.ENCLAVE_KEY_PATH || join(process.cwd(), 'sig/enclave-key.pem');
 
 /**
  * Sconifies an iapp docker image
@@ -47,19 +48,6 @@ export async function sconifyImage({
   logger.info({ sconifierImage }, 'Pulling sconifier image...');
   await pullSconeImage(sconifierImage);
 
-  if (prod) {
-    // check signing key can be read on host
-    try {
-      await access(ENCLAVE_KEY_PATH, constants.R_OK);
-    } catch (error) {
-      logger.error(
-        { error, path: ENCLAVE_KEY_PATH },
-        'Cannot read enclave key from host'
-      );
-      throw new Error('Cannot read enclave key from host');
-    }
-  }
-
   const toImage = `${fromImage}-tmp-sconified-${Date.now()}`; // create an unique temporary identifier for the target image
   logger.info({ fromImage, toImage }, 'Sconifying...');
 
@@ -87,7 +75,7 @@ export async function sconifyImage({
       : sconifyBaseCmd,
     HostConfig: {
       Binds: prod
-        ? baseBinds.concat(`${ENCLAVE_KEY_PATH}:/sig/enclave-key.pem:ro`) // mount signing key
+        ? baseBinds.concat(`${ENCLAVE_KEY_PATH}:/sig/enclave-key.pem:ro`) // mount signing key from host
         : baseBinds,
     },
   });
