Replies: 1 comment 2 replies
@stealthybox this feels very similar to the discussions we had last week; this might be up your alley. There might be an obvious answer, but my question is how developers are meant to store and renew their certificates while working. Is there a good process for this? As we are using two git implementations, it might be good to look into whether libgit2 supports x509 signatures also.
Hello,
Currently Flux supports verification of PGP signatures on commits to ensure they come from authorized parties. Git also supports signatures from keys with x509 certificates which has many advantages over PGP for organizations. One example is to have the certificates have short lifetimes (often 1 day or less) so they expire regularly; then, when an individual leaves an organization, their ability to be a trusted committer is automatically revoked once their certificate expires. Similarly, this allows individuals to become trusted committers automatically when they join a team since their certificate will be issued by a certificate authority that Flux is already configured to trust without needing to update the configuration.
Proposal
- Add a `SignatureType` field to the `GitRepositoryVerification` struct with options of `pgp` or `x509`.
- For `pgp` it performs the same verifications it does now.
- For `x509`, the controller reads two keys from the secret: `roots` and `intermediates`. These keys are arrays of strings containing the respective PEM encoded x509 root and intermediate certificate authority certificates. These are then passed to the x509 verification function in `go-git` to validate the commit signatures.
- Bump the `GitRepository` CRD to `v1beta2` since there are new fields, but the default behavior is unchanged.
Dependencies / Blockers
`go-git` currently only supports PGP signatures. I'm working on a PR which will add support for S/MIME signature verification to the library to support signatures made with https://github.com/github/smimesign.