From 7e6e6119d3f853d0201059b610178d4439bea31c Mon Sep 17 00:00:00 2001 From: Jordan Carter Date: Thu, 27 Jun 2024 15:16:46 +1200 Subject: [PATCH 1/4] Update to go-pipeline v0.10.0 and add --debug-signing flag for logging step payloads before signing --- agent/agent_configuration.go | 1 + .../job_verification_integration_test.go | 2 +- agent/job_runner.go | 4 ++++ agent/run_job.go | 2 +- agent/verify_job.go | 8 ++++++-- clicommand/agent_start.go | 7 +++++++ clicommand/pipeline_upload.go | 12 +++++++++--- clicommand/tool_sign.go | 11 ++++++----- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 10 files changed, 47 insertions(+), 24 deletions(-) diff --git a/agent/agent_configuration.go b/agent/agent_configuration.go index 11a7f41e60..be3ca3fd35 100644 --- a/agent/agent_configuration.go +++ b/agent/agent_configuration.go @@ -39,6 +39,7 @@ type AgentConfiguration struct { SigningJWKSFile string // Where to find the key to sign pipeline uploads with (passed through to jobs, they might be uploading pipelines) SigningJWKSKeyID string // The key ID to sign pipeline uploads with + DebugSigning bool // Whether to print step payloads when signing them VerificationJWKS jwk.Set // The set of keys to verify jobs with VerificationFailureBehaviour string // What to do if job verification fails (one of `block` or `warn`) diff --git a/agent/integration/job_verification_integration_test.go b/agent/integration/job_verification_integration_test.go index 9220dab2ec..ca821c91fb 100644 --- a/agent/integration/job_verification_integration_test.go +++ b/agent/integration/job_verification_integration_test.go @@ -670,7 +670,7 @@ func signStep( return stepWithInvariants.CommandStep } - signature, err := signature.Sign(key, env, &stepWithInvariants) + signature, err := signature.Sign(key, &stepWithInvariants, signature.WithEnv(env)) if err != nil { t.Fatalf("signing step: %v", err) } diff --git a/agent/job_runner.go b/agent/job_runner.go index b69ddb4f4e..158757f675 100644 
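Review bot: The comment on the new `DebugSigning` field undersells what the flag does: besides being read when signing, the field is pushed into every job's environment as `BUILDKITE_AGENT_DEBUG_SIGNING` (agent/job_runner.go) and handed to `signature.Verify` (agent/verify_job.go), so its payload-dumping effect reaches build logs and the verification path, not just the signing step. Suggest `// Whether to log each step payload in full (including env) when signing or verifying it. Propagated to jobs via BUILDKITE_AGENT_DEBUG_SIGNING; may expose secrets in logs.` The `AgentConfiguration` struct starts and ends outside the hunk.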
--- a/agent/job_runner.go +++ b/agent/job_runner.go @@ -523,6 +523,10 @@ func (r *JobRunner) createEnvironment(ctx context.Context) ([]string, error) { env["BUILDKITE_AGENT_JWKS_KEY_ID"] = r.conf.AgentConfiguration.SigningJWKSKeyID } + if r.conf.AgentConfiguration.DebugSigning { + env["BUILDKITE_AGENT_DEBUG_SIGNING"] = "true" + } + enablePluginValidation := r.conf.AgentConfiguration.PluginValidation // Allow BUILDKITE_PLUGIN_VALIDATION to be enabled from env for easier // per-pipeline testing diff --git a/agent/run_job.go b/agent/run_job.go index bac637f1e2..e2a3288f8b 100644 --- a/agent/run_job.go +++ b/agent/run_job.go @@ -101,7 +101,7 @@ func (r *JobRunner) Run(ctx context.Context) error { if r.conf.JWKS != nil { ise := &invalidSignatureError{} - switch err := r.verifyJob(r.conf.JWKS); { + switch err := r.verifyJob(ctx, r.conf.JWKS); { case errors.Is(err, ErrNoSignature) || errors.As(err, &ise): r.verificationFailureLogs(r.VerificationFailureBehavior, err) if r.VerificationFailureBehavior == VerificationBehaviourBlock { diff --git a/agent/verify_job.go b/agent/verify_job.go index 308668b296..4c8c57cb46 100644 --- a/agent/verify_job.go +++ b/agent/verify_job.go @@ -2,6 +2,7 @@ package agent import ( "bytes" + "context" "encoding/json" "errors" "fmt" @@ -34,7 +35,7 @@ func (e *invalidSignatureError) Unwrap() error { return e.underlying } -func (r *JobRunner) verifyJob(keySet jwk.Set) error { +func (r *JobRunner) verifyJob(ctx context.Context, keySet jwk.Set) error { step := r.conf.Job.Step if step.Signature == nil { 
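Review bot: Setting `BUILDKITE_AGENT_DEBUG_SIGNING=true` here turns on payload dumping for every `pipeline upload` run by every job on this agent, and because the signed payload includes the pipeline-level env (`signature.WithEnv(result.Env.ToMap())` in clicommand/pipeline_upload.go) those values land in the build log, which has a wider audience than the agent log. A comment stating that consequence on the assignment would help operators, e.g. `// Propagated to jobs: every pipeline upload will log full step payloads (incl. pipeline env) to the build log.` The variable is only ever set, never cleared, so a job carrying `BUILDKITE_AGENT_DEBUG_SIGNING` in its own env enables the flag through the CLI's EnvVar regardless of the agent setting — presumably acceptable since the job author controls that content, but worth confirming it is intended. `createEnvironment` starts and ends outside the hunk.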
@@ -48,7 +49,10 @@ func (r *JobRunner) verifyJob(keySet jwk.Set) error { } // Verify the signature - if err := signature.Verify(step.Signature, r.conf.JWKS, r.conf.Job.Env, stepWithInvariants); err != nil { + if err := signature.Verify(ctx, step.Signature, r.conf.JWKS, stepWithInvariants, + signature.WithEnv(r.conf.Job.Env), + signature.WithLogger(r.agentLogger), + signature.WithDebugSigning(r.conf.AgentConfiguration.DebugSigning)); err != nil { r.agentLogger.Debug("verifyJob: step.Signature.Verify(Job.Env, stepWithInvariants, JWKS) = %v", err) return newInvalidSignatureError(ErrVerificationFailed) } diff --git a/clicommand/agent_start.go b/clicommand/agent_start.go index cae0274150..6434c80f13 100644 --- a/clicommand/agent_start.go +++ b/clicommand/agent_start.go @@ -84,6 +84,7 @@ type AgentStartConfig struct { SigningJWKSFile string `cli:"signing-jwks-file" normalize:"filepath"` SigningJWKSKeyID string `cli:"signing-jwks-key-id"` + DebugSigning bool `cli:"debug-signing"` VerificationJWKSFile string `cli:"verification-jwks-file" normalize:"filepath"` VerificationFailureBehavior string `cli:"verification-failure-behavior"` @@ -655,6 +656,11 @@ var AgentStartCommand = cli.Command{ Usage: "The JWKS key ID to use when signing the pipeline. If omitted, and the signing JWKS contains only one key, that key will be used.", EnvVar: "BUILDKITE_AGENT_SIGNING_JWKS_KEY_ID", }, + cli.BoolFlag{ + Name: "debug-signing", + Usage: "Enable debug logging for pipeline signing. This can potentially leak secrets to the logs as it prints each step in full before signing. Requires debug logging to be enabled", + EnvVar: "BUILDKITE_AGENT_DEBUG_SIGNING", + }, cli.StringFlag{ Name: "verification-failure-behavior", Value: agent.VerificationBehaviourBlock, @@ -961,6 +967,7 @@ var AgentStartCommand = cli.Command{ SigningJWKSFile: cfg.SigningJWKSFile, SigningJWKSKeyID: cfg.SigningJWKSKeyID, + DebugSigning: cfg.DebugSigning, VerificationJWKS: verificationJWKS, 
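Review bot: Every error from `signature.Verify`, including a context cancellation now that `ctx` is threaded through, is collapsed into `newInvalidSignatureError(ErrVerificationFailed)`, so a cancelled or timed-out job would be reported (and, with `verification-failure-behavior=warn`, presumably handled) as a bad signature rather than as cancellation. When `err` is non-nil, return context errors distinctly before wrapping, e.g. `if ctx.Err() != nil { return fmt.Errorf("verifying job signature: %w", ctx.Err()) }`, so the `errors.As(err, &ise)` branch in run_job.go only fires for genuine signature failures. The debug message on the following line still names the old call shape (`step.Signature.Verify(Job.Env, stepWithInvariants, JWKS)`); update it to `signature.Verify(...)`. The `keySet` parameter is still ignored in favour of `r.conf.JWKS`; since the signature is being changed anyway, passing `keySet` would make the function honest. `verifyJob` begins outside this hunk.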
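Review bot: The `--debug-signing` usage text says payloads are printed "before signing", but on the agent the same flag is also passed to `signature.Verify` together with `signature.WithEnv(r.conf.Job.Env)` (agent/verify_job.go), so when enabled it presumably logs each incoming job's step and env at verification time too, into the agent log. The help text should say so: `Usage: "Log each step payload in full (including env) when signing or verifying it. This can leak secrets into agent and build logs. Requires debug logging to be enabled."`. A one-time `l.Warn` at startup when `cfg.DebugSigning` is set would also make an accidentally persisted setting visible to operators. The flag list and the `AgentStartConfig` struct are cut at the hunk edges.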
diff --git a/clicommand/pipeline_upload.go b/clicommand/pipeline_upload.go index f35de48677..3f0af4d408 100644 --- a/clicommand/pipeline_upload.go +++ b/clicommand/pipeline_upload.go @@ -74,8 +74,9 @@ type PipelineUploadConfig struct { RejectSecrets bool `cli:"reject-secrets"` // Used for signing - JWKSFile string `cli:"jwks-file"` - JWKSKeyID string `cli:"jwks-key-id"` + JWKSFile string `cli:"jwks-file"` + JWKSKeyID string `cli:"jwks-key-id"` + DebugSigning bool `cli:"debug-signing"` // Global flags Debug bool `cli:"debug"` @@ -141,6 +142,11 @@ var PipelineUploadCommand = cli.Command{ Usage: "The JWKS key ID to use when signing the pipeline. Required when using a JWKS", EnvVar: "BUILDKITE_AGENT_JWKS_KEY_ID", }, + cli.BoolFlag{ + Name: "debug-signing", + Usage: "Enable debug logging for pipeline signing. This can potentially leak secrets to the logs as it prints each step in full before signing. Requires debug logging to be enabled", + EnvVar: "BUILDKITE_AGENT_DEBUG_SIGNING", + }, // API Flags AgentAccessTokenFlag, @@ -282,7 +288,7 @@ var PipelineUploadCommand = cli.Command{ return fmt.Errorf("couldn't read the signing key file: %w", err) } - if err := signature.SignPipeline(result, key, os.Getenv("BUILDKITE_REPO")); err != nil { + if err := signature.SignSteps(ctx, result.Steps, key, os.Getenv("BUILDKITE_REPO"), signature.WithEnv(result.Env.ToMap()), signature.WithLogger(l), signature.WithDebugSigning(cfg.DebugSigning)); err != nil { return fmt.Errorf("couldn't sign pipeline: %w", err) } } diff --git a/clicommand/tool_sign.go b/clicommand/tool_sign.go index 65c5755dee..fc33ef9a71 100644 --- a/clicommand/tool_sign.go +++ b/clicommand/tool_sign.go 
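Review bot: The help text promises that `--debug-signing` "requires debug logging to be enabled", but nothing in this hunk ties `cfg.DebugSigning` to `cfg.Debug`; the call passes `signature.WithDebugSigning(cfg.DebugSigning)` with the plain logger `l` and relies on the signature package (not visible here) to suppress output below debug level. Making the dependency explicit avoids a silent no-op and documents intent: `if cfg.DebugSigning && !cfg.Debug { l.Warn("--debug-signing has no effect without --debug") }` before the `SignSteps` call — adjust if the library in fact prints regardless of level. Since this command runs inside a job, "the logs" here means the build log; consider saying so in the usage text. The command action starts before and ends after the hunk.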
@@ -31,8 +31,9 @@ type ToolSignConfig struct { NoConfirm bool `cli:"no-confirm"` // Used for signing - JWKSFile string `cli:"jwks-file"` - JWKSKeyID string `cli:"jwks-key-id"` + JWKSFile string `cli:"jwks-file"` + JWKSKeyID string `cli:"jwks-key-id"` + DebugSigning bool `cli:"debug-signing"` // Needed for to use GraphQL API OrganizationSlug string `cli:"organization-slug"` @@ -196,7 +197,7 @@ func validateNoInterpolations(pipelineString string) error { return nil } -func signOffline(_ context.Context, c *cli.Context, l logger.Logger, key jwk.Key, cfg *ToolSignConfig) error { +func signOffline(ctx context.Context, c *cli.Context, l logger.Logger, key jwk.Key, cfg *ToolSignConfig) error { if cfg.Repository == "" { return ErrUseGraphQL } @@ -256,7 +257,7 @@ func signOffline(_ context.Context, c *cli.Context, l logger.Logger, key jwk.Key l.Debug("Pipeline parsed successfully:\n%v", parsedPipeline) } - if err := signature.SignPipeline(parsedPipeline, key, cfg.Repository); err != nil { + if err := signature.SignSteps(ctx, parsedPipeline.Steps, key, cfg.Repository, signature.WithEnv(parsedPipeline.Env.ToMap()), signature.WithLogger(l), signature.WithDebugSigning(cfg.DebugSigning)); err != nil { return fmt.Errorf("couldn't sign pipeline: %w", err) } @@ -311,7 +312,7 @@ func signWithGraphQL(ctx context.Context, c *cli.Context, l logger.Logger, key j debugL.Debug("Pipeline parsed successfully: %v", parsedPipeline) } - if err := signature.SignPipeline(parsedPipeline, key, resp.Pipeline.Repository.Url); err != nil { + if err := signature.SignSteps(ctx, parsedPipeline.Steps, key, resp.Pipeline.Repository.Url, signature.WithEnv(parsedPipeline.Env.ToMap()), signature.WithLogger(debugL), signature.WithDebugSigning(cfg.DebugSigning)); err != nil { return fmt.Errorf("couldn't sign pipeline: %w", err) } diff --git a/go.mod b/go.mod index d6a34d04c1..d47016e6cc 100644 --- a/go.mod +++ b/go.mod 
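Review bot: The two signing paths pass different loggers to `signature.WithLogger`: `signOffline` passes `l` while `signWithGraphQL` passes `debugL`. If `debugL` is a logger with debug output forced on (its `debugL.Debug("Pipeline parsed successfully…")` call suggests it exists so that output appears without `--debug`; its construction is not visible here), then `--debug-signing` on the GraphQL path would dump payloads without `--debug`, contradicting the flag's "Requires debug logging to be enabled" text, while the offline path would honour it. Use the same logger in both calls, or add a comment explaining why they differ. Both functions start before the hunks shown.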
@@ -14,7 +14,7 @@ require ( github.com/aws/aws-sdk-go v1.54.0 github.com/brunoscheufler/aws-ecs-metadata-go v0.0.0-20220812150832-b6b31c6eeeaf github.com/buildkite/bintest/v3 v3.2.0 - github.com/buildkite/go-pipeline v0.9.0 + github.com/buildkite/go-pipeline v0.10.0 github.com/buildkite/interpolate v0.1.2 github.com/buildkite/roko v1.2.0 github.com/buildkite/shellwords v0.0.0-20180315084142-c3f497d1e000 @@ -28,7 +28,7 @@ require ( github.com/google/go-cmp v0.6.0 github.com/google/go-querystring v1.1.0 github.com/gowebpki/jcs v1.0.1 - github.com/lestrrat-go/jwx/v2 v2.0.21 + github.com/lestrrat-go/jwx/v2 v2.1.0 github.com/mattn/go-zglob v0.0.4 github.com/mitchellh/go-homedir v1.1.0 github.com/oleiade/reflections v1.0.1 @@ -79,12 +79,12 @@ require ( github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect - github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect + github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect github.com/ebitengine/purego v0.6.0-alpha.5 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/go-logr/logr v1.4.1 // indirect github.com/go-logr/stdr v1.2.2 // indirect - github.com/goccy/go-json v0.10.2 // indirect + github.com/goccy/go-json v0.10.3 // indirect github.com/golang-jwt/jwt/v5 v5.2.1 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect diff --git a/go.sum b/go.sum index b96cb13584..8d1bd5306c 100644 --- a/go.sum +++ b/go.sum 
@@ -62,8 +62,8 @@ github.com/brunoscheufler/aws-ecs-metadata-go v0.0.0-20220812150832-b6b31c6eeeaf github.com/brunoscheufler/aws-ecs-metadata-go v0.0.0-20220812150832-b6b31c6eeeaf/go.mod h1:CeKhh8xSs3WZAc50xABMxu+FlfAAd5PNumo7NfOv7EE= github.com/buildkite/bintest/v3 v3.2.0 h1:1GqUILGGni5UViGPH/PbSq0MxB9gzY3J/P7vNVqCkX4= github.com/buildkite/bintest/v3 v3.2.0/go.mod h1:+AdQZcVlzCiW2UyZWeG63xeH5z011XUBW6kWcRdaMtU= -github.com/buildkite/go-pipeline v0.9.0 h1:2a2bibJ9dCCyyNReH73jkQVUYyUnhYAxISyf3+mrQNs= -github.com/buildkite/go-pipeline v0.9.0/go.mod h1:4aqMzJ3iagc0wcI5h8NQpON9xfyq27QGDi4xfnKiCUs= +github.com/buildkite/go-pipeline v0.10.0 h1:EDffu+LfMY2k5u+iEdo6Jn3obGKsrL5wicc1O/yFeRs= +github.com/buildkite/go-pipeline v0.10.0/go.mod h1:eMH1kiav5VeiTiu0Mk2/M7nZhKyFeL4iGj7Y7rj4f3w= github.com/buildkite/interpolate v0.1.2 h1:mVbMCphpu2MHUr1qLdjq9xc3NjNWYg/w/CbrGS5ckzg= github.com/buildkite/interpolate v0.1.2/go.mod h1:UNVe6A+UfiBNKbhAySrBbZFZFxQ+DXr9nWen6WVt/A8= github.com/buildkite/roko v1.2.0 h1:hbNURz//dQqNl6Eo9awjQOVOZwSDJ8VEbBDxSfT9rGQ= 
@@ -86,8 +86,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs= -github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 h1:rpfIENRNNilwHwZeG5+P150SMrnNEcHYvcCuK6dPZSg= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= github.com/denisbrodbeck/machineid v1.0.1 h1:geKr9qtkB876mXguW2X6TU4ZynleN6ezuMSRhl4D7AQ= github.com/denisbrodbeck/machineid v1.0.1/go.mod h1:dJUwb7PTidGDeYyUBmXZ2GphQBbjJCrnectwCyxcUSI= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA= 
@@ -118,8 +118,8 @@ github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= -github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU= -github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= +github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA= +github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M= github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw= github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= @@ -196,8 +196,8 @@ github.com/lestrrat-go/httprc v1.0.5 h1:bsTfiH8xaKOJPrg1R+E3iE/AWZr/x0Phj9PBTG/O github.com/lestrrat-go/httprc v1.0.5/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo= github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI= github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4= -github.com/lestrrat-go/jwx/v2 v2.0.21 h1:jAPKupy4uHgrHFEdjVjNkUgoBKtVDgrQPB/h55FHrR0= -github.com/lestrrat-go/jwx/v2 v2.0.21/go.mod h1:09mLW8zto6bWL9GbwnqAli+ArLf+5M33QLQPDggkUWM= +github.com/lestrrat-go/jwx/v2 v2.1.0 h1:0zs7Ya6+39qoit7gwAf+cYm1zzgS3fceIdo7RmQ5lkw= +github.com/lestrrat-go/jwx/v2 v2.1.0/go.mod h1:Xpw9QIaUGiIUD1Wx0NcY1sIHwFf8lDuZn/cmxtXYRys= github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU= github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= github.com/mattn/go-zglob v0.0.4 h1:LQi2iOm0/fGgu80AioIJ/1j9w9Oh+9DZ39J4VAGzHQM= From 9a8bb091e6d0d01c4144200886761dea390112c3 Mon Sep 17 00:00:00 2001 
From: Jordan Carter Date: Thu, 27 Jun 2024 16:17:29 +1200 Subject: [PATCH 2/4] Add debug-signing flag to tool-sign --- clicommand/tool_sign.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/clicommand/tool_sign.go b/clicommand/tool_sign.go index fc33ef9a71..8ac4e06328 100644 --- a/clicommand/tool_sign.go +++ b/clicommand/tool_sign.go @@ -126,6 +126,11 @@ Signing a pipeline from a file: Usage: "The JWKS key ID to use when signing the pipeline. If none is provided and the JWKS file contains only one key, that key will be used.", EnvVar: "BUILDKITE_AGENT_JWKS_KEY_ID", }, + cli.BoolFlag{ + Name: "debug-signing", + Usage: "Enable debug logging for pipeline signing. This can potentially leak secrets to the logs as it prints each step in full before signing. Requires debug logging to be enabled", + EnvVar: "BUILDKITE_AGENT_DEBUG_SIGNING", + }, // These are required for GraphQL cli.StringFlag{ From b5a93b5e021cd1ca0ab388fb4858b4dc2685c35a Mon Sep 17 00:00:00 2001 From: Jordan Carter Date: Thu, 27 Jun 2024 16:22:20 +1200 Subject: [PATCH 3/4] Split args over multiple lines --- agent/verify_job.go | 9 +++++++-- clicommand/pipeline_upload.go | 11 ++++++++++- clicommand/tool_sign.go | 11 ++++++++++- 3 files changed, 27 insertions(+), 4 deletions(-) diff --git a/agent/verify_job.go b/agent/verify_job.go index 4c8c57cb46..ab76e39396 100644 --- a/agent/verify_job.go +++ b/agent/verify_job.go 
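Review bot: This is the third verbatim copy of the `debug-signing` flag (agent_start.go and pipeline_upload.go carry the same Name, Usage and EnvVar), so the three help texts will drift independently. The package already shares flags through package-level vars such as `AgentAccessTokenFlag`; define `DebugSigningFlag = cli.BoolFlag{Name: "debug-signing", Usage: …, EnvVar: "BUILDKITE_AGENT_DEBUG_SIGNING"}` once and reference it from all three commands. The flag list continues outside the hunk.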
@@ -49,10 +49,15 @@ func (r *JobRunner) verifyJob(ctx context.Context, keySet jwk.Set) error { } // Verify the signature - if err := signature.Verify(ctx, step.Signature, r.conf.JWKS, stepWithInvariants, + err := signature.Verify( + ctx, + step.Signature, + r.conf.JWKS, stepWithInvariants, signature.WithEnv(r.conf.Job.Env), signature.WithLogger(r.agentLogger), - signature.WithDebugSigning(r.conf.AgentConfiguration.DebugSigning)); err != nil { + signature.WithDebugSigning(r.conf.AgentConfiguration.DebugSigning), + ) + if err != nil { r.agentLogger.Debug("verifyJob: step.Signature.Verify(Job.Env, stepWithInvariants, JWKS) = %v", err) return newInvalidSignatureError(ErrVerificationFailed) } diff --git a/clicommand/pipeline_upload.go b/clicommand/pipeline_upload.go index 3f0af4d408..1afe18e4ca 100644 --- a/clicommand/pipeline_upload.go +++ b/clicommand/pipeline_upload.go @@ -288,7 +288,16 @@ var PipelineUploadCommand = cli.Command{ return fmt.Errorf("couldn't read the signing key file: %w", err) } - if err := signature.SignSteps(ctx, result.Steps, key, os.Getenv("BUILDKITE_REPO"), signature.WithEnv(result.Env.ToMap()), signature.WithLogger(l), signature.WithDebugSigning(cfg.DebugSigning)); err != nil { + err := signature.SignSteps( + ctx, + result.Steps, + key, + os.Getenv("BUILDKITE_REPO"), + signature.WithEnv(result.Env.ToMap()), + signature.WithLogger(l), + signature.WithDebugSigning(cfg.DebugSigning), + ) + if err != nil { return fmt.Errorf("couldn't sign pipeline: %w", err) } } diff --git a/clicommand/tool_sign.go b/clicommand/tool_sign.go index 8ac4e06328..166b208812 100644 --- a/clicommand/tool_sign.go +++ b/clicommand/tool_sign.go 
@@ -262,7 +262,16 @@ func signOffline(ctx context.Context, c *cli.Context, l logger.Logger, key jwk.K l.Debug("Pipeline parsed successfully:\n%v", parsedPipeline) } - if err := signature.SignSteps(ctx, parsedPipeline.Steps, key, cfg.Repository, signature.WithEnv(parsedPipeline.Env.ToMap()), signature.WithLogger(l), signature.WithDebugSigning(cfg.DebugSigning)); err != nil { + err := signature.SignSteps( + ctx, + parsedPipeline.Steps, + key, + cfg.Repository, + signature.WithEnv(parsedPipeline.Env.ToMap()), + signature.WithLogger(l), + signature.WithDebugSigning(cfg.DebugSigning), + ) + if err != nil { return fmt.Errorf("couldn't sign pipeline: %w", err) } From f1b8d85dabc766699c099d3888fa9c07e7172d03 Mon Sep 17 00:00:00 2001 From: Jordan Carter Date: Thu, 27 Jun 2024 17:16:39 +1200 Subject: [PATCH 4/4] Update tests --- agent/integration/job_verification_integration_test.go | 5 +++-- clicommand/pipeline_upload.go | 2 +- clicommand/tool_sign.go | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/agent/integration/job_verification_integration_test.go b/agent/integration/job_verification_integration_test.go index ca821c91fb..2616c44f03 100644 --- a/agent/integration/job_verification_integration_test.go +++ b/agent/integration/job_verification_integration_test.go @@ -568,7 +568,7 @@ func TestJobVerification(t *testing.T) { RepositoryURL: tc.repositoryURL, } - tc.job.Step = signStep(t, tc.signingKey, pipelineUploadEnv, stepWithInvariants) + tc.job.Step = signStep(t, ctx, tc.signingKey, pipelineUploadEnv, stepWithInvariants) err := runJob(t, ctx, testRunJobConfig{ job: &tc.job, server: server, @@ -659,6 +659,7 @@ func jwksFromKeys(t *testing.T, jwkes ...jwk.Key) jwk.Set { func signStep( t *testing.T, + ctx context.Context, key jwk.Key, env map[string]string, stepWithInvariants signature.CommandStepWithInvariants, 
@@ -670,7 +671,7 @@ func signStep( return stepWithInvariants.CommandStep } - signature, err := signature.Sign(key, &stepWithInvariants, signature.WithEnv(env)) + signature, err := signature.Sign(ctx, key, &stepWithInvariants, signature.WithEnv(env)) if err != nil { t.Fatalf("signing step: %v", err) } diff --git a/clicommand/pipeline_upload.go b/clicommand/pipeline_upload.go index 1afe18e4ca..ed19bd6f7c 100644 --- a/clicommand/pipeline_upload.go +++ b/clicommand/pipeline_upload.go @@ -288,7 +288,7 @@ var PipelineUploadCommand = cli.Command{ return fmt.Errorf("couldn't read the signing key file: %w", err) } - err := signature.SignSteps( + err = signature.SignSteps( ctx, result.Steps, key, diff --git a/clicommand/tool_sign.go b/clicommand/tool_sign.go index 166b208812..10b8407a8f 100644 --- a/clicommand/tool_sign.go +++ b/clicommand/tool_sign.go @@ -262,7 +262,7 @@ func signOffline(ctx context.Context, c *cli.Context, l logger.Logger, key jwk.K l.Debug("Pipeline parsed successfully:\n%v", parsedPipeline) } - err := signature.SignSteps( + err = signature.SignSteps( ctx, parsedPipeline.Steps, key,