Signing Process
During the signing process of a pipeline:
- A run key is generated for every run of the pipeline.
- During the run, all artifacts (
pipeInfo.json) are signed with the private key. - The private key is discarded at the end of the run.
- Metadata for the run that generated the artifact is stored as a tag for the artifact.
During the verification stage, a public key is used to verify the signature.
For each run, files containing comprehensive metadata (*.json) and corresponding signature files (*.json.sig) are uploaded to Artifactory. This provides a way to trace the entire path of a pipeline. Now any process that needs to verify can verify this in addition to cross-referencing the pipeInfo.
Pipe-Info Repository
The Pipe-Info repository, like the Build-Info Repository, is a local repository that is created per Project and stores all the metadata for each pipeline.
Whenever Pipelines uploads a new build to Artifactory, its pipeinfo json files are automatically deployed to either the default artifactory-pipe-info repository or the <project_key>-pipe-info repository. Pipeline artifacts that do not belong to any Project are stored in the artifactory-pipe-info repository and pipeline artifacts that belong to specific Projects are stored in the <project_key>-pipe-info repository.
Viewing pipe-info Repository
To view the pipe-info repository, from the Application module, click Artifactory | Artifacts and then click the artifactory-pipe-info repository.
Artifactory automatically places the json files in the pipe-info repository using the following structure: [pipeline-name] → [branch] → [run-rumber] → [pipe-info files].
The JSON schema defines a pipeinfo object. The object is composed of three components, which summarizes a run:
head.json: Contains metadata about the pipeline, and the contents of the pipeline yaml file.info.json: Contains metadata about the status of the run.step.json: Contains metadata about the step.
Each .json file is stored with a corresponding .json.sig signature file. To view the contents of a json file, right-click the file and click View, as shown in the image above.
Using the artifactory-pipe-info repository
- The
artifactory-pipe-inforepository is automatically created and used by default. Removing it will cause all the pipe-info in the repository to be deleted and a new default pipe-info repository will be recreated. - Only admins and Project admins can view and navigate to this repository.
Cleanup Policies
If you have existing cleanup policies defined in Artifactory User Plugins, which delete artifacts from your local repositories according to a policy, they will also affect the artifactory-pipe-info repository and should be updated accordingly. Exclude this repository from your cleanup policies to ensure that your pipe info files are not deleted.
Viewing Metadata
When you have a successful build for a pipeline, the metadata for the artifacts and builds for that pipeline is displayed in the corresponding repository in Artifactory.
Go to Artifactory | Artifacts | <repo_name> | projects | <version>, navigate and click one of the files. This displays the Pipelines tab, which shows the metadata for the run that created the artifact.
The Pipelines tab appears only when you click a file.
Similarly, go to Artifactory | Builds | <build_name> | <build_id> and click the Pipelines tab, which shows metadata for the build.
Viewing pipeinfo.json
A pipeInfo.json file is generated for each run under the Project/Pipeline namespace. This file captures the metadata for a specific step of a pipeline, as well as a detailed Bill of Materials (BOM) for each run. The pipe-info includes information, such as name, version, type, status, timestamps, inputs, outputs, nodepools and more. This information is maintained in the run state during execution. When the run completes, the json file is uploaded to the appropriate repository.
To view the pipeinfo.json file, go the run page, click the action button on the upper left corner and click Pipe Info. The contents of the pipeinfo.json file is displayed in a json viewer.
Storing and Validating Signed Pipelines Data
Native Steps
Pipelines native steps automatically store information about the artifacts they build so that they can be used later as part of the signed pipelines validation.
The PowerShell version of these steps do not support the signed pipelines feature.
The following native steps can save artifact info:
The following native steps can validate the published artifacts:
Generic Steps
It is also possible to create your own signed pipeline using only Bash steps. To accomplish this, use the following utility functions, which are available at execution time, to configure what needs to be tracked and validated.
If an artifact is saved in one Bash step, it can be validated in a later Bash step.
Example YAML
resources:
- name: signed_git
type: GitRepo
configuration:
scmProvider: bbs
path: ~test/myapp
branches:
include: ^master$
- name: signed_buildinfo
type: BuildInfo
configuration:
sourceArtifactory: my_art
pipelines:
- name: test_signed_start
steps:
- name: create_info
type: Bash
configuration:
inputResources:
- name: signed_git
integrations:
- name: my_art
outputResources:
- name: signed_buildinfo
execution:
onExecute:
- cd $res_signed_git_resourcePath
- jfrog rt upload server.js
- jfrog rt build-collect-environment
- jfrog rt build-publish --detailed-summary $JFROG_CLI_BUILD_NAME $JFROG_CLI_BUILD_NUMBER > summaryOutput.json
- save_artifact_info buildInfo summaryOutput.json --build-name=$JFROG_CLI_BUILD_NAME --build-number=$JFROG_CLI_BUILD_NUMBER
- name: test_signed_stop
steps:
- name: validate_info
type: Bash
configuration:
inputResources:
- name: signed_buildinfo
execution:
onExecute:
- response=$(validate_artifact buildInfo --build-name ${res_signed_buildinfo_buildName} --build-number ${res_signed_buildinfo_buildNumber})
- validateResult=$(echo "$response" | jq '.result')
- if [ "$validateResult" != "true" ]; then echo "failed validation" && exit 1; fi
