Cloud customer?
Start for Free >
Upgrade in MyJFrog >
What's New in Cloud >

Search





Overview

The signed pipelines feature is a verification system that determines which pipelines/steps generated a specific artifact. It provides users with a way to ensure that their artifacts have not been tampered with before these artifacts are promoted through the CI/CD workflow. The signing process creates trust, and provides a way to validate the immutability of the artifacts and the authenticity of packages. This means, if the authenticity of artifacts cannot be verified, they can be blocked.

In addition, the signed pipelines feature builds comprehensive metadata, called pipeinfo. This provides complete visibility and audit for each step and run, which can be viewed in the UI. 

  • The signed pipelines feature is available with Enterprise+ license only.
  • As of this release, the signed pipelines feature is available for buildinfo and Go binaries only.
  • The signed pipelines feature is enabled by default. To disable this feature, in the Core Services Configurations section in the Pipelines System YAML, set the signedPipelinesEnabled tag as false.

Page Contents


Signing Process

During the signing process of a pipeline:

  • A run key is generated for every run of the pipeline.
  • During the run, all artifacts (pipeInfo.json) are signed with the private key.
  • The private key is discarded at the end of the run.
  • Metadata for the run that generated the artifact is stored as a tag for the artifact.
  • During the verification stage, a public key is used to verify the signature.

For each run, files containing comprehensive metadata (*.json) and corresponding signature files (*.json.sig) are uploaded to Artifactory. This provides a way to trace the entire path of a pipeline. Now any process that needs to verify can verify this in addition to cross-referencing the pipeInfo.


Pipe-Info Repository

The Pipe-Info repository, like the Build-Info Repository, is a local repository that is created per Project and stores all the metadata for each pipeline.

Whenever Pipelines uploads a new build to Artifactory, its pipeinfo json files are automatically deployed to either the default artifactory-pipe-info repository or the <project_key>-pipe-info repository. Pipeline artifacts that do not belong to any Project are stored in the artifactory-pipe-info repository and pipeline artifacts that belong to specific Projects are stored in the <project_key>-pipe-info repository.

Viewing pipe-info Repository

To view the pipe-info repository, from the Application module, click Artifactory | Artifacts and then click the artifactory-pipe-info/<project_key>-pipe-info repository.

Artifactory automatically places the json files in the pipe-info repository using the following structure: [pipeline-name] → [branch] → [run-rumber] → [pipe-info files].

The JSON schema defines a pipeinfo object. The object is composed of three components, which summarizes a run:

  • head.json: Contains metadata about the pipeline, and the contents of the pipeline yaml file.
  • info.json: Contains metadata about the status of the run.
  • step.json: Contains metadata about the step.

Each .json file is stored with a corresponding .json.sig signature file. To view the contents a json file, right-click the file and click View, as shown in the image above.

Using the artifactory-pipe-info repository

  • The artifactory-pipe-info repository is automatically created and used by default. Removing it will cause all the pipe-info in the repository to be deleted and a new default pipe-info repository will be recreated.
  • Only admins and Project admins can view and navigate this repository.

Cleanup Policies

If you have existing cleanup policies, defined in Artifactory User Plugins, that deletes artifacts from your local repositories according to a policy, they will also affect the artifactory-pipe-info repository and should be updated accordingly. Exclude this repository from your cleanup policies to ensure that your pipe info files are not deleted.


Viewing Metadata

When you have a successful build for a pipeline, the metadata for the artifacts and builds for that pipeline is displayed in the corresponding repository in Artifactory:

Go to Artifactory | Artifacts | <repo_name> | projects | <version>, navigate and click one of the files. This displays the Pipelines tab, which shows the metadata for the run that created the artifact.

The Pipelines tab appears only when you click a file.

Similarly, go to Artifactory | Builds | <build_name> | <build_id> and click the Pipelines tab. which shows metadata for the build.

Viewing pipeinfo.json

A pipeInfo.json file is generated for each run under the Project/Pipeline namespace. This file captures the metadata for a specific step of a pipeline, as well as a detailed Bill of Materials (BOM) for each run. The pipe-info includes information, such as name, version, type, status, timestamps, inputs, outputs, nodepools and more. This information is maintained in run state during execution. When the run completes, the json file is uploaded to the appropriate repository. 

To view the pipeinfo.json file, hover the mouse pointer over a pipeline and click the Show pipe info icon that appears. The contents of the pipeinfo.json file is displayed in a json viewer.

Navigating to the Step

Hover the mouse pointer over a pipeline and click the Go to step icon that appears. This takes you to the step view of a specific run for that specific pipeline in My Pipelines.


Storing and Validating Signed Pipelines Data

Native Steps

Pipelines native steps automatically store information about the artifacts they build so that they can be used later as part of the signed pipelines validation. 

The PowerShell version of these steps do not support the signed pipelines feature.

The following native steps can save artifact info:

The following native steps can validate the published artifacts:

Generic Steps

It is also possible to create your own signed pipeline using only Bash steps.  To accomplish this, use the following utility functions, which are available at execution time, to configure what needs to be tracked and validated.

If an artifact is saved in one Bash step, it can be validated in a later Bash step.

Example YAML

Signed Pipelines for Bash
resources:
  - name: signed_git
    type: GitRepo
    configuration:
      scmProvider: bbs
      path: ~test/myapp
      branches:
        include: ^master$
  - name: signed_buildinfo
    type: BuildInfo
    configuration:
      sourceArtifactory: my_art

pipelines:
  - name: test_signed_start
    steps:
      - name: create_info
        type: Bash
        configuration:
          inputResources:
            - name: signed_git
          integrations:
            - name: my_art
          outputResources:
            - name: signed_buildinfo
        execution:
          onExecute:
            - cd $res_signed_git_resourcePath 
            - jfrog rt upload server.js 
            - jfrog rt build-collect-environment
            - jfrog rt build-publish --detailed-summary $JFROG_CLI_BUILD_NAME $JFROG_CLI_BUILD_NUMBER > summaryOutput.json
            - save_artifact_info buildInfo summaryOutput.json --build-name=$JFROG_CLI_BUILD_NAME --build-number=$JFROG_CLI_BUILD_NUMBER

  - name: test_signed_stop
    steps:
      - name: validate_info
        type: Bash
        configuration:
          inputResources:
            - name: signed_buildinfo
        execution:
          onExecute:
            - response=$(validate_artifact buildInfo --build-name ${res_signed_buildinfo_buildName} --build-number ${res_signed_buildinfo_buildNumber})
            - validateResult=$(echo "$response" | jq '.result')
            - if [ "$validateResult" != "true" ]; then echo "failed validation" && exit 1; fi


  • No labels
Copyright © 2021 JFrog Ltd.