During the signing process of a pipeline:
- A run key is generated for every run of the pipeline.
- During the run, all artifacts (
pipeInfo.json) are signed with the private key.
- The private key is discarded at the end of the run.
- Metadata for the run that generated the artifact is stored as a tag for the artifact.
During the verification stage, a public key is used to verify the signature.
For each run, files containing comprehensive metadata (*.json) and corresponding signature files (*.json.sig) are uploaded to Artifactory. This provides a way to trace the entire path of a pipeline. Now any process that needs to verify can verify this in addition to cross-referencing the pipeInfo.
The Pipe-Info repository, like the Build-Info Repository, is a local repository that is created per Project and stores all the metadata for each pipeline.
Whenever Pipelines uploads a new build to Artifactory, its pipeinfo json files are automatically deployed to either the default artifactory-pipe-info repository or the <project_key>-pipe-info repository. Pipeline artifacts that do not belong to any Project are stored in the artifactory-pipe-info repository and pipeline artifacts that belong to specific Projects are stored in the <project_key>-pipe-info repository.
Viewing pipe-info Repository
To view the pipe-info repository, from the Application module, click Artifactory | Artifacts and then click the artifactory-pipe-info/<project_key>-pipe-info repository.
Artifactory automatically places the json files in the pipe-info repository using the following structure: [pipeline-name] → [branch] → [run-rumber] → [pipe-info files].
The JSON schema defines a pipeinfo object. The object is composed of three components, which summarizes a run:
head.json: Contains metadata about the pipeline, and the contents of the pipeline yaml file.
info.json: Contains metadata about the status of the run.
step.json: Contains metadata about the step.
.json file is stored with a corresponding
.json.sig signature file. To view the contents a json file, right-click the file and click View, as shown in the image above.
Using the artifactory-pipe-info repository
- The artifactory-pipe-info repository is automatically created and used by default. Removing it will cause all the pipe-info in the repository to be deleted and a new default pipe-info repository will be recreated.
- Only admins and Project admins can view and navigate this repository.
If you have existing cleanup policies, defined in Artifactory User Plugins, that deletes artifacts from your local repositories according to a policy, they will also affect the artifactory-pipe-info repository and should be updated accordingly. Exclude this repository from your cleanup policies to ensure that your pipe info files are not deleted.
When you have a successful build for a pipeline, the metadata for the artifacts and builds for that pipeline is displayed in the corresponding repository in Artifactory:
Go to Artifactory | Artifacts | <repo_name> | projects | <version>, navigate and click one of the files. This displays the Pipelines tab, which shows the metadata for the run that created the artifact.
The Pipelines tab appears only when you click a file.
Similarly, go to Artifactory | Builds | <build_name> | <build_id> and click the Pipelines tab. which shows metadata for the build.
pipeInfo.json file is generated for each run under the Project/Pipeline namespace. This file captures the metadata for a specific step of a pipeline, as well as a detailed Bill of Materials (BOM) for each run. The pipe-info includes information, such as name, version, type, status, timestamps, inputs, outputs, nodepools and more. This information is maintained in run state during execution. When the run completes, the json file is uploaded to the appropriate repository.
To view the
pipeinfo.json file, hover the mouse pointer over a pipeline and click the Show pipe info icon that appears. The contents of the
pipeinfo.json file is displayed in a json viewer.
Navigating to the Step
Hover the mouse pointer over a pipeline and click the Go to step icon that appears. This takes you to the step view of a specific run for that specific pipeline in My Pipelines.
Storing and Validating Signed Pipelines Data
Pipelines native steps automatically store information about the artifacts they build so that they can be used later as part of the signed pipelines validation.
The PowerShell version of these steps do not support the signed pipelines feature.
The following native steps can save artifact info:
The following native steps can validate the published artifacts:
It is also possible to create your own signed pipeline using only Bash steps. To accomplish this, use the following utility functions, which are available at execution time, to configure what needs to be tracked and validated.
If an artifact is saved in one Bash step, it can be validated in a later Bash step.