Add support for signature verification predicates #285
Conversation
IainSteers
force-pushed
the
isteers/signature-predicates
branch
3 times, most recently
from
9ad431e to
a5a6357
Compare
There was a problem hiding this comment.
I'm interested to see how these predicates end up being used. I can see uses as disapproval conditions and in combination with other conditions, but I'm curious if they will be used on their own. Maybe commit signatures could replace the forgeable (without additional pre-receive hooks) author and committer checks to some extent?
README.md
Outdated
| # "has_valid_signatures_by" is satisfied if the commits in the pull request | ||
| # all have git commit signatures that have been verified by GitHub, and | ||
| # the authenticated signatures are attributed to a user in the users list | ||
| # or belong to any of the listed organizations or teams. |
There was a problem hiding this comment.
| # or belong to any of the listed organizations or teams. | |
| # or belong to a user in any of the listed organizations or teams. |
policy/predicate/signature.go
Outdated
| if !pred { | ||
| return true, "", nil | ||
| } |
There was a problem hiding this comment.
See my note above about what it means when this predicate is false. If we do keep the current implementation, let's do this check before getting the commits.
pull/context.go
Outdated
| type Signature interface { | ||
| GetEmail() string | ||
| GetIsValid() bool | ||
| GetPayload() string | ||
| GetSignature() string | ||
| GetSigner() string | ||
| GetState() string | ||
| GetSignedByGitHub() bool | ||
| } |
There was a problem hiding this comment.
I'm not sold on the use of an interface to represent the different signature types here, especially since the only difference is the addition of the ID field in the GPG case. It stands out in comparison to the rest of the pull.Context return types, which are all simple concrete structs.
Using a pointer to a concrete Signature in Commit also makes it clearer that the value may not be present.
What do you think about using a concrete type with an optional KeyID field and maybe a Type field (similar to the Type field on Reviewer, especially since you already defined a type type for use with GraphQL)? Since you already have functions to convert the GitHub API types into the pull.Context types, I don't think it would change the code much.
There was a problem hiding this comment.
That's fair. I mostly went with the interface out of habit rather than a particular need.
You're right it didn't change the code much and arguably given then types involved it feels neater now.
pull/github.go
Outdated
| const ( | ||
| SignatureGpg SignatureType = "GpgSignature" | ||
| SignatureSmime SignatureType = "SmimeSignature" | ||
| SignatureUnknown SignatureType = "UnknownSignature" |
There was a problem hiding this comment.
No, I thought it might be necessary at one point but forgot to remove it. Done
pull/context.go
Outdated
| type Signature struct { | ||
| Type SignatureType | ||
| Email string | ||
| IsValid bool | ||
| KeyID string | ||
| Payload string | ||
| Signature string | ||
| Signer string | ||
| State string | ||
| WasSignedByGitHub bool | ||
| } |
There was a problem hiding this comment.
Historically, I've tried to only expose fields that were actually used and then add additional fields as needed. It looks like WasSignedByGitHub, Email, Payload, Signature, and maybe others are not used. What do you think about removing those for now?
Co-authored-by: Andrew Svoboda <svoboda.andrew@gmail.com>
IainSteers
force-pushed
the
isteers/signature-predicates
branch
from
db40ddc to
46f36b5
Compare
IainSteers
force-pushed
the
isteers/signature-predicates
branch
from
46f36b5 to
4dee23c
Compare
This PR introduces support for policy-bot to verify the presence of git commit signatures in a pull request.
has_valid_signatures, this predicate should be used to test if commits are signed and their signatures valid.has_valid_signatures_by, commits are required to have valid signatures and additionally the signatures must be authenticated as one of the valid users/team/org members listed.has_valid_signatures_by_key, commits are required to have valid signatures and additionally the signatures must be attributed to one of the key_ids listed.