Jenkins / JENKINS-47524

Git verify-commit HEAD after checkout

      Description

I want to be able to configure Jenkins to run "git verify-commit HEAD" after checkout to ensure that the commit at the HEAD of master has been GPG signed. This allows the build server to ensure integrity of the repository, even if the repository host has been compromised.

Although current recommendations are to put "git verify-commit HEAD" in the build script as the first line after "checkout scm", this doesn't help with verifying that "Jenkinsfile" itself hasn't been tampered with, as commits on master are trusted by default. The only way to verify the commit before a pipeline starts using it would be for this plugin to add an additional behaviour to run "git verify-commit HEAD" before the pipeline starts. I'd imagine the implementation of the behaviour would be identical to "Git LFS pull after checkout", but with a different command.

I think for now it's reasonably okay to have to configure the GPG keyring on the Jenkins master, as I don't expect this feature will be used by a lot of people. But for us, it allows us to improve the security and integrity of our Git repositories, and ensure only code written and signed off by developers makes it through the normal build process.
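The post-checkout check the reporter describes, as an added example that is not part of this issue or of the git plugin's code. It is a POSIX shell script a build step could run right after "checkout scm": it reads git's own signature verdict for HEAD through the standard "git log" placeholders %G? (status code) and %GF (signing key fingerprint), and pins the signer to an allow-list of fingerprints, since "git verify-commit" alone passes for any key present in the keyring. The function names, the variable layout and the fingerprint values are assumptions made for the example; it does not address the Jenkinsfile-trust gap the description raises, which needs the plugin-level hook the reporter asks for.

```shell
#!/bin/sh
# Added example, not code from JENKINS-47524 or the git plugin.
# Fingerprints used anywhere below are constructed placeholders.

# classify_signature STATUS FINGERPRINT ALLOWED_FINGERPRINTS
# STATUS is git's %G? code: G = good, U = good but key validity unknown,
# X = good but expired signature, Y = good but expired key, R = good but
# revoked key, E = cannot be checked (key missing), B = bad, N = unsigned.
# ALLOWED_FINGERPRINTS is a space-separated list of full key fingerprints.
# Returns 0 when HEAD is acceptable, 1 otherwise.
classify_signature() {
  status="$1"; fpr="$2"; allowed="$3"
  case "$status" in
    # U is accepted because trust comes from the fingerprint allow-list
    # below, not from the gpg trust database on the build host.
    G|U) ;;
    *) echo "HEAD signature status '$status' is not acceptable" >&2; return 1 ;;
  esac
  for f in $allowed; do
    [ "$f" = "$fpr" ] && return 0
  done
  echo "HEAD signed by '$fpr', which is not an allowed key" >&2
  return 1
}

# verify_head REPO_DIR ALLOWED_FINGERPRINTS
# Runs the check against a working copy. Returns 0 on pass, 1 on an
# unsigned, invalid or untrusted signature, 2 if git cannot read HEAD
# (not a repository, git missing, ...), so callers can tell the cases apart.
verify_head() {
  repo="$1"; allowed="$2"
  status=$(git -C "$repo" log -1 --format='%G?' HEAD 2>/dev/null) || return 2
  fpr=$(git -C "$repo" log -1 --format='%GF' HEAD 2>/dev/null) || return 2
  classify_signature "$status" "$fpr" "$allowed"
}

# Usage from a Jenkins "sh" step placed directly after "checkout scm";
# the fingerprint is a constructed placeholder, not a real key:
# verify_head "$WORKSPACE" "0000000000000000000000000000000000000000" || exit 1
```

Because git reports the verdict in a machine-readable form, the script can refuse expired, revoked and unknown-key cases that a plain "git verify-commit" exit status would also refuse, and additionally refuse a valid signature from a key that is merely present in the keyring but not on the allow-list.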

Activity
Mark Waite (markewaite) added a comment - edited

This seems like a very good case for a separate plugin which uses the facilities of the git plugin to provide this extra feature. I expect it will be less invasive than git lfs.

For example, it should be possible to create a plugin which implements GitSCMExtension.beforeCheckout or GitSCMExtension.onCheckoutCompleted.

A separate plugin avoids increasing the footprint of the git plugin and avoids one more narrow, very specific use case supported inside the git plugin.


People

Assignee: Unassigned
Reporter: June Rhodes (hachque)