Support ignoring env vars in job signatures
Description
In some cases, when using signed pipelines, the values of some environment variables can't necessarily be controlled by the user to the degree that steps will always pass verification -- for example, successive pipeline uploads can change build-level environment such that steps will fail to verify.
To allow users to still use pipeline signing in these situations, we've added a pair of flags to the agent: `--signing-ignored-env-vars` and `--verification-ignored-env-vars`. As their names imply, they remove environment variables from the step payloads that we sign and verify.
This means that if we knew that environment variables called `MOUNTAIN` and `RIVER` were going to change between signing and verification, we could start the signing agents with `--signing-ignored-env-vars="MOUNTAIN,RIVER"` and the verifying agents with `--verification-ignored-env-vars="MOUNTAIN,RIVER"`.
Setting these flags reduces the integrity of the signature, and thus weakens the security guarantees that signed pipelines provide. As such, when in use, signing pipelines with ignored env vars will always emit a warning. The intent is that the use of these flags will be a stopgap until agent environments can be better controlled.
This PR relies on the associated one in go-pipeline.
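As an added illustration (not the agent's or go-pipeline's code), the sketch below shows the mechanism: the ignore list is stripped from the environment before the step payload is canonicalised and signed, so the verifier only passes when it is started with the same list. HMAC-SHA256 over a shared key stands in for the agent's real signature scheme; the command, env values and key are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"sort"
	"strings"
)

// parseIgnoredEnvVars turns a flag value like "MOUNTAIN,RIVER" into a set.
func parseIgnoredEnvVars(flag string) map[string]bool {
	ignored := map[string]bool{}
	for _, name := range strings.Split(flag, ",") {
		if name = strings.TrimSpace(name); name != "" {
			ignored[name] = true
		}
	}
	return ignored
}

// payload is the canonical text covered by the signature: the step command
// plus every env var not in the ignore set, sorted by name so it is stable.
func payload(command string, env map[string]string, ignored map[string]bool) string {
	lines := []string{"command=" + command}
	keys := make([]string, 0, len(env))
	for k := range env {
		if !ignored[k] {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	for _, k := range keys {
		lines = append(lines, "env:"+k+"="+env[k])
	}
	return strings.Join(lines, "\n")
}

// sign returns an HMAC-SHA256 tag over the payload (constructed stand-in for
// the agent's real signature scheme; only the "what is covered" part matters).
func sign(key []byte, command string, env map[string]string, ignored map[string]bool) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload(command, env, ignored)))
	return m.Sum(nil)
}

// verify recomputes the tag under the verifier's own ignore set and compares
// in constant time; a change to any non-ignored var fails verification.
func verify(key []byte, command string, env map[string]string, ignored map[string]bool, sig []byte) bool {
	return hmac.Equal(sign(key, command, env, ignored), sig)
}
```

Note that signing with an ignore list and verifying without one (or vice versa) also fails, which is why both agents must be given the same list.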
Testing
- [x] Tests have run locally (with `go test ./...`). Buildkite employees may check this if the pipeline has run automatically.
- [x] Code is formatted (with `go fmt ./...`)