From 50a2eb8fd144397e322ab75d77f101f2c6c912b4 Mon Sep 17 00:00:00 2001 From: Ben Hearsum Date: Mon, 16 Oct 2023 11:27:01 -0400 Subject: [PATCH] RFC for signing/verifying remotely referenced taskcluster.yml files --- README.md | 1 + ...-sign-taskcluster-yml-remote-references.md | 33 +++++++++++++++++++ rfcs/README.md | 1 + 3 files changed, 35 insertions(+) create mode 100644 rfcs/0187-sign-taskcluster-yml-remote-references.md diff --git a/README.md b/README.md index 67e0043..c6c97f1 100644 --- a/README.md +++ b/README.md @@ -67,3 +67,4 @@ See [mechanics](mechanics.md) for more detail. | RFC#177 | [Skip CI in github integration](rfcs/0177-Skip-ci-integrations.md) | | RFC#180 | [Github cancel previous tasks](rfcs/0180-Github-cancel-previous-tasks.md) | | RFC#182 | [Allow remote references to .taskcluster.yml files processed by Taskcluster-GitHub](rfcs/0182-taskcluster-yml-remote-references.md) | +| RFC#187 | [Integrity checks for .taskcluster.yml remote references (addendum to #182)](rfcs/0187-sign-taskcluster-yml-remote-references.md) | diff --git a/rfcs/0187-sign-taskcluster-yml-remote-references.md b/rfcs/0187-sign-taskcluster-yml-remote-references.md new file mode 100644 index 0000000..cd88d79 --- /dev/null +++ b/rfcs/0187-sign-taskcluster-yml-remote-references.md 
@@ -0,0 +1,33 @@ +# RFC 187 - Integrity checks for .taskcluster.yml remote references (addendum to #182) +* Comments: [#187](https://github.com/taskcluster/taskcluster-rfcs/pull/186) +* Proposed by: @bhearsum + +# Summary + +Require remotely referenced `.taskcluster.yml` files to be verifiable through a detached signature. + +## Motivation + +In #182 we discussed and agreed on a mechanism to allow for deduplication of `.taskcluster.yml` files by supporting pointers to a `.taskcluster.yml` file hosted elsewhere. Something we did not discuss there was how to verify that these files have not been tampered with (being overridden, man-in-the-middle, etc.). + +This is a crucial detail to iron out before we implement it. + +# Details + +To accommodate integrity checks, Taskcluster-GitHub will require that any remotely referenced `.taskcluster.yml` files have an associated detached GPG signature which can be verified by a public GPG key that it has been configured with. + +Integrity checks will be on by default, but can be disabled by setting `allow-unsigned-remote-references` to `True`. + +Taskcluster-GitHub will allow for zero, one, or many public keys to be configured in its `config.yml`. If zero public keys are configured and `allow-unsigned-remote-references` is `False`, remote references are not supported. If `allow-unsigned-remote-references` is `True` and one or more keys are configured, any `.taskcluster.yml` that is verifiable by _any_ of the configured keys is permitted to be used. (That is to say: keys are not scoped in any way, nor does the order in which they are listed in the config matter.) 
+ +The procedure for verifying a remotely referenced `.taskcluster.yml` will be as follows: +/) Resolve the `config-from` entry to a raw URL (eg: github.com/taskcluster/taskgraph/data/taskcluster-yml-github.yml@main becomes https://github.com/taskcluster/taskgraph/raw/main/data/taskcluster-yml-github.yml) +2) Construct the raw URL for the detached signature by appending `.asc` to the `.taskcluster.yml` URL. (eg: https://github.com/taskcluster/taskgraph/raw/main/data/taskcluster-yml-github.yml.asc) +3) Download both files. If either one does not exist, exit. +4) Iterate over the available public keys and try to verify the `.taskcluster.yml` against the `.asc`. If any verification succeeds, proceed as usual. If no verifications succeed, exit. + +In the event of verification error, a comment should be left on the GitHub commit or Pull Request that caused Taskcluster-GitHub to fire. + +# Implementation + +Part of [Issue #6138](https://github.com/taskcluster/taskcluster/issues/6138). diff --git a/rfcs/README.md b/rfcs/README.md index e2e332c..2caef83 100644 --- a/rfcs/README.md +++ b/rfcs/README.md @@ -55,3 +55,4 @@ | RFC#177 | [Skip CI in github integration](0177-Skip-ci-integrations.md) | | RFC#180 | [Github cancel previous tasks](0180-Github-cancel-previous-tasks.md) | | RFC#182 | [Allow remote references to .taskcluster.yml files processed by Taskcluster-GitHub](0182-taskcluster-yml-remote-references.md) | +| RFC#187 | [Integrity checks for .taskcluster.yml remote references (addendum to #182)](0187-sign-taskcluster-yml-remote-references.md) |
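Review bot: The key-handling sentence in the third paragraph of "Details" appears inverted and the verification procedure never exercises the opt-out. The text reads "If `allow-unsigned-remote-references` is `True` and one or more keys are configured, any `.taskcluster.yml` that is verifiable by _any_ of the configured keys is permitted to be used.", but the case where signatures are required and checked against the configured keys is `allow-unsigned-remote-references: False`; when it is `True` unsigned files are accepted regardless, so the condition should read `False`. Relatedly, step 3 says "Download both files. If either one does not exist, exit." and step 4 exits when no key verifies, which is the right behaviour for the default, but the procedure should also state what happens when `allow-unsigned-remote-references` is `True` (presumably a missing or unverifiable `.asc` falls through to using the file as-is, ideally with a warning comment on the commit or PR, since the reader otherwise cannot tell whether the opt-out skips step 2-4 entirely or only the failure exit). Two smaller points in the same hunk: the first step is labelled `/)` instead of `1)`, and the Comments line points at `pull/186` for an RFC numbered 187, so one of the two numbers is wrong.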