
Resolve "signature of the commits"

François-Régis Menguy requested to merge 551-signature-of-the-commits into main

What does this MR do and why?

Demonstrate how to verify the signature of the commits, taking GPG key as reference for Flux CD validation.

Signing a commit is meant to address the security need of integrity, i.e. it mitigates the risk of an unwanted commit or tag that has been tampered with.

Validation of commits is based on a list of referenced developers (using their public keys).
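As an added example (not part of this MR or the Sylva project's own manifests), a Flux CD GitRepository that enables commit signature verification against a Secret holding the authorized developers' ASCII-armored GPG public keys; the repository URL, resource names and key file names are assumed placeholders.

```yaml
# Added example, not from the MR. Names and URL are assumed placeholders.
#
# 1. Build the keyring Secret from the authorized developers' exported
#    public keys (ASCII-armored, one file per developer):
#    gpg --armor --export alice@example.com > alice.asc
#    gpg --armor --export bob@example.com   > bob.asc
#    kubectl -n flux-system create secret generic sylva-signing-keys \
#      --from-file=alice.asc --from-file=bob.asc
#
# 2. Reference that Secret from the GitRepository. With verify set,
#    Flux refuses to reconcile a HEAD commit that is unsigned or signed
#    by a key absent from the Secret, so the three test cases in this
#    MR map to the source becoming (or not becoming) Ready.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: sylva-core            # assumed name
  namespace: flux-system
spec:
  interval: 5m
  url: https://gitlab.example.com/sylva/sylva-core.git   # placeholder URL
  ref:
    branch: main
  verify:
    mode: HEAD                # check the signature of the checked-out commit
    secretRef:
      name: sylva-signing-keys   # Secret created in step 1
```

Without the `verify` block Flux accepts any commit regardless of signature, which is the weak configuration the MR's tests are designed to reject; `flux get sources git -n flux-system` shows the verification failure in the Ready condition message.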

Related reference(s)

Test coverage

Deploying a Sylva unit without a commit signature must fail when Flux CD verification is configured.
Deploying a Sylva unit with a commit signature not in the authorized list must fail when Flux CD verification is configured.
Deploying a Sylva unit with a commit signature in the authorized list must be successful when Flux CD verification is configured.

Closes #551
