Version 0.9.0

Signature

Drone provides the ability to sign your YAML configuration file to verify authenticity and prevent tampering. This is especially useful if your repository is public and you need to prevent unauthorized changes to your configuration.

If a user modifies the configuration and signature verification fails, the pipeline is blocked pending manual approval by an authorized user with write or administrative access to the repository.

Enforcing Signatures

To enforce signature verification you need to enable Protected mode for your repository. Navigate to your repository settings screen and check the Protected checkbox.

Storing Signatures

Signatures are stored in the YAML configuration file as a signature resource. The signature resource provides an HMAC signature of your configuration.

---
kind: pipeline
name: default

steps:
- name: build
  image: golang
  commands:
  - go build
  - go test

---
kind: signature
hmac: F10E2821BBBEA527EA02200352313BC059445190

...

Calculating Signatures

The contents of each YAML resource, excluding any existing signature resources, are signed using a 256-bit secret key. The secret key is unique per repository and never leaves the Drone server.

It is important to reiterate that the signature excludes any existing signature sections. This allows you to sign the YAML configuration file, and then insert or update a signature section, without invalidating your newly generated HMAC.
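
The exclusion rule described above, as an added Go example that is not Drone's own code: adding or replacing the signature resource leaves the computed HMAC unchanged, while any edit to a pipeline resource makes verification fail. It assumes HMAC-SHA256 and a plain textual split on document markers, so its output will not match what drone sign returns; parse, Sign and Verify are hypothetical names.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// parse splits on "---"/"..." lines (a textual split, assumed; not Drone's YAML parser)
// and returns the resources to sign plus the hmac stored in any signature resource.
func parse(config string) (signed []string, stored string) {
	var cur []string
	for _, raw := range strings.Split(config+"\n---", "\n") {
		if line := strings.TrimRight(raw, " \t\r"); line != "---" && line != "..." {
			cur = append(cur, line)
			continue
		}
		doc := strings.TrimSpace(strings.Join(cur, "\n"))
		cur = nil
		isSig := strings.Contains("\n"+doc+"\n", "\nkind: signature\n")
		if !isSig && doc != "" {
			signed = append(signed, doc)
		}
		for _, l := range strings.Split(doc, "\n") {
			if isSig && strings.HasPrefix(l, "hmac:") {
				stored = strings.TrimSpace(strings.TrimPrefix(l, "hmac:"))
			}
		}
	}
	return signed, stored
}

// Sign returns uppercase hex HMAC-SHA256 (assumed algorithm) over non-signature resources.
func Sign(config string, key []byte) string {
	docs, _ := parse(config)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.Join(docs, "\n---\n")))
	return strings.ToUpper(hex.EncodeToString(mac.Sum(nil)))
}

// Verify recomputes the HMAC and compares it with the stored value in constant time.
func Verify(config string, key []byte) bool {
	_, stored := parse(config)
	return stored != "" && hmac.Equal([]byte(strings.ToUpper(stored)), []byte(Sign(config, key)))
}

func main() { fmt.Println(Sign("kind: pipeline\n", []byte("0123456789abcdef0123456789abcdef"))) } // constructed inputs
```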

Creating Signatures

The signature is created using the Drone command line utility. This command makes an authenticated request to the Drone server, posting your YAML configuration file, to calculate and return the HMAC signature.

drone sign <repository>

Example:

$ drone sign octocat/hello-world
F10E2821BBBEA527EA02200352313BC059445190

Example that automatically writes the signature to your YAML file:

$ drone sign octocat/hello-world --save
