From 303366f215e35c93a145838642cf112fe94ad883 Mon Sep 17 00:00:00 2001
From: mohamed
Date: Tue, 19 Jan 2021 09:49:02 -0800
Subject: [PATCH] Add a :verify_commit option

When :verify_commit is set to true, after updating the mirror `git verify-commit ` will be run on the revision that is about to be deployed to check if it has a valid signature. This will allow a user to be certain that the code they are about to deploy was signed by an authorized author, and that they are not in danger of deploying malicious code in an attack scenario such as https://github.blog/2012-03-04-public-key-security-vulnerability-and-mitigation/
---
 .../getting-started/configuration/index.markdown | 5 +++++
 lib/capistrano/scm/git.rb | 4 ++++
 lib/capistrano/scm/tasks/git.rake | 1 +
 spec/lib/capistrano/scm/git_spec.rb | 11 +++++++++++
 4 files changed, 21 insertions(+)

diff --git a/docs/documentation/getting-started/configuration/index.markdown b/docs/documentation/getting-started/configuration/index.markdown
index ab4145e2..c0aea2db 100644
--- a/docs/documentation/getting-started/configuration/index.markdown
+++ b/docs/documentation/getting-started/configuration/index.markdown
@@ -158,6 +158,11 @@ The following variables are settable:
   * **default:** `0`
   * Number of seconds to wait after you reach the limit of concurrent connections to Git repository server and disconnect afterwards to initialize new connections. This prevents from being cut out of SSH server when you use `fail2ban` or similar software for limiting connections to server.
 
+* `:verify_commit`
+  * **default:** `false`
+  * Whether to check if a valid signature exists on the commit to be deployed.
+  * Currently only implemented for Git.
+
 Capistrano plugins can provide their own configuration variables. Please refer to the plugin documentation for the specifics. Plugins are allowed to add or manipulate default values as well as already user-defined values after the 
diff --git a/lib/capistrano/scm/git.rb b/lib/capistrano/scm/git.rb
index 9a95cb8c..0c08ab7d 100644
--- a/lib/capistrano/scm/git.rb
+++ b/lib/capistrano/scm/git.rb
@@ -60,6 +60,10 @@ class Capistrano::SCM::Git < Capistrano::SCM::Plugin
       end
     end
 
+    def verify_commit
+      git :"verify-commit", fetch_revision
+    end
+
     def archive_to_release_path
       if (tree = fetch(:repo_tree))
         tree = tree.slice %r#^/?(.*?)/?$#, 1
diff --git a/lib/capistrano/scm/tasks/git.rake b/lib/capistrano/scm/tasks/git.rake
index acf729c0..52cd76d1 100644
--- a/lib/capistrano/scm/tasks/git.rake
+++ b/lib/capistrano/scm/tasks/git.rake
@@ -42,6 +42,7 @@ namespace :git do
       within repo_path do
         with fetch(:git_environmental_variables) do
           git_plugin.update_mirror
+          git_plugin.verify_commit if fetch(:verify_commit)
         end
       end
     end
diff --git a/spec/lib/capistrano/scm/git_spec.rb b/spec/lib/capistrano/scm/git_spec.rb
index 6dbdb250..df3528b4 100644
--- a/spec/lib/capistrano/scm/git_spec.rb
+++ b/spec/lib/capistrano/scm/git_spec.rb
@@ -169,5 +169,16 @@ module Capistrano
         expect(revision).to eq("81cec13b777ff46348693d327fc8e7832f79bf43")
       end
     end
+
+    describe "#verify_commit" do
+      it "should run git verify-commit" do
+        env.set(:branch, "branch")
+
+        backend.expects(:capture).with(:git, "rev-list --max-count=1 branch").returns("81cec13b777ff46348693d327fc8e7832f79bf43")
+        backend.expects(:execute).with(:git, :"verify-commit", "81cec13b777ff46348693d327fc8e7832f79bf43")
+
+        subject.verify_commit
+      end
+    end
   end
 end
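Review bot: `verify_commit` leaves the authorization decision entirely to gpg on the deploy host: `git verify-commit` exits 0 for any good signature made by a key present in the keyring of the deploying user, whatever that key's trust level, so the commit message's "signed by an authorized author" only holds where that keyring is restricted to authorized keys or `gpg.minTrustLevel` is set in the mirror's git config. That scope is worth stating on the otherwise undocumented method, e.g. `# Aborts the deploy unless the resolved revision carries a signature gpg accepts; which keys gpg accepts is governed by the deploy host's keyring and trust settings, not by this method.` The enclosing class continues outside the hunk.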
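Review bot: `fetch(:verify_commit)` has no registered default anywhere in this patch, so the `false` default the documentation advertises is really an unset `nil`, and the option does not show up alongside the plugin's other settings when defaults are inspected. Registering it where the plugin sets its other defaults, `set_if_empty :verify_commit, false`, makes the documented default real and keeps the guard here unchanged. The `git:update` task body that encloses this `within repo_path` block starts outside the hunk.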
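Review bot: The new example pins only the success path; nothing asserts the property the option exists for, namely that a rejected signature stops the deploy rather than being swallowed. If `backend.execute` raises on a non-zero `git verify-commit` exit, as SSHKit's does, a second example using mocha's `.raises`, `backend.expects(:execute).with(:git, :"verify-commit", "81cec13b777ff46348693d327fc8e7832f79bf43").raises(StandardError)` followed by `expect { subject.verify_commit }.to raise_error(StandardError)`, would document that `verify_commit` propagates the failure. The `describe` block that encloses these examples starts outside the hunk.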