mirror of
https://github.com/capistrano/capistrano
synced 2023-03-27 23:21:18 -04:00
Add a :verify_commit option
When :verify_commit is set to true, after updating the mirror `git verify-commit <revision>` will be run on the revision that is about to be deployed to check if it has a valid signature. This will allow a user to be certain that the code they are about to deploy was signed by an authorized author, and that they are not in danger of deploying malicious code in an attack scenario such as https://github.blog/2012-03-04-public-key-security-vulnerability-and-mitigation/
This commit is contained in:
parent
b83a39bd86
commit
303366f215
4 changed files with 21 additions and 0 deletions
|
@ -158,6 +158,11 @@ The following variables are settable:
|
||||||
* **default:** `0`
|
* **default:** `0`
|
||||||
* Number of seconds to wait after you reach the limit of concurrent connections to Git repository server and disconnect afterwards to initialize new connections. This prevents from being cut out of SSH server when you use `fail2ban` or similar software for limiting connections to server.
|
* Number of seconds to wait after you reach the limit of concurrent connections to Git repository server and disconnect afterwards to initialize new connections. This prevents from being cut out of SSH server when you use `fail2ban` or similar software for limiting connections to server.
|
||||||
|
|
||||||
|
* `:verify_commit`
|
||||||
|
* **default:** `false`
|
||||||
|
* Whether to check if a valid signature exists on the commit to be deployed.
|
||||||
|
* Currently only implemented for Git.
|
||||||
|
|
||||||
Capistrano plugins can provide their own configuration variables. Please refer
|
Capistrano plugins can provide their own configuration variables. Please refer
|
||||||
to the plugin documentation for the specifics. Plugins are allowed to add or
|
to the plugin documentation for the specifics. Plugins are allowed to add or
|
||||||
manipulate default values as well as already user-defined values after the
|
manipulate default values as well as already user-defined values after the
|
||||||
|
|
|
@ -60,6 +60,10 @@ class Capistrano::SCM::Git < Capistrano::SCM::Plugin
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def verify_commit
|
||||||
|
git :"verify-commit", fetch_revision
|
||||||
|
end
|
||||||
|
|
||||||
def archive_to_release_path
|
def archive_to_release_path
|
||||||
if (tree = fetch(:repo_tree))
|
if (tree = fetch(:repo_tree))
|
||||||
tree = tree.slice %r#^/?(.*?)/?$#, 1
|
tree = tree.slice %r#^/?(.*?)/?$#, 1
|
||||||
|
|
|
@ -42,6 +42,7 @@ namespace :git do
|
||||||
within repo_path do
|
within repo_path do
|
||||||
with fetch(:git_environmental_variables) do
|
with fetch(:git_environmental_variables) do
|
||||||
git_plugin.update_mirror
|
git_plugin.update_mirror
|
||||||
|
git_plugin.verify_commit if fetch(:verify_commit)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -169,5 +169,16 @@ module Capistrano
|
||||||
expect(revision).to eq("81cec13b777ff46348693d327fc8e7832f79bf43")
|
expect(revision).to eq("81cec13b777ff46348693d327fc8e7832f79bf43")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "#verify_commit" do
|
||||||
|
it "should run git verify-commit" do
|
||||||
|
env.set(:branch, "branch")
|
||||||
|
|
||||||
|
backend.expects(:capture).with(:git, "rev-list --max-count=1 branch").returns("81cec13b777ff46348693d327fc8e7832f79bf43")
|
||||||
|
backend.expects(:execute).with(:git, :"verify-commit", "81cec13b777ff46348693d327fc8e7832f79bf43")
|
||||||
|
|
||||||
|
subject.verify_commit
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue