Skip to content

feat(KEYS-5638): task signature checking #565

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
imundra wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

feat(KEYS-5638): task signature checking #565

imundra wants to merge 2 commits into from

Conversation

@imundra
Copy link

@imundra imundra commented Jan 13, 2026
edited
Loading

Adds in checking for task signatures from the task author, and 2 facilitators. This is meant to serve as a safeguard against different signers signing different versions of the task. We don't perform actual cryptographic verification here but just check that the checksum that was signed is consistent across all of the signatures and the current state of the repo.

@cb-heimdall
Copy link
Collaborator

cb-heimdall commented Jan 13, 2026
edited
Loading

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/2
Denominator calculation
Show calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 2
Additional review requirements
Show calculation
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 2
2
1 if commit is unverified 1
Sum 3

@imundra imundra marked this pull request as draft January 13, 2026 17:55
imundra
imundra commented Jan 13, 2026
View reviewed changes
.github/scripts/validate-signatures.sh
Comment on lines +109 to +119
echo "📦 Creating deterministic tarball..."
if ! tar --sort=name \
--mtime='1970-01-01 00:00:00' \
--owner=0 --group=0 \
--numeric-owner \
-C "$network" \
-cf "$temp_tar" \
"$task_name/" 2>/dev/null; then
echo -e "${RED}❌ Failed to create tarball${NC}"
return 1
fi
Copy link
Author

@imundra imundra Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is going to get replaced with a call to a command line utility that @awilliams1-cb has in progress

imundra
imundra commented Jan 14, 2026
View reviewed changes
.github/scripts/validate-signatures.sh
Comment on lines +7 to +8
"sepolia"
"sepolia-alpha"
Copy link
Author

@imundra imundra Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we may want to remove these from the testing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@imundra @cb-heimdall