user/securely-signing-software.md
12 additions & 1 deletion
@@ -85,21 +85,32 @@ script:
Whenever in doubt, please consult the [Cosign KMS Support documentation page](https://docs.sigstore.dev/cosign/kms_support)
+
### Add SSH Key
+
+
Add a new SSH key, a private key in PEM format only.
+
+
Complete the following fields to add a new SSH key:
+
- **Identifier**: field to add an identifier name.
+
- **Description**: field to add a short description.
+
- **SSH Key**: field to add your SSH key code.
+
## Security considerations
As much as the feature is meant to help you prove the source of the file or image via signature, please at all times consider following aspects of ensuring security of the key used for signing the files or images during the CI/CD process.
The key used for signing uploaded to Travis CI under a personal account or organization account can be used under every repository owned by this entity (assuming proper tag and key identifier are present in the respective repository `.travis.yml`). The key downloaded from Hashicorp Vault to a specific build job or build can be used, respectively, within a specific build job or every build job of a build.
+
Therefore, please carefully review repository settings in Travis CI for repositories belonging to the account and assess the risk of the key used for signing being exposed, e.g., via malicious pull request from a fork or accidental debug message. We’d recommend paying attention whether the repository is public (which makes the job logs public by default), if the pull requests from forks are allowed, are the repository SSH keys shared and who may access the job logs. Please mind that job logs, especially public, can be used to expose the secret via a malicious or accidental debug message in the pull request or commit that triggers a build in Travis CI.
We recommend considering the following security measures:
* using separate key just for the purpose of file/image signing.
-
* using private repository to trigger builds, during which the files are signed, if possible.
+
* using a private repository to trigger builds, during which the files are signed, if possible.
* reviewing who has push/write access to such repository.
* reviewing Repository Settings, particularly the [Security Settings -> Share SSH key with forks](/user/web-ui#share-ssh-keys-with-forks) setting.
* excluding a build, which signs the release to a separate account/organization (if possible and viable) with a limited list of collaborators.
* [limiting access to repository job logs](/user/disable-job-logs/) in individual repository settings.
* if using Hashicorp Vault KMS as a source of the key used for signing: always encrypt secrets needed to connect to Vault in the respective Repository Settings or the .travis.yml file.
+
Travis CI will attempt to obfuscate secrets in the job logs, yet since there are many ways to print them in the output there’s no guarantee all vulnerable data will be spotted and masked. Since Travis is a cloud CI/CD system, please be wary of associated risks and ways to minimize these. Please read also [Best Practices in Securing Your Data](/user/best-practices-security/).
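Review bot: the new "### Add SSH Key" subsection never says what the uploaded private key is used for or how a build references it, so a reader cannot tell whether this is a signing key for the Cosign flow described just above (which, per the "Security considerations" below, is looked up by "tag and key identifier" in `.travis.yml`) or the repository's SSH key covered by the "Share SSH key with forks" setting; add one sentence after "Add a new SSH key, a private key in PEM format only." stating the purpose and how the **Identifier** is referenced from `.travis.yml`. The field description "field to add your SSH key code." is also vague for a secret: it should say that the private key contents (PEM) are pasted here, and it is worth stating in this subsection that the key is a secret and that the exposure risks listed under "## Security considerations" (public job logs, pull requests from forks) apply to it. The remaining changes in this hunk (the article "a" in "using a private repository" and the blank lines added after the Vault paragraph and the list) are fine.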