Type: New Feature
Resolution: Unresolved
Priority: Minor
I want to be able to configure Jenkins to run "git verify-commit HEAD" after checkout to ensure that the commit at the HEAD of master has been GPG signed. This allows the build server to ensure integrity of the repository, even if the repository host has been compromised.
Although current recommendations are to put "git verify-commit HEAD" in the build script as the first line after "checkout scm", this doesn't help with verifying that "Jenkinsfile" itself hasn't been tampered with, as commits on master are trusted by default. The only way to verify the commit before a pipeline starts using it would be for this plugin to add an additional behaviour to run "git verify-commit HEAD" before the pipeline starts. I'd imagine the implementation of the behaviour would be identical to "Git LFS pull after checkout", but with a different command.
I think for now it's reasonably okay to have to configure the GPG keyring on the Jenkins master, as I don't expect this feature will be used by a lot of people. But for us, it allows us to improve the security and integrity of our Git repositories, and ensure only code written and signed off by developers makes it through the normal build process.
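As an added example (not code from this issue or from the Jenkins git plugin), the check below is what a build step could run right after checkout. It goes one step further than "git verify-commit HEAD", which passes for any valid signature from a key in the keyring regardless of trust level unless gpg.minTrustLevel is set: it reads git's signature status and the signing key's primary fingerprint and requires that fingerprint to be on an allow-list. The fingerprints and function names are constructed for the example.

```shell
#!/bin/sh
# Verify that a commit carries a good GPG signature from an allow-listed key.
# Intended as the first step after "checkout scm"; fails the build otherwise.
set -u

# Allow-list of primary key fingerprints (constructed placeholder values;
# replace with the fingerprints of your developers' signing keys).
TRUSTED_FINGERPRINTS="
0123456789ABCDEF0123456789ABCDEF01234567
FEDCBA9876543210FEDCBA9876543210FEDCBA98
"

# evaluate_signature STATUS FINGERPRINT
# STATUS is git's %G? code: G good, U good but key not trusted in the keyring,
# B bad, E cannot be checked, N no signature, X/Y expired, R revoked.
# Returns 0 only for a cryptographically valid signature (G or U) whose
# primary key fingerprint is on the allow-list; any other case returns 1.
evaluate_signature() {
    status=$1
    fingerprint=$2
    case "$status" in
        G|U) ;;                                           # valid signature; now check the key
        N)   echo "REJECT: commit is not signed" >&2; return 1 ;;
        *)   echo "REJECT: signature status '$status'" >&2; return 1 ;;
    esac
    for allowed in $TRUSTED_FINGERPRINTS; do
        [ "$allowed" = "$fingerprint" ] && return 0
    done
    echo "REJECT: valid signature, but key $fingerprint is not allow-listed" >&2
    return 1
}

# verify_commit [REV]: run the check against the checked-out repository.
# Uses git's %G? (status) and %GP (primary key fingerprint) placeholders,
# so it needs a git version that supports %GP. Returns 1 if git itself fails.
verify_commit() {
    rev=${1:-HEAD}
    info=$(git log -1 --format='%G? %GP' "$rev") || return 1
    status=${info%% *}
    fingerprint=${info#* }        # empty when the commit is unsigned
    evaluate_signature "$status" "$fingerprint"
}

# Example usage in a build script:
# verify_commit HEAD || exit 1
```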