Step 4 - Verify Git Commit

OpenShift Supply Chain

- Thomas Jungbauer Thomas Jungbauer ( Lastmod: 2024-05-08 ) - 3 min read

Besides checking the source code quality, we should also verify if the commit into Git was done by someone/something we trust. It is a good practice to sign all commits to Git. You need to prepare your Git account and create trusted certificates.

I will not describe how exactly you need to configure Git to sign your commit. Verify the following link to learn more about Signing Commits

Goals

The goals of this step are:

  • Verify if the last commit has been signed

Prerequisites

  • Signing public key

  • Configured Git to verify your gpg signature

When your commit is signed, Git will show that:

Pipeline
Figure 1. Pipeline

Steps

  1. Create the following Secret that contains your PUBLIC key.

    kind: Secret
apiVersion: v1
metadata:
  name: gpg-public-key
  namespace: ci
data:
  public.key: >-
    <Base64 PUBLIC GPG KEY> (1)
type: Opaque
    1Public key, containing BEGIN/END lines base64 encoded.

  2. Create the following Task:

    apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: verify-source-code-commit-signature
  namespace: ci
spec:
  description: This task verifies the latest commit and signature against the gpg
    public key
  params:
    - default: 'registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8:v1.10.4-4'
      name: gitInit
      type: string
  steps:
  - computeResources: {}
    image: $(params.gitInit)
    name: git-verify
    script: |
      set -x (1)

      gpg --import /workspace/secrets/public.key

      git config --global --add safe.directory /workspace/repository

      git verify-commit HEAD || (echo "Unable to verify commit at HEAD!" && exit 1)
    workingDir: /workspace/repository
  workspaces:
  - name: repository
  - name: secrets (2)
    1The script to verify the signature of the commit,
    2The workspace that mounts the Secret containing the gpg key,

  3. Modify the TriggerTemplate and add the following 3 lines

            workspaces:
...
          - name: secrets
            secret:
              secretName: gpg-public-key (1)
    1The name of the Secret where the public key can be found.

  4. Update the pipeline to execute the task verify-commit-signature, which is running in parallel to the SonarQube scan.

        - name: verify-commit-signature
      runAfter:
        - pull-source-code (1)
      taskRef:
        kind: Task
        name: verify-source-code-commit-signature (2)
      workspaces: (3)
        - name: repository
          workspace: shared-data
        - name: secrets
          workspace: secrets
  workspaces:
    ...
    - name: secrets (4)
    1This task runs after pull-source-code but in parallels with the SonarQube task.
    2Task reference
    3Workspaces that are used in this Task
    4Additional workspace for the Pipeline

The full pipeline objects now look like the following:

Expand me...

The status of the Pipeline now is:

Pipeline
Figure 2. Pipeline

Execute the Pipeline

Let’s update the README.md of our source code again to trigger another PipelineRun.

Now the 3rd task will verify if the commit was signed.

PipelineRun Details
Figure 3. PipelineRun Details

In the logs of the Task, we can see that the commit was signed and could be verified. See:

...
gpg: Good signature from "Thomas Jungbauer <tjungbau@redhat.com>"
...
Signature Verification
Figure 4. Signature Verification

Summary

At this stage we have a Pipeline, that pulls our code, does a code analysis, and verifies if the commit has been signed. The very next step is to build the image and push it into an Image Registry.

See Also:

  • What's new in OpenShift, 4.20 Edition

    This article covers news and updates in the OpenShift 4.20 release. We focus on points that got our attention, but this is not a complete summary of the release notes.

  • Red Hat Quay Registry - Integrate Keycloak

    This guide shows you how to configure Keycloak as an OpenID Connect (OIDC) provider for Red Hat Quay Registry. It covers what to configure in Keycloak, what to put into Quay’s config.yaml (or Operator config), how to verify the login flow, and how to switch your Quay initial/admin account (stored locally in Quay’s DB) to an admin user that authenticates via Keycloak.

  • A second look into the Kubernetes Gateway API on OpenShift

    This is our second look into the Kubernetes Gateway API an it’s integration into OpenShift. This post covers TLS configuration. The Kubernetes Gateway API is new implementation of the ingress, load balancing and service mesh API’s. See upstream for more information. Also the OpenShift documentation provides an overview of the Gateway API and it’s integration. We demonstrate how to add TLS to our Nginx deployment, how to implement a shared Gateway and finally how to implement HTTP to HTTPS redirection with the Gateway API. Furthermore we cover how HTTPRoute objects attach to Gateways and dive into ordering of HTTPRoute objects.

  • A first look into the Kubernetes Gateway API on OpenShift

    This blog post summarizes our first look into the Kubernetes Gateway API and how it is integrated in OpenShift.

  • Reusable Argo CD Application Helm Template

    When working with Argo CD at scale, you often find yourself creating similar Application manifests repeatedly. Each application needs the same basic structure but with different configurations for source repositories, destinations, and sync policies. Additionally, managing namespace metadata becomes tricky when you need to conditionally control whether Argo CD should manage namespace metadata based on sync options. In this article, I’ll walk you through a reusable Helm template that solves these challenges by providing a flexible, DRY (Don’t Repeat Yourself) approach to creating Argo CD Applications. This template is available in my public Helm Chart library and can easily be used by anyone.

Copyright © 2020 - 2025 Toni Schmidbauer & Thomas Jungbauer