Signed Pipelines fail to verify when using interpolated environment variables #2742
Comments
|
Hey @fruechel-canva – I can see that @patrobinson has reached out to investigate your particular case here, so we can see where that support thread leads. In general, signing of runtime env var interpolation (e.g. escaped env vars with However normal env var interpolation (where the agent replaces |
|
👋 since any script called by the yaml could interpolate env vars, this seems like a bit of an arbitrary limitation. At the very least perhaps the error message could be improved if someone tries this? It took me quite a bit of experimentation to figure out this is what was causing |
|
yo! i (mis)informed @dabarrell on his reply above and am here to correct my mistake - you absolutely can (or should be able to!) use the reason this is okay is that the interpolation happens after the signature check, rather than before - the signature verification is basically just checking that the text of the command is |
Is your feature request related to a problem? Please describe.
Currently, signed pipelines fail to verify if uploading a definition that contains a variable such as
${VAR_NAME}in the command.Describe the solution you'd like
Variables are supported in pipelines with risks and tradeoffs documented and mitigation options available.
Describe alternatives you've considered
Not using variables at all or only interpolating them from within wrapper scripts is a significant effort that would require rework across a large number of pipelines.
Additional context
There's some complexity in this because simply accepting any variable content could lead to a trivial bypass of the signature while evaluating the variable at signature time might lead to a different result compared to a runtime evaluation. However, the current situation is an edge case the pipeline signature feature has not addressed yet, so some explicit solution would be needed here.
The text was updated successfully, but these errors were encountered: