Automated security check failing on PR integrated as a rebase #52637
Replies: 1 comment
-
|
Your check caught a real thing, and your reading of it is correct. PR #52334 was integrated by rebasing the author's three original commits straight onto master, so they kept their original unsigned state with the maintainer as committer, instead of the usual squash commit that GitHub creates and signs with its web-flow key. You can see the contrast on master right now:
Was it an error? Not a security one. Maintainers occasionally integrate a PR by rebasing/pushing from their own machine instead of using the GitHub merge button (to resolve conflicts locally, or to keep a multi-commit history intact). Done that way, the commits don't get GitHub's web-flow signature. Uncommon, legitimate, and it will happen again. On whether per-commit signature verification is a good gate, I'd gently push back, for two reasons:
What actually gives you supply-chain integrity for vcpkg:
So the intent is right (gate on provenance), but the specific signal is both noisier and weaker than gating on the signed release tag plus vcpkg's git-tree/SHA512 pinning. I'd switch the weekly job to: watch for a new signed tag -> verify the tag -> build at that tag. Hope that helps! |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hello everyone,
TL;DR: I automatically check for signatures on new commits and commits integrated straight as a rebase won't have one. Was it an error to integrate them like this or is my automated verification just a bad idea?
Long version:
I set up an automated job in my project that checks if there is a new release of vcpkg weekly to try and build it automatically if there is.
It also checks if every new commit is signed by a whitelisted signature to limit the risk that I build something corrupted / compromised.
It has worked decently for a couple months but today it failed.
The reason is that there was one PR (#52334) that was integrated, not as an automatically signed merged commit but as rebase integrating the original unsigned commits straight into the branch history.
Now, after checking manually, it seems like it was reviewed and there is probably no security issue here, but if it happens again, I don't know how or if I could or should automate such a check.
Since it seems to me that almost every single commit has been signed for a few years now (and even the tags for a couple months I believe), I wonder if the integration of unsigned commits like that was an error of if it something that is legitimate that could happen regularly.
I thank you deeply for all your work and I'm not throwing a stone at anyone, I'm just trying to understand if my "automated signature verification before integration" is a bad approach or if it might work.
Thanks a lot for your help and any insight :D
Aloïs
Beta Was this translation helpful? Give feedback.
All reactions