What I Am Tasked With:
Authenticate a merge in CI based on the committer's PGP signing key.
What we’ve been doing:
CI executes shell that
- pulls public PGP keys from a repo and adds them to the runner's keyring
- if the commit matches a known key, continue, else fail.
What’s wrong with that:
- Doesn’t scale
- Rebuilding this scheme to allow for the concept of separation of duties is ugly.
What about [gitlab/github] native tools for managing this process?
- Last resort, for complicated reasons
So I thought about Keycloak.
Is it doable to curl from shell with values ($commit, $repository_name), talk to a realm and get approval based on a stored public key? Something like
realm: pgp
User: Bob
  Key: C874011F0AB405110D02105534365D947228383831
  Repositories: company-web, company-sql
User: Carl
  Key: C874011F0AB4087754D02134365D94722893838391
  Repositories: company-web
Pseudo:
if [bob / company-sql] then OK
if [carl / company-sql] then FAIL
That would allow me to
- Manage public keys in a central location
- Allow for the concept of separation of duties
- Allow me to replace 160 lines of shell with a few lines of curl.
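The decision sketched in the pseudo above, written out as a small POSIX shell gate. This is an added example, not the poster's 160-line script and not a Keycloak API call: the user/key/repository registry is constructed inline in the shape of the sketch (the two fingerprints from the post), and the only piece a real deployment would swap is where `KEY_REGISTRY` comes from (a curl against whatever central store is chosen). The `git log` format placeholders `%G?` (signature status) and `%GP` (primary key fingerprint) are real git features; `CI_COMMIT_SHA` and `CI_PROJECT_NAME` in the usage comment are GitLab's predefined variables and are an assumption about the CI in use.

```shell
#!/bin/sh
# Added example: CI merge gate that authorizes a commit by (signing key, repository).
# Not the original poster's script; the registry below is constructed sample data.
set -eu

# Constructed registry in the shape of the post's sketch, one line per user:
#   user|primary-key-fingerprint|comma-separated repositories
# In a real pipeline this string would be fetched from the central store instead.
KEY_REGISTRY=$(cat <<'EOF'
bob|C874011F0AB405110D02105534365D947228383831|company-web,company-sql
carl|C874011F0AB4087754D02134365D94722893838391|company-web
EOF
)

# authorize FINGERPRINT REPOSITORY
# Prints the matching user and returns 0 only when the key is registered AND the
# repository is in that user's list (separation of duties); returns 1 otherwise.
authorize() {
  # Fingerprints compare case-insensitively and without the spaces gpg prints.
  fpr=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  repo=$2
  # Exact match on the fingerprint column; a substring match would let a
  # truncated or shortened id pass, so no grep here.
  entry=$(printf '%s\n' "$KEY_REGISTRY" \
    | awk -F'|' -v k="$fpr" '$2 == k { print $1 "|" $3; exit }')
  [ -n "$entry" ] || return 1
  user=${entry%%|*}
  repos=${entry#*|}
  # Exact element match inside the comma list ("company-web" must not match
  # "company-web-old"), hence the surrounding commas.
  case ",$repos," in
    *",$repo,"*) printf '%s\n' "$user"; return 0 ;;
  esac
  return 1
}

# commit_fingerprint COMMIT
# Prints the primary-key fingerprint behind a *good* signature on COMMIT.
# %G? is "G" only for a valid signature from a trusted key in the runner's
# keyring; %GP is the primary key even when a subkey did the signing, which is
# what the registry stores. Fails for unsigned, bad or untrusted signatures.
commit_fingerprint() {
  line=$(git log -1 --format='%G? %GP' "$1") || return 1
  status=${line%% *}
  fpr=${line#* }
  [ "$status" = "G" ] || return 1
  printf '%s\n' "$fpr"
}

# check_commit COMMIT REPOSITORY
# The CI step: fail closed unless the signature is good and the key is allowed
# on this repository. Usage in GitLab CI (assumed variable names):
#   check_commit "$CI_COMMIT_SHA" "$CI_PROJECT_NAME"
check_commit() {
  fpr=$(commit_fingerprint "$1") || {
    echo "FAIL: no good signature on $1" >&2
    return 1
  }
  if user=$(authorize "$fpr" "$2"); then
    echo "OK: $1 signed by $user, allowed on $2"
  else
    echo "FAIL: key $fpr is not allowed on $2" >&2
    return 1
  fi
}
```

With the registry above, `authorize` answers the post's two pseudo lines: Bob's key on company-sql prints `bob` and returns 0, Carl's key on company-sql returns 1, and so does any fingerprint that is not registered at all. `check_commit` adds the part the registry cannot decide, namely that the signature on the commit is actually valid, before consulting it.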