Signed drone file invalid after using an extension

We’re signing our drone files in a few repos to see how this feature works for us. It’s a great feature and really easy to use! However, we think we found an issue coming from our particular use of Drone.

We have an extension that runs and manipulates the drone file. When this happens, I imagine, the drone file is no longer valid. This is what we think we’re observing. Every pipeline run needs to be re-approved manually. That’s not our desired behavior.

Does pipeline signature verification happen after our extensions? Can we validate that file in the extension ourselves, then re-sign it, and would that solve the problem? I’m thinking that won’t solve it because we’re injecting secrets into the pipeline and these secrets are unique per pipeline run.

Any ideas?

Signatures are not currently compatible with YAML files that are generated by or manipulated by an extension.

What if our extension could re-sign the file after it modified it? Would that get us around the manual approval gate? We’re thinking we could:

  • Check if the yaml is signed
  • Verify the signature ourselves
  • Modify the file
  • Re-sign the file
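The four-step flow proposed above, worked through as an added example. This is not Drone's signer code and not the thread's own code: it assumes an HMAC-SHA256 over the exact bytes of the pipeline body, stored in a trailing YAML document of the form `kind: signature` / `hmac: <hex>`, and it uses a constructed sample pipeline, a constructed repo key, and a constructed per-run secret (`RUN_TOKEN`). It shows why an extension's edit invalidates the existing signature, and what verify-then-modify-then-re-sign looks like when the extension holds the same key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// sigMarker introduces the trailing signature document. This layout is an
// assumption made for the example; it stands in for the real format.
const sigMarker = "\n---\nkind: signature\nhmac: "

// samplePipeline is a constructed, unsigned pipeline body.
const samplePipeline = "kind: pipeline\nname: default\n\nsteps:\n- name: build\n  image: golang\n  commands:\n  - go build\n"

// splitSigned separates a signed document into its pipeline body and the
// hex-encoded MAC from the trailing signature document.
func splitSigned(doc string) (body, mac string, ok bool) {
	idx := strings.LastIndex(doc, sigMarker)
	if idx < 0 {
		return doc, "", false
	}
	rest := doc[idx+len(sigMarker):]
	if nl := strings.IndexByte(rest, '\n'); nl >= 0 {
		rest = rest[:nl]
	}
	// Keep the newline that ends the body; it is part of what was signed.
	return doc[:idx+1], strings.TrimSpace(rest), true
}

// IsSigned reports whether the document carries a signature document (step 1).
func IsSigned(doc string) bool {
	_, _, ok := splitSigned(doc)
	return ok
}

// computeMAC is HMAC-SHA256 over the exact bytes of the body.
func computeMAC(body string, key []byte) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(body))
	return hex.EncodeToString(h.Sum(nil))
}

// Sign appends a signature document to an unsigned pipeline body (step 4).
func Sign(body string, key []byte) string {
	if !strings.HasSuffix(body, "\n") {
		body += "\n"
	}
	return body + sigMarker[1:] + computeMAC(body, key) + "\n"
}

// Verify checks the trailing signature against the body (step 2). Any edit
// to the body, even whitespace, makes this fail because the MAC covers the
// raw bytes.
func Verify(doc string, key []byte) bool {
	body, mac, ok := splitSigned(doc)
	if !ok {
		return false
	}
	return hmac.Equal([]byte(computeMAC(body, key)), []byte(mac))
}

// ReSign runs the whole flow: refuse unsigned or tampered input, apply the
// extension's modification (step 3), then sign the new body.
func ReSign(doc string, key []byte, modify func(body string) string) (string, error) {
	if !IsSigned(doc) {
		return "", errors.New("document is not signed")
	}
	if !Verify(doc, key) {
		return "", errors.New("signature does not match document")
	}
	body, _, _ := splitSigned(doc)
	return Sign(modify(body), key), nil
}

func main() {
	key := []byte("repo-signing-secret") // constructed stand-in for the repo key
	signed := Sign(samplePipeline, key)
	fmt.Println("freshly signed verifies:", Verify(signed, key))

	// The extension's edit: inject a per-run secret into the build step.
	inject := func(body string) string {
		return strings.Replace(body, "  image: golang\n",
			"  image: golang\n  environment:\n    RUN_TOKEN: run-12345\n", 1)
	}

	// Editing the body while leaving the old signature in place: verification fails.
	stale := inject(signed)
	fmt.Println("edited, old signature kept:", Verify(stale, key))

	// Verify, modify, re-sign in the extension: verification passes again.
	resigned, err := ReSign(signed, key, inject)
	fmt.Println("verify-modify-resign:", err == nil && Verify(resigned, key))
}
```

The re-signed output verifies only because the extension holds the same key the original signer used; in this model anyone holding that key can produce a valid signature for any body, so the example demonstrates the mechanics of the flow, not that the result carries the same assurance as a signature made before the extension ran.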