TURBO_REMOTE_CACHE_SIGNATURE_KEY
Turborepo can sign artifacts with a secret key before uploading them to the Remote Cache
Motivation
Please outline the motivation for the proposal.
Turborepo uses HMAC-SHA256 signatures on artifacts using a secret key you provide. Turborepo will verify the Remote Cache artifacts' integrity and authenticity when they're downloaded. Any artifacts that fail to verify will be ignored and treated as a cache miss by Turborepo.
To enable this feature, set the remoteCache options on your turbo.json config to include signature: true. Then specify your secret key by declaring the TURBO_REMOTE_CACHE_SIGNATURE_KEY environment variable.
Example
To utilize the TURBO_REMOTE_CACHE_SIGNATURE_KEY which will increase the security of the remote cache, the project config will need to be updated to include the following:
Hi all, I am happy to pick this up and get this feature over the line. I think it's important we keep aligned with upstream, specifically around security.
Read more: https://turbo.build/repo/docs/core-concepts/remote-caching#artifact-integrity-and-authenticity-verification
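The sign-on-upload, verify-on-download flow described in the proposal, as an added example that is not part of the original issue and not Turborepo's own code. The function names, the choice to bind the artifact hash into the MAC, and the base64 tag encoding are assumptions of this sketch, not Turborepo's documented wire format.

```javascript
// Added example: HMAC-SHA256 signing and verification of a cached artifact.
// Tag layout and helper names are assumptions, not Turborepo's format.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Read the secret from the environment variable named in the proposal.
function loadKey(env = process.env) {
  const key = env.TURBO_REMOTE_CACHE_SIGNATURE_KEY;
  if (!key) throw new Error("TURBO_REMOTE_CACHE_SIGNATURE_KEY is not set");
  return Buffer.from(key, "utf8");
}

// MAC over the length-prefixed artifact hash plus the body, so a validly
// signed body cannot be served under a different cache key.
function signArtifact(key, artifactHash, body) {
  const hashBytes = Buffer.from(artifactHash, "utf8");
  const len = Buffer.alloc(4);
  len.writeUInt32BE(hashBytes.length);
  return createHmac("sha256", key)
    .update(len)
    .update(hashBytes)
    .update(body)
    .digest("base64");
}

// Returns the body when the tag verifies; returns null otherwise, which the
// caller treats as a cache miss and rebuilds instead of trusting the bytes.
function verifyArtifact(key, artifactHash, body, tag) {
  if (typeof tag !== "string") return null; // unsigned artifact
  const expected = Buffer.from(signArtifact(key, artifactHash, body), "base64");
  const received = Buffer.from(tag, "base64");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return null;
  return timingSafeEqual(received, expected) ? body : null;
}

// Constructed sample data (not real keys, hashes or artifacts).
const demoKey = loadKey({ TURBO_REMOTE_CACHE_SIGNATURE_KEY: "constructed-demo-key" });
const demoHash = "0123abcd";
const demoBody = Buffer.from("constructed artifact bytes");
const demoTag = signArtifact(demoKey, demoHash, demoBody);

const tampered = Buffer.from("constructed artifact bytez");
console.log("genuine :", verifyArtifact(demoKey, demoHash, demoBody, demoTag) !== null);
console.log("tampered:", verifyArtifact(demoKey, demoHash, tampered, demoTag) !== null);
console.log("unsigned:", verifyArtifact(demoKey, demoHash, demoBody, undefined) !== null);
```

The comparison uses `timingSafeEqual` rather than `===` so that verification time does not depend on how many leading bytes of a forged tag happen to match.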