TURBO_REMOTE_CACHE_SIGNATURE_KEY
Turborepo can sign artifacts with a secret key before uploading them to the Remote Cache
Motivation
Please outline the motivation for the proposal.
Turborepo uses HMAC-SHA256 signatures on artifacts using a secret key you provide. Turborepo will verify the Remote Cache artifacts' integrity and authenticity when they're downloaded. Any artifacts that fail to verify will be ignored and treated as a cache miss by Turborepo.
To enable this feature, set the remoteCache options on your turbo.json config to include signature: true. Then specify your secret key by declaring the TURBO_REMOTE_CACHE_SIGNATURE_KEY environment variable.
Example
To utilize the TURBO_REMOTE_CACHE_SIGNATURE_KEY which will increase the security of the remote cache, the project config will need to be updated to include the following:
🚀 Feature Proposal
TURBO_REMOTE_CACHE_SIGNATURE_KEYTurborepo can sign artifacts with a secret key before uploading them to the Remote Cache
Motivation
Please outline the motivation for the proposal.
Turborepo uses
HMAC-SHA256signatures on artifacts using a secret key you provide. Turborepo will verify the Remote Cache artifacts' integrity and authenticity when they're downloaded. Any artifacts that fail to verify will be ignored and treated as a cache miss by Turborepo.To enable this feature, set the remoteCache options on your turbo.json config to include signature: true. Then specify your secret key by declaring the TURBO_REMOTE_CACHE_SIGNATURE_KEY environment variable.
Example
To utilize the
TURBO_REMOTE_CACHE_SIGNATURE_KEYwhich will increase the security of the remote cache, the project config will need to be updated to include the following:read more https://turbo.build/repo/docs/core-concepts/remote-caching#artifact-integrity-and-authenticity-verification