Add support for OPA bundle signatures
These changes add support for digital signatures for policy bundles which
can be used to verify their authenticity.

Bundle signature verification involves the following steps:

* Verify the JWT signature
* Verify the files in the JWT payload exist in the bundle
* Verify the file content of the files in the bundle matches that in the payload

This commit adds a new `sign` command to generate a digital signature for policy bundles.

For more details, run "opa sign --help"

The signatures generated by the 'sign' command can be verified by the
'build' command. The 'build' command can also sign the bundle it generates.

The 'run' command can verify a signed bundle or skip verification altogether.

OPA 'sign', 'build' and 'run' can be used to
sign/verify bundles in bundle mode (--bundle) only. Verification
can also be performed when bundle downloading is enabled.

Fixes: #1757

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
ashutosh-narkar authored and tsandall committed Jul 14, 2020
1 parent d22fa41 commit 338583c
Showing 91 changed files with 4,236 additions and 304 deletions.
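
The three verification steps listed in the commit message, together with the changelog's point that the signature dictates which files belong in the bundle, as an added Go example; it is not code from this commit or from OPA. The payload layout, the pinned HS256 algorithm, the key and the names `VerifyBundle` and `hs256` are assumptions made for illustration, and the sample bundle is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// hs256 returns the base64url HMAC-SHA256 of msg, i.e. a JWT HS256 signature.
func hs256(key []byte, msg string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return b64.EncodeToString(h.Sum(nil))
}

// VerifyBundle checks an in-memory bundle (file name -> content) against a signed token.
func VerifyBundle(token string, key []byte, bundle map[string][]byte) error {
	parts := strings.Split(token, ".")
	// Step 1: verify the JWT signature. HS256 is pinned; the header's "alg" is never consulted.
	if len(parts) != 3 || !hmac.Equal([]byte(parts[2]), []byte(hs256(key, parts[0]+"."+parts[1]))) {
		return fmt.Errorf("invalid JWT signature")
	}
	var p struct{ Files []struct{ Name, Hash string } } // assumed layout: {"files":[{"name","hash"}]}
	if json.NewDecoder(base64.NewDecoder(b64, strings.NewReader(parts[1]))).Decode(&p) != nil {
		return fmt.Errorf("malformed JWT payload")
	}
	seen := map[string]bool{}
	for _, f := range p.Files {
		data, ok := bundle[f.Name] // Step 2: the listed file must exist in the bundle
		if !ok || fmt.Sprintf("%x", sha256.Sum256(data)) != f.Hash { // Step 3: content must match
			return fmt.Errorf("%s: missing from bundle or hash mismatch", f.Name)
		}
		seen[f.Name] = true
	}
	if len(seen) != len(bundle) { // a file the signer never listed was added to the bundle
		return fmt.Errorf("bundle contains unsigned files")
	}
	return nil
}

func main() { // constructed sample: one policy file, a demo key, a token signed over its hash
	key, rego := []byte("constructed-demo-key"), []byte("package demo\n")
	claims := fmt.Sprintf(`{"files":[{"name":"demo.rego","hash":"%x"}]}`, sha256.Sum256(rego))
	msg := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString([]byte(claims))
	fmt.Println(VerifyBundle(msg+"."+hs256(key, msg), key, map[string][]byte{"demo.rego": rego}))
}
```

The bundle map here excludes the signature file itself, and the order of the checks matters: nothing in the payload is parsed or trusted until the signature over it has verified.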
13 changes: 13 additions & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,19 @@ project adheres to [Semantic Versioning](http://semver.org/).

## Unreleased

### Features

#### Bundle Signing

OPA now support digital signatures for policy bundles. Specifically, a signed bundle is a normal OPA bundle that
includes a file named ".signatures.json" that dictates which files should be included in the bundle, what their SHA
hashes are, and of course is cryptographically secure. When OPA receives a new bundle, it checks that it has been
properly signed using a (public) key that OPA has been configured with out-of-band. Only if that verification succeeds
does OPA activate the new bundle; otherwise, OPA continues using its existing bundle and reports an activation
failure via the status API and error logging. For more information see https://openpolicyagent.org/docs/latest/management/#signing.
Thanks to @ashish246 who co-designed the feature and provided valuable input to the development process with his
proof-of-concept [#1757](https://github.com/open-policy-agent/opa/issues/1757).

## 0.21.1

This release fixes [#2497](https://github.com/open-policy-agent/opa/issues/2497) where the comprehension indexing optimization produced incorrect results for nested comprehensions that close over variables in the outer scope. This issue only affects policies containing nested comprehensions that are recognized by the indexer (which is a relatively small percentage).
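Review bot: In the new "Bundle Signing" entry, the phrase "and of course is cryptographically secure" does not tell the reader what actually protects the file list. The commit message says verification starts with a JWT signature check, so the entry could say that ".signatures.json" carries a signed JWT whose payload lists the files and their hashes, and name the hash algorithm instead of "SHA hashes". The entry also omits the operator-facing changes the commit message describes: the new `sign` command, signing and verification in `build`, and the fact that `run` can skip verification altogether; the last one deserves a line because it determines whether an unsigned bundle can still be activated. Minor: "OPA now support" should read "OPA now supports".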