- you have CircleCI running automation which deploys code
- you use Git and sign your commits or tags with GPG
- an attacker compromises your Git repo, commits malicious code, and CircleCI automatically deploys it. Thanks!
Signing Git commits is really great but not much good if they can’t be verified. Of course one could add a verification step in circle.yml, but an attacker could simply remove that step.
Ideally, CircleCI would allow a project or organization to be configured with a keyring of authorized users. It could further be configured to refuse some or all builds if commits or tags are not signed by an authorized user. Obviously an unauthorized user should not be able to change this configuration with a Git commit. Ideally it should also be possible to require strong authentication (like MFA) to change these configurations.
Of course one would now be trusting CircleCI, but in this scenario you are already doing that. But with this feature you would be able to eliminate Git from the number of things which could be trivially compromised in order to deploy arbitrary code, which is an improvement.