TURBO_REMOTE_CACHE_SIGNATURE_KEY support #394
Labels
enhancement
New feature or request
Comments
|
Hi all, I am happy to pick this up and get this feature over the line. I think it's important we keep aligned with upstream, specifically around security |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
🚀 Feature Proposal
TURBO_REMOTE_CACHE_SIGNATURE_KEYTurborepo can sign artifacts with a secret key before uploading them to the Remote Cache
Motivation
Please outline the motivation for the proposal.
Turborepo uses
HMAC-SHA256signatures on artifacts using a secret key you provide. Turborepo will verify the Remote Cache artifacts' integrity and authenticity when they're downloaded. Any artifacts that fail to verify will be ignored and treated as a cache miss by Turborepo.To enable this feature, set the remoteCache options on your turbo.json config to include signature: true. Then specify your secret key by declaring the TURBO_REMOTE_CACHE_SIGNATURE_KEY environment variable.
Example
To utilize the
TURBO_REMOTE_CACHE_SIGNATURE_KEYwhich will increase the security of the remote cache, the project config will need to be updated to include the following:{ "remoteCache": { "signature": true } }read more
https://turbo.build/repo/docs/core-concepts/remote-caching#artifact-integrity-and-authenticity-verification
The text was updated successfully, but these errors were encountered: