From 6ee2eeb71dab6f924db6208ce990a05b7ee4a2a2 Mon Sep 17 00:00:00 2001 From: Ivanna Lisetska Date: Fri, 6 Sep 2024 15:56:16 -0600 Subject: [PATCH 1/4] Update docs with verification-failure-behavior --- pages/agent/v3/signed_pipelines.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pages/agent/v3/signed_pipelines.md b/pages/agent/v3/signed_pipelines.md index 689af656aa..c32949cecc 100644 --- a/pages/agent/v3/signed_pipelines.md +++ b/pages/agent/v3/signed_pipelines.md @@ -102,6 +102,14 @@ verification-jwks-file= This ensures that whenever those agents upload steps to Buildkite, they'll generate signatures using the private key you generated earlier. It also ensures that those agents verify the signatures of any steps they run, using the public key. +```ini +verification-failure-behavior= +``` + +This setting determines the BuildKite agent’s response when it receives a job without a proper signature. It specifies how strictly the agent should enforce signature verification for incoming jobs. The agent will warn about the missing signature but will still proceed with executing the job. If not explicitly specified, the default behavior is `block`, which will prevent any job without a signature from running, ensuring a secure pipeline environment by default. + + + On instances that verify jobs, add: ```ini From 3d0db32a91a2b1b58919a282c5ed5fe662774d40 Mon Sep 17 00:00:00 2001 From: ivannalisetska <155262606+ivannalisetska@users.noreply.github.com> Date: Mon, 9 Sep 2024 16:16:08 -0600 Subject: [PATCH 2/4] Update pages/agent/v3/signed_pipelines.md Co-authored-by: Josh Deprez --- pages/agent/v3/signed_pipelines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/agent/v3/signed_pipelines.md b/pages/agent/v3/signed_pipelines.md index c32949cecc..dd39302bf5 100644 --- a/pages/agent/v3/signed_pipelines.md +++ b/pages/agent/v3/signed_pipelines.md 
@@ -106,7 +106,7 @@ This ensures that whenever those agents upload steps to Buildkite, they'll gener verification-failure-behavior= ``` -This setting determines the BuildKite agent’s response when it receives a job without a proper signature. It specifies how strictly the agent should enforce signature verification for incoming jobs. The agent will warn about the missing signature but will still proceed with executing the job. If not explicitly specified, the default behavior is `block`, which will prevent any job without a signature from running, ensuring a secure pipeline environment by default. +This setting determines the Buildkite agent’s response when it receives a job without a proper signature. It specifies how strictly the agent should enforce signature verification for incoming jobs. The agent will warn about the missing signature but will still proceed with executing the job. If not explicitly specified, the default behavior is `block`, which will prevent any job without a signature from running, ensuring a secure pipeline environment by default. From a5bfbf77c96a23437c1cc49223c34627b2b69595 Mon Sep 17 00:00:00 2001 From: Giles Gas Date: Wed, 11 Sep 2024 15:45:41 +1000 Subject: [PATCH 3/4] Update pages/agent/v3/signed_pipelines.md Co-authored-by: Josh Deprez --- pages/agent/v3/signed_pipelines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/agent/v3/signed_pipelines.md b/pages/agent/v3/signed_pipelines.md index dd39302bf5..9dc749559c 100644 --- a/pages/agent/v3/signed_pipelines.md +++ b/pages/agent/v3/signed_pipelines.md 
@@ -106,7 +106,7 @@ This ensures that whenever those agents upload steps to Buildkite, they'll gener verification-failure-behavior= ``` -This setting determines the Buildkite agent’s response when it receives a job without a proper signature. It specifies how strictly the agent should enforce signature verification for incoming jobs. The agent will warn about the missing signature but will still proceed with executing the job. If not explicitly specified, the default behavior is `block`, which will prevent any job without a signature from running, ensuring a secure pipeline environment by default. +This setting determines the Buildkite agent’s response when it receives a job without a proper signature. It specifies how strictly the agent should enforce signature verification for incoming jobs. The agent will warn about missing or invalid signatures, but will still proceed with executing the job. If not explicitly specified, the default behavior is `block`, which will prevent any job without a valid signature from running, ensuring a secure pipeline environment by default. From 97d1e8ddd0de364a68928353425a3a5d4b12642a Mon Sep 17 00:00:00 2001 From: Giles Gas Date: Thu, 12 Sep 2024 09:07:27 +1000 Subject: [PATCH 4/4] Update pages/agent/v3/signed_pipelines.md --- pages/agent/v3/signed_pipelines.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pages/agent/v3/signed_pipelines.md b/pages/agent/v3/signed_pipelines.md index 9dc749559c..013155a01f 100644 --- a/pages/agent/v3/signed_pipelines.md +++ b/pages/agent/v3/signed_pipelines.md 
@@ -106,9 +106,7 @@ This ensures that whenever those agents upload steps to Buildkite, they'll gener verification-failure-behavior= ``` -This setting determines the Buildkite agent’s response when it receives a job without a proper signature. It specifies how strictly the agent should enforce signature verification for incoming jobs. The agent will warn about missing or invalid signatures, but will still proceed with executing the job. If not explicitly specified, the default behavior is `block`, which will prevent any job without a valid signature from running, ensuring a secure pipeline environment by default. - - +This setting determines the Buildkite agent's response when it receives a job without a proper signature, and also specifies how strictly the agent should enforce signature verification for incoming jobs. The agent will warn about missing or invalid signatures, but will still proceed to execute the job. If not explicitly specified, the default behavior is `block`, which prevents any job without a valid signature from running, ensuring a secure pipeline environment by default. On instances that verify jobs, add:
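Review bot: In [PATCH 1/4], the third sentence of the added paragraph ("The agent will warn about the missing signature but will still proceed with executing the job") never names the value of `verification-failure-behavior` that selects this behaviour. As written it reads as unconditional and contradicts the next sentence, which says the default `block` prevents the job from running. Suggest opening that sentence with the condition, in the same form the default is given ("If set to ..., the agent warns ... but still runs the job"), and listing the accepted values next to the ini block. The three blank `+` lines at the end of the hunk can be reduced to one.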
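Review bot: In [PATCH 3/4], the first sentence of the paragraph still says "a job without a proper signature", while the sentences changed here now say "missing or invalid signatures" and "without a valid signature". Three terms for the same condition leave it unclear whether "proper" means something different from "valid". Suggest one wording throughout, for example "a job whose signature is missing or invalid".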
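Review bot: In [PATCH 4/4], the rewritten first sentence joins two statements with "and also" ("determines the Buildkite agent's response ... and also specifies how strictly the agent should enforce signature verification"), which suggests two separate functions where the text describes one. Suggest keeping a single clause. Two further points on the final text: the paragraph should say plainly that in the warn-and-proceed mode a job whose signature is missing or invalid still executes, so that mode logs failures but does not enforce verification. And since the block sits before "On instances that verify jobs, add:", state whether verify-only agents take this setting as well.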