We’re signing our drone files in a few repos to see how this feature works for us. It’s a great feature and really easy to use! However, we think we found an issue coming from our particular use of Drone.
We have an extension that runs and manipulates the drone file. When this happens, I imagine, the drone file is no longer valid. This is what we think we’re observing. Every pipeline run needs to be re-approved manually. That’s not our desired behavior.
Does pipeline signature verification happen after our extensions? Can we validate that file in the extension ourselves, then re-sign it, and would that solve the problem? I’m thinking that won’t solve it because we’re injecting secrets into the pipeline and these secrets are unique per pipeline run.