github.com/argoproj/argo-cd@v1.8.7/docs/user-guide/gpg-verification.md (about) 1 # GnuPG signature verification 2 3 ## Overview 4 5 As of v1.7 it is possible to configure ArgoCD to only sync against commits 6 that are signed in Git using GnuPG. Signature verification is configured on 7 project level. 8 9 If a project is configured to enforce signature verification, all applications 10 associated with this project must have the commits in the source repositories 11 signed with a GnuPG public key known to ArgoCD. ArgoCD will refuse to sync to 12 any revision that does not have a valid signature made by one of the configured 13 keys. The controller will emit a `ResourceComparison` error if it tries to sync 14 to a revision that is either not signed, or is signed by an unknown or not 15 allowed public key. 16 17 By default, signature verification is enabled but not enforced. If you wish to 18 completely disable the GnuPG functionality in ArgoCD, you have to set the 19 environment variable `ARGOCD_GPG_ENABLED` to `"false"` in the pod templates of 20 the `argocd-server`, `argocd-repo-server` and `argocd-application-controller` 21 deployment manifests. 22 23 Verification of GnuPG signatures is only supported with Git repositories. It is 24 not possible using Helm repositories. 25 26 !!!note "A few words about trust" 27 ArgoCD uses a very simple trust model for the keys you import: Once the key 28 is imported, ArgoCD will trust it. ArgoCD does not support more complex 29 trust models, and it is not necessary (nor possible) to sign the public keys 30 you are going to import into ArgoCD. 31 32 ## Signature verification targets 33 34 If signature verification is enforced, ArgoCD will verify the signature using 35 following strategy: 36 37 * If `target revision` is a pointer to a commit object (i.e. a branch name, the 38 name of a reference such as `HEAD` or a commit SHA), ArgoCD will perform the 39 signature verification on the commit object the name points to, i.e. a commit. 40 41 * If `target revision` resolves to a tag and the tag is a lightweight tag, the 42 behaviour is same as if `target revision` would be a pointer to a commit 43 object. However, if the tag is annotated, the target revision will point to 44 a *tag* object and thus, the signature verification is performed on the tag 45 object, i.e. the tag itself must be signed (using `git tag -s`). 46 47 ## Enforcing signature verification 48 49 To configure enforcing of signature verification, the following steps must be 50 performed: 51 52 * Import the GnuPG public key(s) used for signing commits in ArgoCD 53 * Configure a project to enforce signature verification for given keys 54 55 Once you have configured one or more keys to be required for verification for 56 a given project, enforcement is active for all applications associated with 57 this project. 58 59 !!!warning 60 If signature verification is enforced, you will not be able to sync from 61 local sources (i.e. `argocd app sync --local`) anymore. 62 63 ## Importing GnuPG public keys 64 65 You can configure the GnuPG public keys that ArgoCD will use for verification 66 of commit signatures using either the CLI, the web UI or configuring it using 67 declarative setup. 68 69 !!!note 70 After you have imported a GnuPG key, it may take a while until the key is 71 propagated within the cluster, even if listed as configured. If you still 72 cannot sync to commits signed by the already imported key, please see the 73 troubleshooting section below. 74 75 Users wanting to manage the GnuPG public key configuration require the RBAC 76 permissions for `gpgkeys` resources. 77 78 ### Manage public keys using the CLI 79 80 To configure GnuPG public keys using the CLI, use the `argocd gpg` command. 81 82 #### Listing all configured keys 83 84 To list all configured keys known to ArgoCD, use the `argocd gpg list` 85 sub-command: 86 87 ```bash 88 argocd gpg list 89 ``` 90 91 #### Show information about a certain key 92 93 To get information about a specific key, use the `argocd gpg get` sub-command: 94 95 ```bash 96 argocd gpg get <key-id> 97 ``` 98 99 #### Importing a key 100 101 To import a new key to ArgoCD, use the `argocd gpg add` sub-command: 102 103 ```bash 104 argocd gpg add --from <path-to-key> 105 ``` 106 107 The key to be imported can be either in binary or ASCII-armored format. 108 109 #### Removing a key from configuration 110 111 To remove a previously configured key from the configuration, use the 112 `argocd gpg rm` sub-command: 113 114 ```bash 115 argocd gpg rm <key-id> 116 ``` 117 118 ### Manage public keys using the Web UI 119 120 Basic key management functionality for listing, importing and removing GnuPG 121 public keys is implemented in the Web UI. You can find the configuration 122 module from the **Settings** page in the **GnuPG keys** module. 123 124 Please note that when you configure keys using the Web UI, the key must be 125 imported in ASCII armored format for now. 126 127 ### Manage public keys in declarative setup 128 129 ArgoCD stores public keys internally in the `argocd-gpg-keys-cm` ConfigMap 130 resource, with the public GnuPG key's ID as its name and the ASCII armored 131 key data as string value, i.e. the entry for the GitHub's web-flow signing 132 key would look like follows: 133 134 ```yaml 135 4AEE18F83AFDEB23: | 136 -----BEGIN PGP PUBLIC KEY BLOCK----- 137 138 mQENBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta 139 x15OklctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrT 140 SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ 141 7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa 142 buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v 143 yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAG0NUdpdEh1YiAod2ViLWZs 144 b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+iQEiBBMBCAAW 145 BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEH/iATWFmi2oxlBh3wAsySNCNV4IPf 146 DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6 147 9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws 148 +8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5 149 4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O 150 j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48= 151 =Bvzs 152 -----END PGP PUBLIC KEY BLOCK----- 153 ``` 154 155 ## Configuring a project to enforce signature verification 156 157 Once you have imported the GnuPG keys to ArgoCD, you must now configure the 158 project to enforce the verification of commit signatures with the imported 159 keys. 160 161 ### Configuring using the CLI 162 163 #### Adding a key ID to list of allowed keys 164 165 To add a key ID to the list of allowed GnuPG keys for a project, you can use 166 the `argocd proj add-signature-key` command, i.e. the following command would 167 add the key ID `4AEE18F83AFDEB23` to the project named `myproj`: 168 169 ```bash 170 argocd proj add-signature-key myproj 4AEE18F83AFDEB23 171 ``` 172 173 #### Removing a key ID from the list of allowed keys 174 175 Similarily, you can remove a key ID from the list of allowed GnuPG keys for a 176 project using the `argocd proj remove-signature-key` command, i.e. to remove 177 the key added above from project `myproj`, use the command: 178 179 ```bash 180 argocd proj remove-signature-key myproj 4AEE18F83AFDEB23 181 ``` 182 183 #### Showing allowed key IDs for a project 184 185 To see which key IDs are allowed for a given project, you can inspect the 186 output of the `argocd proj get` command, i.e for a project named `gpg`: 187 188 ```bash 189 $ argocd proj get gpg 190 Name: gpg 191 Description: GnuPG verification 192 Destinations: *,* 193 Repositories: * 194 Allowed Cluster Resources: */* 195 Denied Namespaced Resources: <none> 196 Signature keys: 4AEE18F83AFDEB23, 07E34825A909B250 197 Orphaned Resources: disabled 198 ``` 199 200 #### Override list of key IDs 201 202 You can also explicitly set the currently allowed keys with one or more new keys 203 using the `argocd proj set` command in combination with the `--signature-keys` 204 flag, which you can use to specify a comma separated list of allowed key IDs: 205 206 ```bash 207 argocd proj set myproj --signature-keys 4AEE18F83AFDEB23,07E34825A909B250 208 ``` 209 210 The `--signature-keys` flag can also be used on project creation, i.e. the 211 `argocd proj create` command. 212 213 ### Configure using the Web UI 214 215 You can configure the GnuPG key IDs required for signature verification using 216 the web UI, in the Project configuration. Navigate to the **Settings** page 217 and select the **Projects** module, then click on the project you want to 218 configure. 219 220 From the project's details page, click **Edit** and find the 221 **Required signature keys** section, where you can add or remove the key IDs 222 for signature verification. After you have modified your project, click 223 **Update** to save the changes. 224 225 ### Configure using declarative setup 226 227 You can specify the key IDs required for signature verification in the project 228 manifest within the `signatureKeys` section, i.e: 229 230 ```yaml 231 apiVersion: argoproj.io/v1alpha1 232 kind: AppProject 233 metadata: 234 name: gpg 235 namespace: argocd 236 spec: 237 clusterResourceWhitelist: 238 - group: '*' 239 kind: '*' 240 description: GnuPG verification 241 destinations: 242 - namespace: '*' 243 server: '*' 244 namespaceResourceWhitelist: 245 - group: '*' 246 kind: '*' 247 signatureKeys: 248 - keyID: 4AEE18F83AFDEB23 249 sourceRepos: 250 - '*' 251 ``` 252 253 `signatureKeys` is an array of `SignatureKey` objects, whose only property is 254 `keyID` at the moment. 255 256 ## Troubleshooting 257 258 ### Disabling the feature 259 260 The GnuPG feature can be completely disabled if desired. In order to disable it, 261 set the environment variable `ARGOCD_GPG_ENABLED` to `false` for the pod 262 templates of the `argocd-server`, `argocd-repo-server` and 263 `argocd-application-controller` deployments. 264 265 After the pods have been restarted, the GnuPG feature is disabled. 266 267 ### GnuPG key ring 268 269 The GnuPG key ring used for signature verification is maintained within the 270 pods of `argocd-repo-server`. The keys in the keyring are synchronized to the 271 configuration stored in the `argocd-gpg-keys-cm` ConfigMap resource, which is 272 volume-mounted to the `argocd-repo-server` pods. 273 274 !!!note 275 The GnuPG key ring in the pods is transient and gets recreated from the 276 configuration on each restart of the pods. You should never add or remove 277 keys manually to the key ring, because your changes will be lost. Also, 278 any of the private keys found in the key ring are transient and will be 279 regenerated upon each restart. The private key is only used to build the 280 trust DB for the running pod. 281 282 To check whether the keys are actually in sync, you can `kubectl exec` into the 283 repository server's pods and inspect the key ring, which is located at path 284 `/app/config/gpg/keys` 285 286 ```bash 287 $ kubectl exec -it argocd-repo-server-7d6bdfdf6d-hzqkg bash 288 argocd@argocd-repo-server-7d6bdfdf6d-hzqkg:~$ GNUPGHOME=/app/config/gpg/keys gpg --list-keys 289 /app/config/gpg/keys/pubring.kbx 290 -------------------------------- 291 pub rsa2048 2020-06-15 [SC] [expires: 2020-12-12] 292 D48F075D818A813C436914BC9324F0D2144753B1 293 uid [ultimate] Anon Ymous (ArgoCD key signing key) <noreply@argoproj.io> 294 295 pub rsa2048 2017-08-16 [SC] 296 5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23 297 uid [ultimate] GitHub (web-flow commit signing) <noreply@github.com> 298 299 argocd@argocd-repo-server-7d6bdfdf6d-hzqkg:~$ 300 ``` 301 302 If the key ring stays out of sync with your configuration after you have added 303 or removed keys for a longer period of time, you might want to restart your 304 `argocd-repo-server` pods. If such a problem persists, please consider raising 305 a bug report.