feat: sign OTP build index files alongside builds.txt#264
Open
mvanhorn wants to merge 1 commit into
Open
Conversation
Adds optional SHA-512 signing of builds.txt via BOB_BUILDS_SIGN_KEY (path to a PEM private key). When set, generate_builds_txt/2 uploads a base64-encoded signature as a builds.txt.signed sibling with identical cache-control and surrogate-key metadata; Fastly purge keys cover both files atomically. Fixes hexpm#237
ericmj
reviewed
Jun 16, 2026
| try do | ||
| File.write!(tmp, content) | ||
|
|
||
| case System.cmd("openssl", ["dgst", "-sha512", "-sign", pem_path, tmp], |
Member
There was a problem hiding this comment.
Could we use :public_key.sign/3 instead?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds optional SHA-512 signing of OTP build index files. When
BOB_BUILDS_SIGN_KEYis set to a PEM private key path,generate_builds_txt/2uploads a base64-encodedbuilds.txt.signedsibling to S3 alongside the existingbuilds.txt, using identical cache-control and surrogate-key metadata. Fastly purge keys are extended to cover both files atomically. When the env var is absent the behavior is unchanged.Why this matters
erlef/setup-beamdownloads OTP builds from builds.hex.pm and currently has no way to verify the authenticity of the build index (see #237). Signing with a server-held private key lets consumers verify the index using the corresponding public key, adding a supply-chain integrity layer without changing any existing upload paths or requiring consumer changes to the download flow.Changes
config/runtime.exs- readsBOB_BUILDS_SIGN_KEY(optional, nil when absent)lib/bob/store.ex- addssign_content/2: shells toopenssl dgst -sha512 -signand returns a base64-encoded signature, ornilwhen no key is configuredlib/bob/artifacts.ex-generate_builds_txt/2signs content and uploadsbuilds.txt.signedwhen a key is present;surrogate_keys/2andpurge_keys/3include the.signedpath so Fastly invalidations are atomictest/bob/store_test.exs- tests for nil key passthrough, base64 output, and openssl round-trip verificationtest/bob/artifacts_test.exs- tests for no-signed-upload without key, and signed upload with key stubbed in FakeHttpClientFixes #237