How can I sign Starlark or Jsonnet configs?

I need to sign a .drone.jsonnet configuration file, and potentially a Starlark config also (we are currently using both, although might standardize on the former). How can I do this? When I tried, it looked as if the server tried to interpret the Jsonnet code as YAML, and failed to parse.

Update: I also tried the following:

  1. Convert Jsonnet to YAML
  2. Sign YAML
  3. Put signature in Jsonnet code

That approach doesn’t work either, the server doesn’t accept the signature.

the system does not currently support signing non-yaml files

OK thanks for clarifying that. Can we expect this to be implemented anytime soon, or might it eventually be something we could provide a patch for ourselves?

For non-yaml files this would need to be handled differently. We would need to store the signature in a separate file. For example, if you had a drone.jsonnet file we would store the signature in separate a drone.jsonnet.sig file. This is not something that is on our current roadmap, but we can send this over to our product team for consideration and prioritization.

1 Like

If you could try to prioritize and implement this, it would be fantastic. We plan to use Jsonnet heavily at Grafana Labs to configure Drone and we might need signing, so this would be very helpful to us.