---
date: 2000-01-01 00:00:00 +0000
description: Sign your configuration file to prevent tampering.
---

You can optionally sign your configuration file to verify authenticity and prevent tampering. This is useful if your repository is public and you need to prevent unauthorized changes to your configuration file from third-party pull requests.

If a user modifies the configuration and signature verification fails, the pipeline is blocked pending manual approval by an authorized user with write or administrative access to the repository.

Please note that only YAML files can be signed and verified. The system cannot sign and verify Starlark or Jsonnet files.

# Enforcing Signatures

To enforce signature verification you need to enable Protected mode for your repository. Navigate to your repository Settings screen and check the Protected checkbox. Without Protected mode, a missing or invalid signature is not enforced.

# Storing Signatures

Signatures are stored in the YAML configuration file as a signature resource, a separate YAML document alongside your pipeline resources. The signature resource provides an HMAC signature of your configuration.

{{< highlight text "linenos=table,hl_lines=14-16" >}}
kind: pipeline
type: docker
name: default

steps:
- name: build
  image: golang
  commands:
  - go build
  - go test

---
kind: signature
hmac: F10E2821BBBEA527EA02200352313BC059445190

...
{{< / highlight >}}

# Calculating Signatures

The contents of each YAML resource, excluding any existing signature resources, are signed using a 256-bit secret key. The secret key is unique per repository and never leaves the Drone server, so a signature cannot be recomputed by anyone who only has access to the repository contents.
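The following Go program is an added illustration of the signing and verification scheme described above and of the signature resource layout shown under Storing Signatures; it is not Drone's own code. It assumes HMAC-SHA256 over the non-signature documents, an upper-case hex encoding, and a simple "---" document split; Drone's real implementation may serialize the documents differently. The pipeline and the 32-byte key are constructed sample values standing in for a repository's file and the per-repository server secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// SampleConfig is constructed sample input, not a real repository's file.
const SampleConfig = `kind: pipeline
type: docker
name: default

steps:
- name: build
  image: golang
  commands:
  - go build
  - go test
`

// splitDocuments splits a multi-document YAML file on "---" separator lines
// and drops "..." end markers, without pulling in a YAML library.
func splitDocuments(config string) []string {
	var docs, current []string
	flush := func() {
		if doc := strings.TrimSpace(strings.Join(current, "\n")); doc != "" {
			docs = append(docs, doc)
		}
		current = nil
	}
	for _, line := range strings.Split(config, "\n") {
		if t := strings.TrimSpace(line); t == "---" || t == "..." {
			flush()
			continue
		}
		current = append(current, line)
	}
	flush()
	return docs
}

// value returns the scalar of a top-level "key: value" line, or "" if absent.
func value(doc, key string) string {
	for _, line := range strings.Split(doc, "\n") {
		if strings.HasPrefix(line, key+":") {
			return strings.TrimSpace(strings.TrimPrefix(line, key+":"))
		}
	}
	return ""
}

// Sign computes an upper-case hex HMAC-SHA256 over every document that is
// not a signature resource, re-joined with "---" so document boundaries are
// part of the signed content. Because signature resources are skipped,
// signing an already-signed file yields the same value as signing the bare file.
func Sign(config string, key []byte) string {
	var signed []string
	for _, doc := range splitDocuments(config) {
		if value(doc, "kind") != "signature" {
			signed = append(signed, doc)
		}
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.Join(signed, "\n---\n")))
	return strings.ToUpper(hex.EncodeToString(mac.Sum(nil)))
}

// Verify reads the hmac from the signature resource and compares it with a
// freshly computed one in constant time. A file with no signature resource,
// or with a signature over different content, fails verification.
func Verify(config string, key []byte) bool {
	var stored string
	for _, doc := range splitDocuments(config) {
		if value(doc, "kind") == "signature" {
			stored = strings.ToUpper(value(doc, "hmac"))
		}
	}
	if stored == "" {
		return false
	}
	return hmac.Equal([]byte(stored), []byte(Sign(config, key)))
}

// WithSignature appends a signature resource, as "drone sign --save" does.
func WithSignature(config string, key []byte) string {
	return config + "\n---\nkind: signature\nhmac: " + Sign(config, key) + "\n\n...\n"
}

func main() {
	// Constructed 256-bit key standing in for the per-repository server secret.
	key := []byte("0123456789abcdef0123456789abcdef")
	signed := WithSignature(SampleConfig, key)
	fmt.Println("unchanged file verifies:", Verify(signed, key))

	// Any edit to a step invalidates the stored signature; Drone would then
	// hold the pipeline pending approval by an authorized user.
	edited := strings.Replace(signed, "go test", "go test ./...", 1)
	fmt.Println("edited file verifies:   ", Verify(edited, key))
}
```

The important properties are the ones the page relies on: the signature covers every resource except signature resources (so re-signing is idempotent), verification is a constant-time comparison against a value recomputed from the current file contents, and any change to a step after signing makes verification fail.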

# Creating Signatures

The signature is created using the Drone command line utility. This [command]({{< relref "/cli/" >}}) makes an authenticated request to the Drone server, posting your YAML configuration file, to calculate and return the HMAC signature.

Example command:

{{< highlight text >}}
$ drone sign octocat/hello-world --save
{{< / highlight >}}

Please note that you must re-generate the signature any time the configuration file is modified.