use new .drone.sig signature file

web/hook.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/gin-gonic/gin"
+	"github.com/square/go-jose"
 
 	log "github.com/Sirupsen/logrus"
 	"github.com/drone/drone/bus"
@@ -31,6 +32,9 @@ func init() {
 		droneYml = ".drone.yml"
 	}
 	droneSec = fmt.Sprintf("%s.sec", strings.TrimSuffix(droneYml, filepath.Ext(droneYml)))
+	if os.Getenv("CANARY") == "true" {
+		droneSec = fmt.Sprintf("%s.sig", strings.TrimSuffix(droneYml, filepath.Ext(droneYml)))
+	}
 }
 
 var skipRe = regexp.MustCompile(`\[(?i:ci *skip|skip *ci)\]`)
@@ -214,25 +218,33 @@ func PostHook(c *gin.Context) {
 	// enabled using with the environment variable CANARY=true
 
 	if os.Getenv("CANARY") == "true" {
+
+		var signed bool
+		var verified bool
+
+		signature, err := jose.ParseSigned(string(sec))
+		if err == nil && len(sec) != 0 {
+			signed = true
+			output, err := signature.Verify(repo.Hash)
+			if err == nil && string(output) == string(raw) {
+				verified = true
+			}
+		}
+
 		bus.Publish(c, bus.NewBuildEvent(bus.Enqueued, repo, build))
 		for _, job := range jobs {
 			queue.Publish(c, &queue.Work{
+				Signed:    signed,
+				Verified:  verified,
 				User:      user,
 				Repo:      repo,
 				Build:     build,
 				BuildLast: last,
 				Job:       job,
-				Keys:      key,
 				Netrc:     netrc,
 				Yaml:      string(raw),
-				YamlEnc:   string(sec),
 				Secrets:   secs,
-				System: &model.System{
-					Link:      httputil.GetURL(c.Request),
-					Plugins:   strings.Split(os.Getenv("PLUGIN_FILTER"), " "),
-					Globals:   strings.Split(os.Getenv("PLUGIN_PARAMS"), " "),
-					Escalates: strings.Split(os.Getenv("ESCALATE_FILTER"), " "),
-				},
+				System:    &model.System{Link: httputil.GetURL(c.Request)},
 			})
 		}
 		return // EXIT NOT TO AVOID THE 0.4 ENGINE CODE BELOW