During the signing process of a pipeline:

- A run key is generated for every run of the pipeline.
- During the run, all artifacts (pipeInfo.json) are signed with the private key. The private key is discarded at the end of the run.
- Metadata for the run that generated the artifact is stored as a tag for the artifact.
- During the verification stage, the public key is used to verify the signature.
For each run, files containing comprehensive metadata (*.json) and their corresponding signature files (*.json.sig) are uploaded to Artifactory. This provides a way to trace the entire path of a pipeline: any process that needs to verify an artifact can check its signature against the public key and, in addition, cross-reference the pipeInfo metadata.
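The per-run key lifecycle above (generate a key for the run, sign pipeInfo.json and attach run metadata as tags, discard the private key, verify later with the public key) as an added Go example. This is illustration code, not the pipeline product's own implementation: it uses Ed25519 from the Go standard library, the run ID and pipeInfo.json content are constructed sample values, and the `run.pubkey` tag that carries the public key alongside the artifact is an assumption made to keep the example self-contained.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// SignedArtifact bundles what gets uploaded for one artifact of a run:
// the metadata file bytes (the *.json), its detached signature (the *.json.sig),
// the run's public key, and the run metadata stored as artifact tags.
type SignedArtifact struct {
	Name      string            // e.g. "pipeInfo.json"
	Content   []byte            // the *.json bytes as uploaded
	Signature []byte            // detached signature, the *.json.sig
	PublicKey ed25519.PublicKey // run's public key, needed at verification time
	Tags      map[string]string // run metadata stored as tags on the artifact
}

// RunSigner holds the run key for exactly one pipeline run.
type RunSigner struct {
	runID string
	priv  ed25519.PrivateKey
	pub   ed25519.PublicKey
}

// NewRunSigner generates a fresh key pair at the start of a run.
func NewRunSigner(runID string) (*RunSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &RunSigner{runID: runID, priv: priv, pub: pub}, nil
}

// Sign signs one artifact with the run's private key and records the run
// metadata as tags. It refuses to sign once the key has been discarded.
func (s *RunSigner) Sign(name string, content []byte) (SignedArtifact, error) {
	if s.priv == nil {
		return SignedArtifact{}, fmt.Errorf("run key for %s already discarded", s.runID)
	}
	sig := ed25519.Sign(s.priv, content)
	return SignedArtifact{
		Name:      name,
		Content:   content,
		Signature: sig,
		PublicKey: s.pub,
		Tags: map[string]string{
			"run.id":     s.runID,                      // assumed tag name
			"run.pubkey": hex.EncodeToString(s.pub),   // assumed tag name
		},
	}, nil
}

// Discard zeroes and drops the private key at the end of the run; only the
// public key survives, which is all that verification needs.
func (s *RunSigner) Discard() {
	for i := range s.priv {
		s.priv[i] = 0
	}
	s.priv = nil
}

// Verify checks the detached signature over the artifact bytes with the
// public key, after cross-referencing that key against the run tag.
func Verify(a SignedArtifact) bool {
	if hex.EncodeToString(a.PublicKey) != a.Tags["run.pubkey"] {
		return false
	}
	return ed25519.Verify(a.PublicKey, a.Content, a.Signature)
}

func main() {
	signer, err := NewRunSigner("run-42") // constructed run ID
	if err != nil {
		panic(err)
	}
	// Constructed pipeInfo.json content, not a real Artifactory record.
	info, _ := json.Marshal(map[string]interface{}{"pipelineName": "build", "runNumber": 42})
	art, _ := signer.Sign("pipeInfo.json", info)
	signer.Discard()
	fmt.Printf("%s verified: %v (%s.sig is %d bytes)\n", art.Name, Verify(art), art.Name, len(art.Signature))
}
```

Verification still succeeds after `Discard`, which is the point of the design: the private key never needs to outlive the run. In a real deployment the public key a verifier trusts should come from the pipeline service's own record of the run rather than from a tag that travels with the artifact, since anyone able to replace the artifact and its signature could otherwise replace the tagged key too; the tag here only keeps the example runnable on its own.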