store signature and verification in database

Makefile

@@ -27,7 +27,7 @@ gen_migrations:
 build: build_static
 
 build_static:
-	cd drone && go build --ldflags '-extldflags "-static" -X github.com/drone/drone/version.VersionDev=$(CI_BUILD_NUMBER)' -o drone
+	cd drone && go build --ldflags '-extldflags "-static" -X github.com/drone/drone/version.VersionDev=$(DRONE_BUILD_NUMBER)' -o drone
 
 test:
 	go test -cover $(PACKAGES)

model/build.go

@@ -24,6 +24,8 @@ type Build struct {
 	Avatar    string `json:"author_avatar" meddler:"build_avatar"`
 	Email     string `json:"author_email"  meddler:"build_email"`
 	Link      string `json:"link_url"      meddler:"build_link"`
+	Signed    bool   `json:"signed"        meddler:"build_signed"`
+	Verified  bool   `json:"verified"      meddler:"build_verified"`
 }
 
 type BuildGroup struct {

server/hook.go

@@ -157,6 +157,23 @@ func PostHook(c *gin.Context) {
 		return
 	}
 
+	signature, err := jose.ParseSigned(string(sec))
+	if err != nil {
+		log.Debugf("cannot parse .drone.yml.sig file. %s", err)
+	} else if len(sec) == 0 {
+		log.Debugf("cannot parse .drone.yml.sig file. empty file")
+	} else {
+		build.Signed = true
+		output, err := signature.Verify([]byte(repo.Hash))
+		if err != nil {
+			log.Debugf("cannot verify .drone.yml.sig file. %s", err)
+		} else if string(output) != string(raw) {
+			log.Debugf("cannot verify .drone.yml.sig file. no match")
+		} else {
+			build.Verified = true
+		}
+	}
+
 	// update some build fields
 	build.Status = model.StatusPending
 	build.RepoID = repo.ID
@@ -194,33 +211,11 @@ func PostHook(c *gin.Context) {
 		log.Errorf("Error getting secrets for %s#%d. %s", repo.FullName, build.Number, err)
 	}
 
-	var signed bool
-	var verified bool
-
-	signature, err := jose.ParseSigned(string(sec))
-	if err != nil {
-		log.Debugf("cannot parse .drone.yml.sig file. %s", err)
-	} else if len(sec) == 0 {
-		log.Debugf("cannot parse .drone.yml.sig file. empty file")
-	} else {
-		signed = true
-		output, err := signature.Verify([]byte(repo.Hash))
-		if err != nil {
-			log.Debugf("cannot verify .drone.yml.sig file. %s", err)
-		} else if string(output) != string(raw) {
-			log.Debugf("cannot verify .drone.yml.sig file. no match")
-		} else {
-			verified = true
-		}
-	}
-
-	log.Debugf(".drone.yml is signed=%v and verified=%v", signed, verified)
-
 	bus.Publish(c, bus.NewBuildEvent(bus.Enqueued, repo, build))
 	for _, job := range jobs {
 		queue.Publish(c, &queue.Work{
-			Signed:    signed,
+			Signed:    build.Signed,
-			Verified:  verified,
+			Verified:  build.Verified,
 			User:      user,
 			Repo:      repo,
 			Build:     build,

store/datastore/ddl/mysql/5.sql

@@ -0,0 +1,12 @@
+-- +migrate Up
+
+ALTER TABLE builds ADD COLUMN build_signed   BOOLEAN;
+ALTER TABLE builds ADD COLUMN build_verified BOOLEAN;
+
+UPDATE builds SET build_signed   = false;
+UPDATE builds SET build_verified = false;
+
+-- +migrate Down
+
+ALTER TABLE builds DROP COLUMN build_signed;
+ALTER TABLE builds DROP COLUMN build_verified;

store/datastore/ddl/postgres/5.sql

@@ -0,0 +1,12 @@
+-- +migrate Up
+
+ALTER TABLE builds ADD COLUMN build_signed   BOOLEAN;
+ALTER TABLE builds ADD COLUMN build_verified BOOLEAN;
+
+UPDATE builds SET build_signed   = false;
+UPDATE builds SET build_verified = false;
+
+-- +migrate Down
+
+ALTER TABLE builds DROP COLUMN build_signed;
+ALTER TABLE builds DROP COLUMN build_verified;

store/datastore/ddl/sqlite3/5.sql

@@ -0,0 +1,12 @@
+-- +migrate Up
+
+ALTER TABLE builds ADD COLUMN build_signed   BOOLEAN;
+ALTER TABLE builds ADD COLUMN build_verified BOOLEAN;
+
+UPDATE builds SET build_signed   = 0;
+UPDATE builds SET build_verified = 0;
+
+-- +migrate Down
+
+ALTER TABLE builds DROP COLUMN build_signed;
+ALTER TABLE builds DROP COLUMN build_verified;