TURBO_REMOTE_CACHE_SIGNATURE_KEY support #394
Description
🚀 Feature Proposal
TURBO_REMOTE_CACHE_SIGNATURE_KEY
Turborepo can sign artifacts with a secret key before uploading them to the Remote Cache
Motivation
Please outline the motivation for the proposal.
Turborepo uses HMAC-SHA256 signatures on artifacts using a secret key you provide. Turborepo will verify the Remote Cache artifacts' integrity and authenticity when they're downloaded. Any artifacts that fail to verify will be ignored and treated as a cache miss by Turborepo.
To enable this feature, set the remoteCache options on your turbo.json config to include signature: true. Then specify your secret key by declaring the TURBO_REMOTE_CACHE_SIGNATURE_KEY environment variable.
Example
To utilize the TURBO_REMOTE_CACHE_SIGNATURE_KEY which will increase the security of the remote cache, the project config will need to be updated to include the following:
{
"remoteCache": { "signature": true }
}