Presigned Access Configuration

Develocity Provenance Governor supports HMAC-SHA256 presigned URL authentication for /packages/\** endpoints. Presigned URLs provide time-limited, credential-free access to package attestation data — ideal for CI/CD pipelines, artifact proxies, and read-only integrations where embedding authorization headers is impractical.

When presigned access is not configured, the feature is completely inert and has no effect on other authentication mechanisms.

Configuration Properties

Property Type Default Description

presigned-access.keys

map

empty

Map of key ID to base64-encoded HMAC secret. Each key must be at least 32 bytes (256 bits) of cryptographically secure random data.

presigned-access.active-key-id

string

none

The key ID used when generating new presigned URLs. Must reference a key in the keys map.

presigned-access.ttl

duration

PT15M

Time-to-live for generated URLs (ISO 8601 duration format).

Generating Keys

Each key must be raw random bytes from a cryptographically secure random number generator (CSPRNG), base64-encoded. Do not use human-readable passwords or passphrases.

openssl rand -base64 32

Store keys in a secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager) or a Kubernetes Secret. Never commit keys to source control.

Single-Key Configuration

The simplest configuration uses one key:

presigned-access:
  active-key-id: key-1
  keys:
    key-1: 5fG3pLq9zX+kR2mN8wTjYhVbCdEfAiOuSxWnHlMpJQ0=

Key Rotation

To rotate keys with zero downtime:

  1. Add the new key to the keys map alongside the existing key.

  2. Promote the new key by updating active-key-id.

  3. Remove the old key after its TTL has elapsed, ensuring no in-flight signed URLs still reference it.

presigned-access:
  active-key-id: key-2
  ttl: PT15M
  keys:
    key-1: 5fG3pLq9zX+kR2mN8wTjYhVbCdEfAiOuSxWnHlMpJQ0=
    key-2: aB7cD9eF1gH3iJ5kL7mN9oP1qR3sT5uV7wX9yZ1aB3c=

In this example, key-2 is used for generating new URLs, while key-1 remains valid for verifying previously issued URLs until it is removed.

Query Parameter Convention

A presigned URL includes four query parameters that are validated by Develocity Provenance Governor:

Parameter Description

X-Dpg-Expires

Expiration time as Unix epoch seconds.

X-Dpg-KeyId

Identifier of the HMAC key used to sign the URL.

X-Dpg-Principal

URN of the identity that authorized access (e.g., urn:basic-identity:ci-bot).

X-Dpg-Signature

Base64url-encoded HMAC-SHA256 signature.

The signature covers the HTTP method, path, expiry, and principal. Additional query parameters (e.g., pagination) may be appended without invalidating the signature.

Example presigned URL
GET https://provenance-governor.example.com/packages/maven/com.example/lib/1.0.0
  ?X-Dpg-Expires=1700000900
  &X-Dpg-KeyId=key-1
  &X-Dpg-Principal=urn%3Abasic-identity%3Aci-bot
  &X-Dpg-Signature=<base64url-hmac>

Security Considerations

  • Keys shorter than 32 bytes are rejected at startup.

  • Signature comparison uses constant-time comparison to prevent timing attacks.

  • The generating principal’s URN appears in query strings and server logs. Avoid using identities that contain PII (e.g., email addresses). Prefer dedicated service accounts such as ci-bot or artifact-proxy.

  • The default 15-minute TTL limits the window of exposure for a leaked URL. Increasing the TTL via presigned-access.ttl trades convenience for a larger exposure window.

  • Presigned URLs grant read-attestations authority only.