
Figma Commit Signature Verification (GitHub App + Lambda)

Commit Signature Verification is Figma's internal security system that verifies every Git commit pushed to the Figma monorepo was S/MIME-signed with a current device-trust X.509 certificate issued by Figma's internal CA — and gates release-branch merges on the verification status. Built as a GitHub App + an AWS Lambda backed by systems/aws-secrets-manager for credentials. Canonical instance of patterns/webhook-triggered-verifier-lambda.

Components

Component: Role

  Commit Signature Verification GitHub App: scoped to read code + write commit status checks permissions; installed on the Figma monorepo
  Webhook on the monorepo: fires on push events
  Lambda Function URL: public HTTPS endpoint receiving the webhook
  AWS Lambda function: verification compute; uses smimesign/ietf-cms
  Webhook secret: shared with GitHub, used to verify request origin
  AWS Secrets Manager: stores GitHub App private key + webhook secret
  Figma internal CA: issues the device-trust certs being verified
  commit-integrity-verification status check: the merge-gating signal

Push → verify → gate flow

  1. Engineer on a trusted Figma MacBook runs git push of a signed commit to a feature branch.
  2. GitHub sees the push and fires a webhook payload at the Lambda Function URL.
  3. Lambda starts up and:
     • authenticates as the GitHub App (private key + app id from Secrets Manager),
     • verifies the webhook secret on the payload so forged POSTs are rejected,
     • fetches the HEAD commit's signature + diff via GitHub's API.
  4. Lambda runs cryptographic verification using smimesign/ietf-cms against Figma's internal device-trust CA.
  5. Lambda posts a commit status commit-integrity-verification = pass or fail.
  6. Branch-protection rules on release branches require this status = pass for the PR to merge.

Bot handling

Bots (Dependabot, other externally-developed GitHub Apps) commit via the GitHub API, so their commits are not signed with any Figma device-trust cert — they're signed with GitHub's web-flow GPG key. The verifier:

  • Passes commits whose author is on an allowlist of trusted bots.
  • Optionally inspects the diff for policy violations — e.g. Dependabot touching paths unrelated to dependency manifests → fail the status.

This layers over Figma's existing external-bot approval flow and reduces the risk of a compromised external App slipping a supply-chain change.
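The push → verify → gate flow and the bot allowlist + path policy above, as an added example in Python that is not Figma's code. The webhook HMAC check, the bot policy and the status decision are real logic; the S/MIME step is passed in as a callable because it depends on smimesign/ietf-cms and the internal CA, which this example cannot include. The webhook secret, the allowlist membership, the manifest file list and the payload fields are all constructed assumptions.

```python
"""Added example (not Figma's verifier): webhook authentication, bot policy and
the commit-integrity-verification status decision, standard library only."""
import hashlib
import hmac
import json
import posixpath
from typing import Callable, Dict, Iterable, Optional, Tuple

# Webhook secret shared with GitHub. Constructed placeholder: the real verifier
# reads it from AWS Secrets Manager at cold start, never from source.
WEBHOOK_SECRET = b"constructed-webhook-secret"

# Bots that commit through the API and are therefore signed with GitHub's
# web-flow key rather than a device-trust cert. Membership is an assumption.
TRUSTED_BOTS = {"dependabot[bot]"}

# File names a dependency bot is expected to touch (assumed policy).
DEPENDENCY_MANIFESTS = {
    "package.json", "package-lock.json", "go.mod", "go.sum",
    "Gemfile", "Gemfile.lock", "dependabot.yml",
}

STATUS_CONTEXT = "commit-integrity-verification"


def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def webhook_signature_valid(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Reject forged POSTs. compare_digest keeps the check constant-time, and the
    MAC is computed over the raw bytes, never over a re-serialised JSON object."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), header)


def bot_policy(author: str, changed_paths: Iterable[str]) -> Tuple[str, str]:
    """Allowlisted bots pass unless their diff strays outside dependency manifests."""
    if author not in TRUSTED_BOTS:
        return "failure", f"{author} is not an allowlisted bot and has no device-trust signature"
    outside = [p for p in changed_paths if posixpath.basename(p) not in DEPENDENCY_MANIFESTS]
    if outside:
        return "failure", f"{author} touched non-manifest paths: {', '.join(outside)}"
    return "success", f"{author} allowlisted; diff confined to dependency manifests"


def decide_status(commit: Dict, verify_smime: Callable[[bytes, bytes], bool]) -> Dict:
    """Compute the commit-integrity-verification status for one HEAD commit.

    `commit` mirrors what the verifier pulls from GitHub's API: author login,
    signature kind, raw signature block, signed payload and changed paths.
    `verify_smime` stands in for the ietf-cms check against the internal CA."""
    if commit.get("signature_type") == "smime":
        if verify_smime(commit["signature"], commit["payload"]):
            state, desc = "success", "S/MIME signature chains to the device-trust CA"
        else:
            state, desc = "failure", "S/MIME signature did not verify against the device-trust CA"
    else:
        # No device-trust signature: only the bot allowlist + path policy can pass it.
        state, desc = bot_policy(commit["author"], commit.get("changed_paths", []))
    return {"state": state, "context": STATUS_CONTEXT, "description": desc}


def handle_push(headers: Dict[str, str], body: bytes,
                fetch_head: Callable[[str], Dict],
                verify_smime: Callable[[bytes, bytes], bool]) -> Dict:
    """Handler shape for the Function URL: authenticate the webhook before any
    GitHub API call, then verify HEAD and return the status to POST."""
    if not webhook_signature_valid(WEBHOOK_SECRET, body, headers.get("X-Hub-Signature-256")):
        return {"http": 401, "status": None}
    event = json.loads(body)
    head = fetch_head(event["after"])  # push events carry the new HEAD sha in `after`
    return {"http": 200, "status": decide_status(head, verify_smime)}
```

Two design points carry the security weight: the HMAC is checked over the raw request bytes with a constant-time comparison before the handler touches GitHub's API, and anything without a device-trust signature fails closed unless the author is allowlisted and the diff stays inside the paths that bot is expected to change.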

Why Lambda + GitHub App

Matches the patterns/webhook-triggered-verifier-lambda shape: stateless verification compute, scales with push rate rather than repo count, pay-per-invocation, and keeps the verifier off any user's laptop or CI runner. GitHub App scoping is the permissions minimum (concepts/least-privileged-access): the verifier literally cannot do anything to the repo beyond read code + write commit statuses.

Relationship to the signing side

Caveats

  • No disclosed numbers: Lambda cold-start latency, daily commit volume, cost.
  • No disclosed detail on how the verifier handles squashed / rebased commits on merge — the status attaches to HEAD.
  • Allowlist + heuristic-gate specifics for bots are described at a principle level, not policy-by-policy.
