Use cosign to sign CNG images

Summary

We investigated the possibility of using Cosign for signing and verifying CNG images in gitlab-org/charts/gitlab#4528 (closed).

We concluded that:

  1. We MUST use the GitLab.com OIDC provider as the identity issuer.
  2. We MUST use keyless signing.

Once the GitLab.com OIDC provider is officially available we can use Cosign to sign and verify CNG images.

Here is an example (from gitlab-org/gitlab!122796 (merged)):

build_and_sign:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  variables:
    COSIGN_YES: "true"
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  before_script:
    - apk add --update cosign
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  script:
    - docker build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
    - IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA)
    - cosign sign $IMAGE_DIGEST

verify:
  image: alpine:3.18
  stage: verify
  before_script:
    - apk add --update cosign docker
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  script:
    - cosign verify "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" --certificate-identity "https://gitlab.com/my-group/my-project@refs/heads/main" --certificate-oidc-issuer "https://gitlab.com"
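Two details in the pipeline above carry the security weight: the build job signs a digest reference rather than a tag, and the verify job pins both the OIDC issuer and the certificate identity. The helpers below are an added example (not code from this issue, the MR or the CNG repository) that make both explicit: they refuse to sign anything that is not a digest reference and derive the identity to pin from GitLab's predefined CI_SERVER_URL, CI_PROJECT_PATH, CI_COMMIT_REF_NAME and CI_COMMIT_TAG variables, following the identity form used in the verify job above; the refs/tags/ variant for tag pipelines is an assumption.

```shell
#!/bin/sh
# Added example, not code from the issue or the CNG repository. Helpers for the two
# hard-coded values in the pipeline above: the reference handed to `cosign sign` and
# the identity pinned by `cosign verify`. Assumes GitLab's predefined CI_SERVER_URL,
# CI_PROJECT_PATH, CI_COMMIT_REF_NAME and CI_COMMIT_TAG variables.

# Accept only a digest reference (repo@sha256:<64 hex chars>). A tag can be
# re-pointed at a different image after signing; a digest cannot, so a signature
# over a tag would later vouch for whatever the tag happens to point to.
is_digest_ref() {
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "${1##*@sha256:}" | grep -Eq '^[0-9a-f]{64}$'
}

# Certificate identity in the form used by the verify job above:
# <server url>/<project path>@refs/heads/<branch>. The @refs/tags/<tag> form for
# tag pipelines is an assumption. Deriving it from CI variables avoids pinning
# the wrong project or branch by hand.
expected_identity() {
  server_url="$1" project_path="$2" ref_name="$3" tag="${4:-}"
  if [ -n "$tag" ]; then
    printf '%s/%s@refs/tags/%s\n' "$server_url" "$project_path" "$tag"
  else
    printf '%s/%s@refs/heads/%s\n' "$server_url" "$project_path" "$ref_name"
  fi
}

# Wrapper for the sign step: refuse to sign anything but a digest reference.
sign_image() {
  if ! is_digest_ref "$1"; then
    printf 'refusing to sign non-digest reference: %s\n' "$1" >&2
    return 1
  fi
  cosign sign "$1"
}

# In a pipeline (IMAGE_DIGEST set as in the build job), sign and print the identity
# the verify job must pin. Skipped when IMAGE_DIGEST is unset, e.g. under test.
if [ -n "${IMAGE_DIGEST:-}" ]; then
  sign_image "$IMAGE_DIGEST"
  expected_identity "$CI_SERVER_URL" "$CI_PROJECT_PATH" "$CI_COMMIT_REF_NAME" "${CI_COMMIT_TAG:-}"
fi
```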

Acceptance criteria

  • Add Cosign CLI to CNG build tools
  • Alter the CNG build script and add a step to sign the image right after it is built (it is recommended to build and sign the images within the same job).