Use cosign to sign CNG images
Summary
We investigated the possibility of using Cosign for signing and verifying CNG images in gitlab-org/charts/gitlab#4528 (closed).
We concluded that:
- We MUST use GitLab.com OIDC provider as the identity issuer.
- We MUST use keyless signing (no long-lived signing keys; the identity comes from the CI job's OIDC token).
Once the GitLab.com OIDC provider is officially available, we can use Cosign to sign and verify CNG images.
Here is an example (from gitlab-org/gitlab!122796 (merged)):
```yaml
build_and_sign:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  variables:
    COSIGN_YES: "true"            # skip the interactive Sigstore confirmation prompt
  id_tokens:
    SIGSTORE_ID_TOKEN:            # GitLab-issued OIDC token that cosign uses for keyless signing
      aud: sigstore
  before_script:
    - apk add --update cosign
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  script:
    - docker build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
    # Sign the pushed digest, not the mutable tag
    - IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA)
    - cosign sign $IMAGE_DIGEST

verify:
  image: alpine:3.18
  stage: verify
  before_script:
    - apk add --update cosign docker
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  script:
    # Pin verification to the expected signing identity (project and ref) and OIDC issuer
    - cosign verify "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" --certificate-identity "https://gitlab.com/my-group/my-project@refs/heads/main" --certificate-oidc-issuer "https://gitlab.com"
```
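As an added example (not from the issue or the CNG project), a POSIX shell helper for the verify job that derives the expected certificate identity from the pipeline's own predefined variables instead of hardcoding it, and refuses to verify a reference that is not pinned to a digest, since a tag can be re-pointed after signing. It assumes the identity format shown in the verify step above (`<project URL>@<git ref>`) and the standard `CI_PROJECT_URL`, `CI_COMMIT_BRANCH` and `CI_COMMIT_TAG` variables; the `cosign verify` invocation itself is the one from the page.

```shell
#!/bin/sh
# Added example: verify helpers for the CNG verify job. Assumes GitLab's
# predefined CI variables; project/registry values used in comments are constructed.

# Certificate identity (SAN) expected in the Fulcio certificate, in the
# "<project URL>@<git ref>" form used by the verify step on this page.
# Branch pipelines sign as refs/heads/<branch>, tag pipelines as refs/tags/<tag>.
expected_identity() {
  if [ -n "${CI_COMMIT_TAG:-}" ]; then
    printf '%s@refs/tags/%s\n' "$CI_PROJECT_URL" "$CI_COMMIT_TAG"
  else
    printf '%s@refs/heads/%s\n' "$CI_PROJECT_URL" "$CI_COMMIT_BRANCH"
  fi
}

# Accept only digest-pinned references: <repo>@sha256:<64 lowercase hex chars>.
# A tag like registry.gitlab.com/my-group/my-project:abc1234 is rejected.
is_digest_ref() {
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  digest=${1##*@sha256:}
  [ "${#digest}" -eq 64 ] || return 1
  case "$digest" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Run the page's verification against the signed digest, with the identity
# derived from the pipeline rather than a hardcoded string.
verify_image() {
  ref="$1"
  if ! is_digest_ref "$ref"; then
    echo "refusing to verify a reference that is not digest-pinned: $ref" >&2
    return 1
  fi
  cosign verify "$ref" \
    --certificate-identity "$(expected_identity)" \
    --certificate-oidc-issuer "https://gitlab.com"
}
```

In the pipeline, pass the `IMAGE_DIGEST` value captured by the build job (for example via an artifact or dotenv report) to `verify_image` rather than re-resolving the tag in the verify job.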
Acceptance criteria
- Add the Cosign CLI to the CNG build tools.
- Alter the CNG build script and add a step to sign the image right after it is built (it is recommended to build and sign the images within the same job).