
Docker Executor: Cosign support

Description

Cosign (https://github.com/sigstore/cosign) is a tool for signing and verifying container images.

It is part of https://sigstore.dev/, which is a member of the Linux Foundation.

https://linuxfoundation.org/press-release/linux-foundation-announces-free-sigstore-signing-service-to-confirm-origin-and-authenticity-of-software/

Cosign supports the GitLab Container Registry as well.

It would be useful for GitLab Runner to support cosign verification directly (cosign is written in Go) when it is enabled via the runner config.

For example:

[runners.docker]
  ...
  [[runners.docker.signatures]]
    match = "^myregistry.com/mynamespace/.*$"  # re2 regex; any image matching this pattern (mynamespace) will be verified
    public_key = "/etc/pki/cosign/mynamespace.pem"
    signature_repository = "myregistry.com/mysigstore"
  [[runners.docker.signatures]]
    match = "^myregistry.com/myothernamespace/.*$"  # re2 regex; any image matching this pattern (myothernamespace) will be verified
    public_key = "/etc/pki/cosign/myothernamespace.pem"
    signature_repository = "myregistry.com/mysigstore"

When GitLab Runner pulls a container image that matches one of these rules, it will verify the signature before pulling.

Equivalent from the command line:

COSIGN_REPOSITORY=myregistry.com/mysigstore cosign verify -key /etc/pki/cosign/mynamespace.pem myregistry.com/mynamespace/myimage:latest
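As an added illustration (not code from this issue or from GitLab Runner), the Go snippet below shows the rule selection the proposed config implies: each `match` is compiled as an RE2 pattern at config load, the first matching rule decides which key and signature repository apply, and the result is the same env var and argv as the CLI equivalent above. TOML loading is assumed to happen elsewhere, and the type and function names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
)

// SignatureRule mirrors one [[runners.docker.signatures]] entry of the proposal;
// TOML loading is assumed to happen elsewhere, so rules are constructed inline.
type SignatureRule struct {
	Match               string // RE2 pattern applied to the full image reference
	PublicKey           string // path to the cosign public key for that namespace
	SignatureRepository string // registry path where cosign looks up signatures
	re                  *regexp.Regexp
}

// CompileRules validates every pattern once at config load, so a bad regex fails
// runner start-up instead of silently leaving images unverified later.
func CompileRules(rules []SignatureRule) error {
	for i := range rules {
		re, err := regexp.Compile(rules[i].Match) // Go's regexp package is RE2 syntax
		if err != nil {
			return fmt.Errorf("signatures[%d]: bad match %q: %w", i, rules[i].Match, err)
		}
		rules[i].re = re
	}
	return nil
}

// SelectRule returns the first rule matching the image reference, or nil when no
// rule covers it (under the proposal such an image is pulled without verification).
func SelectRule(rules []SignatureRule, image string) *SignatureRule {
	for i := range rules {
		if rules[i].re != nil && rules[i].re.MatchString(image) {
			return &rules[i]
		}
	}
	return nil
}

// VerifyCommand is the programmatic form of the CLI equivalent in the proposal:
// the environment entry and argv the runner would hand to cosign.
func VerifyCommand(r *SignatureRule, image string) (env, args []string) {
	env = []string{"COSIGN_REPOSITORY=" + r.SignatureRepository}
	args = []string{"cosign", "verify", "-key", r.PublicKey, image}
	return env, args
}
```

Because the patterns are anchored with `^`, a reference such as `other.example/myregistry.com/mynamespace/x` does not match, which is why anchoring the `match` values matters.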

Cosign is also recommended by Kaniko (https://github.com/GoogleContainerTools/kaniko/tree/v1.6.0#verifying-signed-kaniko-images), a tool whose use is documented by GitLab at https://docs.gitlab.com/ee/ci/docker/using_kaniko.html.

Edited by Ahmet Demir