Sign build artifacts in Runner with Cosign

Description

Proposal

  1. For jobs where RUNNER_GENERATE_ARTIFACTS_METADATA = "true", all artifacts produced by the GitLab Runner will be signed automatically by default. A .sig file containing the signature will be generated and stored as a build artifact.
    1. The format of the .sig file should match https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md.
  2. Additionally, we will begin adding the required envelope to the generated attestation per https://github.com/in-toto/attestation/tree/v0.1.0/spec#envelope
    1. The JSON that we currently generate as our attestation file will be base64-encoded and become the value of the payload attribute.
    2. The payloadType attribute is static and should always be set to application/vnd.in-toto+json.
    3. The signatures attribute will contain the signature of the payload

The resulting attestation file should match this format:

{
  "payloadType": "application/vnd.in-toto+json",
  "payload": "<Base64(SERIALIZED_BODY)>",
  "signatures": [{
    "keyid": "<KEYID>",
    "sig": "<Base64(SIGNATURE)>"
  }]
}

The current proposal for facilitating this is to use Fulcio to manage the key used for signing.

Note:

  • The implementation plan is to limit the use of the OIDC token to only the artifact signing step (Runner/Cosign/Fulcio). This approach ensures that the inserted secret used to sign the artifact is used only once.

Disclaimer

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by Darren Eastman