Sign build artifacts in Runner with Cosign
Description
Proposal
- For jobs where RUNNER_GENERATE_ARTIFACTS_METADATA = "true", all artifacts produced by the GitLab Runner will be signed automatically by default. A .sig file containing the signature will be generated and stored as a build artifact.
- The format of the .sig file should match https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md.
- Additionally, we will begin adding the required envelope to the generated attestation, per https://github.com/in-toto/attestation/tree/v0.1.0/spec#envelope:
  - The JSON that we currently generate as our attestation file will be base64 encoded and will become the value of the payload attribute.
  - The payloadType attribute is static and should always be set to application/vnd.in-toto+json.
  - The signatures attribute will contain the signature of the payload.
The resulting attestation file should match this format:
{
"payloadType": "application/vnd.in-toto+json",
"payload": "<Base64(SERIALIZED_BODY)>",
"signatures": [{
"keyid": "<KEYID>",
"sig": "<Base64(SIGNATURE)>"
}]
}
Currently the latest proposal to facilitate this is to use Fulcio to manage the key that is used for signing.
Note:
- The implementation plan is to limit the use of the OIDC token to only the artifact signing step (Runner/Cosign/Fulcio). This approach ensures that the inserted secret used to sign the artifact is used only once.
Disclaimer
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Edited by Darren Eastman