Gitlab.com CI Sigstore Keyless Integration for npm package provenance generation
GitLab and Chainguard are working together to implement and support gitlab.com CI Sigstore Keyless Integration for npm package provenance generation.
This issue tracks the work and invites community comment; the work is split into two parts: Sigstore integration and build provenance generation.
Sigstore <> GitLab Keyless Signing Integration
- Contributions to Sigstore projects (fulcio, cosign, etc.)
- Add OIDC token claim mapping to Fulcio X.509 certificate extensions for gitlab.com
- Ambient Credential detection for GitLab CI in sigstore-js
Build Provenance Generation (for NPM packages)
- Contributions to GitLab CI templates and supporting scripts, images, and tooling
- Contributions to NPM cli via Sigstore-js
- NPM provenance attestation support in GitLab CI templates
- Signature Verification (npm audit signatures)
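As an added illustration of how the pieces above fit together (this is an example, not the GitLab CI template or any code from the project), the following GitLab CI job requests an OIDC ID token for the `sigstore` audience, which sigstore-js in the npm CLI picks up from `SIGSTORE_ID_TOKEN` as an ambient credential, and a second job verifies with `npm audit signatures`. It assumes a `node` image whose npm is 9.5 or newer, a masked `NPM_TOKEN` CI/CD variable, and a public package; those names and the `node:20` image are assumptions.

```yaml
# Example .gitlab-ci.yml (constructed example, not the project's own template)
stages:
  - publish
  - verify

publish:
  stage: publish
  image: node:20            # assumption: bundles npm >= 9.5, which has --provenance
  id_tokens:
    # GitLab mints an OIDC token for this audience and exposes it as
    # $SIGSTORE_ID_TOKEN; sigstore-js treats that variable as the ambient credential.
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  rules:
    - if: $CI_COMMIT_TAG    # sign and publish only tagged releases
  script:
    # NPM_TOKEN is assumed to be a masked, protected CI/CD variable
    - npm config set //registry.npmjs.org/:_authToken "${NPM_TOKEN}"
    - npm ci
    # Keyless flow: Fulcio issues a short-lived certificate whose extensions carry
    # the OIDC claims (project, ref, pipeline); the provenance attestation is recorded
    # in Rekor and uploaded to the registry alongside the package.
    - npm publish --provenance --access public

verify:
  stage: verify
  image: node:20
  script:
    - npm ci
    # Verifies registry signatures and provenance attestations of installed packages
    - npm audit signatures
```

Nothing here replaces the registry credential: provenance proves where and how the package was built, while `NPM_TOKEN` still controls who may publish.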
Related work:
Edited by James Strong