
Evaluate options to bundle cosign with GitLab Rails

The current proposal for SLSA attestation generation and signing is to import cosign into the glgo service and interact with it via an API. The purpose of this issue is to evaluate an alternative approach in the event the current proposal is determined to not be viable.

Some potential options to evaluate are:

  • Including cosign in the GitLab distribution
  • Creating a ruby gem that would build cosign for the target platform
  • Other potential options...

In any of these cases, it would be necessary to interact with cosign via a system exec, so the tradeoffs of that approach (process spawning, argument handling, error and timeout handling) should be evaluated as well.
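An added illustration (not code from this issue or from GitLab) of the system-exec interaction discussed above, assuming a hypothetical `CosignExec` wrapper and a bundled binary path: it builds the `cosign attest` argv as an array so no shell parses user-supplied values, refuses an empty image reference, runs the child with a scrubbed environment and a timeout, and reports failures as data rather than raising into the request.

```ruby
require "open3"

# Hypothetical wrapper around a bundled cosign binary invoked via system exec.
module CosignExec
  # Build argv for `cosign attest` as an array: no shell is involved, so an
  # image reference or path containing `;` or `$(...)` stays a literal argument.
  def self.attest_argv(binary:, image:, predicate_path:, predicate_type:, key_ref:)
    raise ArgumentError, "image reference must not be empty" if image.to_s.strip.empty?
    [binary, "attest",
     "--type", predicate_type,
     "--predicate", predicate_path,
     "--key", key_ref,
     image]
  end

  # Run argv with a minimal environment and a hard timeout; never raises for
  # operational failures, returning a hash the caller can log and act on.
  def self.run(argv, timeout_s: 60)
    binary = argv.first
    return { ok: false, error: "not executable: #{binary}" } unless File.executable?(binary)

    env = { "PATH" => "/usr/bin:/bin" } # assumption: cosign needs nothing else from the env
    Open3.popen3(env, *argv, unsetenv_others: true) do |stdin, stdout, stderr, wait_thr|
      stdin.close
      out_reader = Thread.new { stdout.read }
      err_reader = Thread.new { stderr.read }
      unless wait_thr.join(timeout_s)
        Process.kill("KILL", wait_thr.pid) # kill the child, not just the waiting thread
        return { ok: false, error: "cosign timed out after #{timeout_s}s" }
      end
      status = wait_thr.value
      { ok: status.success?, exit: status.exitstatus,
        stdout: out_reader.value, stderr: err_reader.value }
    end
  end
end
```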

The output of this issue should be a written summary of the options evaluated, with the pros and cons of each, as well as a proposed direction that takes those tradeoffs into account.