Distribute cosign binary in Omnibus

As part of the SLSA L3 epic, the Pipeline Security team has discussed several options for signing SLSA Provenance statements in the control plane. In the course of these discussions, we determined that the best course of action was to ship the cosign binary in our distributions.

This issue in particular discusses shipping the binary in Omnibus. The rationale for not delaying the distribution via Omnibus can be found in the following comment by @WarheadsSE.

References

Non-functional requirements

  • Documentation: N/A
  • Feature flag: N/A
  • Performance: N/A
  • Testing: See verification steps below.

Implementation details

This issue assumes the related issue that creates the CNG distribution has been resolved, because certain steps, specifically the creation of a mirrored repository, are necessary for both.

At a high level, the creation of a cosign binary within Omnibus is documented in the "Adding a new software definition" page. An example can be found in the bzip package.

Additional docs:

Required changes:

  • Ensure the related issue has been resolved prior to starting this one.
  • New source in .custom_sources.yml
  • Add dependency in config/software/gitlab-rails.rb
  • New software definition in config/software/cosign.rb (Should be similar to another go definition, e.g. config/software/prometheus.rb)
  • Maybe add license in lib/gitlab/license/analyzer.rb
  • Maybe patches in config/patches/cosign/
  • Maybe test plan in doc/development/test-plans/upgrade-exiftool-testplan.md

Verification steps

Follow the steps here to ensure the new software definition builds correctly.
