docs: add self-hosted Sigstore keyless signing guide
Summary
Add documentation for keyless signing with self-hosted Sigstore infrastructure on GitLab Self-Managed.
Closes #419942.
What does this MR do?
Adds doc/ci/yaml/signing_self_hosted.md covering:
- Fulcio OIDC configuration for self-managed GitLab (the critical undocumented step -- Fulcio requires both `oidc-issuers` and `ci-issuer-metadata` sections, and the error message gives no hint of what is missing)
- CI/CD pipeline configuration using cosign v3 signing-config and trusted-root files
- cosign v2 fallback configuration
- Verification examples
- GitLab-specific troubleshooting
Also adds a cross-reference from signing_examples.md pointing
self-managed users to the new page.
What was validated
This documentation was validated end-to-end on a fresh GCE instance running GitLab Omnibus EE 18.10.3 with a self-hosted Sigstore stack (Fulcio v1.6.6, Rekor v1.3.8) deployed via Docker Compose. Both cosign v2.4.1 and v3.0.6 signing paths were tested with real GitLab CI/CD OIDC tokens.
The Sigstore deployment steps (Docker Compose, key generation, CT log) are not included in this page. Those belong in the Sigstore project documentation. This page documents only the GitLab-specific configuration: the Fulcio OIDC trust, the CI pipeline YAML, and verification.
Where we could use help
- HTTPS validation: We validated on an HTTP GitLab instance. The page includes a prerequisite note about mounting the CA certificate for HTTPS deployments, but the HTTPS OIDC flow was not tested end-to-end. We believe the pattern is correct (standard container TLS trust configuration) but would appreciate review from someone with an HTTPS self-managed instance and a self-hosted Fulcio.
- Container image signing: We validated blob signing (`cosign sign-blob`). The page notes that container image signing uses the same configuration with `cosign sign`. This matches the cosign documentation, but we did not test it on this instance.
- Technical Writer review: This is our first contribution to GitLab documentation. We followed the style guide but may have missed conventions. Happy to iterate on structure and formatting.
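As an added illustration (not part of this MR or of the documentation page it adds), the sketch below shows the shape of the Fulcio configuration the first bullet is about: both top-level sections present, with the `ci-provider` value under the issuer entry matching a key under `ci-issuer-metadata`. The layout follows Fulcio's documented config format, but the hostname, the `gitlab-self-hosted` label, the client ID and the claim names used in the templates are assumptions chosen for illustration; check them against the Fulcio and GitLab ID-token documentation for the versions you actually deploy.

```yaml
# Added example, not taken from the MR or the Sigstore/GitLab projects.
# Layout follows Fulcio's documented config; hostname, provider label,
# client-id and the claim names in the templates are assumptions.
oidc-issuers:
  # Map key and issuer-url are the GitLab instance's OIDC issuer
  # (the value of $CI_SERVER_URL in the pipeline).
  https://gitlab.example.internal:
    issuer-url: https://gitlab.example.internal
    # Must equal the "aud" requested under id_tokens: in .gitlab-ci.yml.
    client-id: sigstore
    type: ci-provider
    # Must match a key under ci-issuer-metadata below. With only this
    # section present Fulcio still rejects the token, which is the
    # situation the MR describes as having no helpful error message.
    ci-provider: gitlab-self-hosted

ci-issuer-metadata:
  gitlab-self-hosted:
    default-template-values:
      url: https://gitlab.example.internal
    # Go templates evaluated over the ID token's claims; the GitLab claim
    # names below are assumptions to be checked against your instance.
    extension-templates:
      build-signer-uri: "https://{{ .ci_config_ref_uri }}"
      build-signer-digest: "{{ .ci_config_sha }}"
      runner-environment: "{{ .runner_environment }}"
      source-repository-uri: "{{ .url }}/{{ .project_path }}"
      source-repository-digest: "{{ .sha }}"
      source-repository-ref: "{{ .ref }}"
      source-repository-identifier: "{{ .project_id }}"
      source-repository-owner-uri: "{{ .url }}/{{ .namespace_path }}"
      source-repository-owner-identifier: "{{ .namespace_id }}"
      build-config-uri: "https://{{ .ci_config_ref_uri }}"
      build-config-digest: "{{ .ci_config_sha }}"
      build-trigger: "{{ .pipeline_source }}"
      run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ .job_id }}"
      source-repository-visibility-at-signing: "{{ .project_visibility }}"
    # Becomes the certificate SAN; verifiers match --certificate-identity
    # against this value, so it must be stable per pipeline definition.
    subject-alternative-name-template: "https://{{ .ci_config_ref_uri }}"
```

The point to check when a self-managed Fulcio refuses GitLab tokens is the pairing: an issuer entry of `type: ci-provider` is only usable when its `ci-provider` label resolves to an entry in `ci-issuer-metadata`, and the SAN template in that entry is what later has to agree with the identity you pass at verification time.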