### Release notes <!-- What is the problem and solution you're proposing? This content sets the overall vision for the feature and serves as the release notes that will populate in various places, including the [release post blog](https://about.gitlab.com/releases/categories/releases/) and [Gitlab project releases](https://gitlab.com/gitlab-org/gitlab/-/releases). " --> At GitLab, we value making our features secure and best-in-class, which is why have introduced a dedicated signing key for HashiCorp Vault JSON Web Token (JWT) authentication method. You can rest assured knowing that the JWT cannot be used to impersonate another user through OpenID Connect. ### Problem to solve We should use dedicated signing key to sign Ci_JOB_JWT tokens to avoid any possible risks as pointed in https://gitlab.com/gitlab-org/gitlab/-/issues/214607#note_325522240. ### Proposal - Add new encrypted attribute to `application_settings` to store the dedicated CI JWT signing key. - Implement the JWKS endpoint instead of delegating to `doorkeeper_openid_connect`. Make it return both keys. - Start using this new key to sign `CI_JOB_JWT` - In next release, remove OIDC signing key from the JWKS endpoint - https://gitlab.com/gitlab-org/gitlab/-/issues <!-- - [x] Omnibus - [x] Generate new RSA key (https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/4158) - [x] Cloud Native GitLab Helm Chart - [x] Generate new RSA key https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/1318) - [ ] GitLab - [ ] Implement the JWKS endpoint instead of delegating to `doorkeeper_openid_connect`. Make it return both keys. https://gitlab.com/gitlab-org/gitlab/-/merge_requests/34249 - [ ] Start using this new key to sign `CI_JOB_JWT` https://gitlab.com/gitlab-org/gitlab/-/merge_requests/34249 - [ ] Add a check verifying valid key is present https://gitlab.com/gitlab-org/gitlab/-/merge_requests/33920 - [ ] In next release, remove OIDC signing key from the JWKS endpoint https://gitlab.com/gitlab-org/gitlab/-/issues/221031 --> --- The following discussion from !28063 should be addressed: - [ ] @ayufan started a [discussion](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28063#note_320994079): (+7 comments) > Is this OK to re-use `OpenID Signing Key`? Is that expected? If we ever gonna want to use `CI_JOB_JWT_TOKEN` for our own purpose will that cause an issues, for example we will want to rotate this secret for various unrelated reasons, what will happen then?