Phase 1: CI/CD components to generate and verify provenance attestation
### Problem to solve

In complex CI/CD workflows, developers and security teams need a reliable way to generate [provenance attestations](https://slsa.dev/spec/v1.0/provenance#model) to ensure the security and integrity of their software artifacts. Many teams lack the time and expertise to integrate tools like Sigstore's Cosign for provenance generation and verification. Without an easy-to-use solution, generating and verifying provenance attestations becomes difficult, leading to potential gaps in software supply chain security.

To solve this, we propose building reusable [CI/CD components](https://docs.gitlab.com/ee/ci/components/) that provide a simple way to integrate provenance generation and verification into any GitLab project.

### Proposal

The solution involves creating [CI/CD components](https://docs.gitlab.com/ee/ci/components/) that wrap [Sigstore's Cosign functionality](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html) into reusable modules.

The provenance generation component covers the following:

- Generate a provenance statement for a given build, sign it, and upload the resulting provenance attestation for downstream consumption and verification.
- Leverage GitLab's OpenID Connect (OIDC) tokens for keyless signing with Sigstore, avoiding the need to manage long-term signing keys.

The provenance generation and verification components are:

- flexible enough to integrate into various GitLab CI workflows, regardless of project specifics
- published in a shared GitLab repository as reusable components
- configurable, allowing developers to pass in build details such as artifact location, environment data, and commit hash

### Development stage

This is an [experiment](https://docs.gitlab.com/policy/development_stages_support/#experiment) for two reasons:

- This solution doesn't meet SLSA v1.0 L3 requirements because provenance generation and signing are handled by the build environment, not by the control plane. See https://slsa.dev/spec/v1.0/requirements
- The next phases of https://gitlab.com/groups/gitlab-org/-/epics/15858 move provenance generation and signing to the control plane, but as a result the UX will change, and we can't provide a seamless transition.

### Implementation plan

- Research and define the structure of the CI/CD components.
- Add the components specification to the [SLSA L3 design doc](https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/slsa_level_3): structure, configuration, inputs and outputs, etc.
- Build CI/CD components for Sigstore integration:
  - Provenance generation component
  - Provenance verification component
- Document the usage of the components.
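As an added example (not the epic's own component code), here is a sketch of what the two proposed components could look like as a GitLab CI/CD component: the generate job builds a minimal SLSA v1.0 predicate from the job's predefined CI variables and signs it keyless with Cosign through the job's `SIGSTORE_ID_TOKEN`, and the verify job pins both the OIDC issuer and the exact signing identity. The file path, the cosign image tag, the `buildType` URI and the input names are assumptions.

```yaml
# templates/provenance.yml (hypothetical component file; names are assumptions)
spec:
  inputs:
    image:
      description: "Image reference to attest, ideally pinned by digest"
    cert_identity:
      description: "Expected signer identity: <project URL>//.gitlab-ci.yml@<ref>"
---
provenance-generate:
  stage: build
  image:
    name: ghcr.io/sigstore/cosign/cosign:v2.4.0   # tag is an assumption
    entrypoint: [""]
  id_tokens:
    SIGSTORE_ID_TOKEN:        # cosign reads this variable for keyless signing
      aud: sigstore
  script:
    # Minimal SLSA v1.0 predicate from predefined CI variables. The job itself
    # holds the token and signs, which is the "build environment" signing the
    # epic says falls short of Build L3. buildType URI is a placeholder.
    - |
      cat > predicate.json <<EOF
      {
        "buildDefinition": {
          "buildType": "https://example.com/gitlab-ci/v1-placeholder",
          "externalParameters": {
            "repository": "$CI_PROJECT_URL",
            "ref": "$CI_COMMIT_REF_NAME",
            "commit": "$CI_COMMIT_SHA"
          },
          "internalParameters": { "pipeline_id": "$CI_PIPELINE_ID", "job_id": "$CI_JOB_ID" }
        },
        "runDetails": {
          "builder": { "id": "$CI_SERVER_URL/$CI_PROJECT_PATH" },
          "metadata": { "invocationId": "$CI_JOB_URL", "startedOn": "$CI_JOB_STARTED_AT" }
        }
      }
      EOF
    - cosign attest --yes --type slsaprovenance1 --predicate predicate.json "$[[ inputs.image ]]"

provenance-verify:
  stage: test
  needs: ["provenance-generate"]
  image:
    name: ghcr.io/sigstore/cosign/cosign:v2.4.0
    entrypoint: [""]
  script:
    # Pinning issuer and identity rejects attestations signed by any other
    # project, branch or pipeline definition, even if they are valid Sigstore signatures.
    - >
      cosign verify-attestation --type slsaprovenance1
      --certificate-oidc-issuer "$CI_SERVER_URL"
      --certificate-identity "$[[ inputs.cert_identity ]]"
      "$[[ inputs.image ]]"
```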