
Provide COSIGN key to sign our docker images

What does this MR do and why?

The artifacts produced by Sylva must be signed by cosign. The cosign signing material can be stored in the CI variables of the projects; however, a single cosign key pair should be used for more than one project for the sake of simplicity (managing a key per project would be a nightmare for signature verification). So the projects should inherit the signing material stored in the variables of their group, e.g. all projects in the group sylva-elements use the key pair defined in the group's variables.

However, there is a problem: we use cosign generate-key-pair gitlab://foo/bar to generate a cosign key pair, but it works only with a project as destination (cf. https://github.com/sigstore/cosign/issues/2914).

So, to address the issue, this MR proposes a script that generates the key pair in a target project and then promotes it to the group level. If a key pair already exists in the given project, the script only promotes it.

Important Note: this script must be executed by a group member with read/write access to the group's CI/CD variables, typically the group owner.
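The procedure described above (generate the key pair in a project with cosign, then promote it to the group), as an added example that is not the script proposed by this MR. It assumes that cosign's gitlab:// backend stores the key pair in the project CI variables COSIGN_PRIVATE_KEY, COSIGN_PASSWORD and COSIGN_PUBLIC_KEY, and that the GitLab REST API v4 variables endpoints are used for the promotion; the GitLabApi class, promote_keypair function, the hypothetical GITLAB_TOKEN environment variable and the project path sylva-elements/foo are the example's own. The group-level variables are only created or updated when they differ from the project's, so re-running the script against a project that already has a key pair promotes without regenerating; the private key and password are never printed.

```python
"""Generate a cosign key pair in a GitLab project and promote it to the group.

Added example, not the MR's script. Assumes (not stated in the MR) that
cosign generate-key-pair gitlab://<project> stores the pair in the project CI
variables COSIGN_PRIVATE_KEY, COSIGN_PASSWORD and COSIGN_PUBLIC_KEY, and that
the caller's token (GITLAB_TOKEN, hypothetical) has Owner rights on the group.
"""
import json
import os
import re
import subprocess
import sys
import urllib.error
import urllib.parse
import urllib.request

COSIGN_VARS = ("COSIGN_PRIVATE_KEY", "COSIGN_PASSWORD", "COSIGN_PUBLIC_KEY")


class GitLabApi:
    """Minimal GitLab REST v4 client: request() returns (status, JSON or None)."""

    def __init__(self, base_url, token):
        self.base_url = base_url.rstrip("/")
        self.token = token

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{self.base_url}/api/v4/{path}", data=data, method=method,
            headers={"PRIVATE-TOKEN": self.token, "Content-Type": "application/json"},
        )
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as err:
            return err.code, None


def encode_path(path):
    """GitLab wants namespaced paths URL-encoded ('group/proj' -> 'group%2Fproj')."""
    return urllib.parse.quote(path, safe="")


def list_variables(api, scope, path):
    """Return {key: value} for the CI variables of a project or group."""
    status, body = api.request("GET", f"{scope}/{encode_path(path)}/variables?per_page=100")
    if status != 200:
        raise RuntimeError(f"cannot list {scope} variables of {path}: HTTP {status}")
    return {v["key"]: v["value"] for v in body}


def is_maskable(value):
    """Conservative approximation of GitLab's masking rules: single line, 8+
    characters, restricted alphabet. A multi-line PEM block never qualifies."""
    return (len(value) >= 8 and "\n" not in value
            and re.fullmatch(r"[A-Za-z0-9+/=@:.~-]+", value) is not None)


def run_cosign_generate(project):
    """Let cosign create the key pair directly in the project's CI variables."""
    subprocess.run(["cosign", "generate-key-pair", f"gitlab://{project}"], check=True)


def promote_keypair(api, project, group, generate=run_cosign_generate, protected=True):
    """Ensure `project` holds a cosign key pair, then copy it to `group`.
    Returns {variable: 'created' | 'updated' | 'unchanged'}; values are not logged."""
    project_vars = list_variables(api, "projects", project)
    if any(k not in project_vars for k in COSIGN_VARS):
        generate(project)  # key pair absent: generate it first (cosign, or an injected stand-in)
        project_vars = list_variables(api, "projects", project)
        missing = [k for k in COSIGN_VARS if k not in project_vars]
        if missing:
            raise RuntimeError(f"key generation left {project} without {missing}")

    group_vars = list_variables(api, "groups", group)
    actions = {}
    for key in COSIGN_VARS:
        value = project_vars[key]
        payload = {
            "value": value,
            # The private key is a multi-line PEM, so only the password can be masked.
            "masked": key == "COSIGN_PASSWORD" and is_maskable(value),
            # Example's choice: signing material only for jobs on protected refs.
            "protected": protected and key != "COSIGN_PUBLIC_KEY",
        }
        if key in group_vars:
            if group_vars[key] == value:
                actions[key] = "unchanged"
                continue
            status, _ = api.request("PUT", f"groups/{encode_path(group)}/variables/{key}", payload)
            actions[key] = "updated"
        else:
            status, _ = api.request("POST", f"groups/{encode_path(group)}/variables", {"key": key, **payload})
            actions[key] = "created"
        if status not in (200, 201):
            raise RuntimeError(f"{actions[key]} of {key} on group {group} failed: HTTP {status}")
    return actions


if __name__ == "__main__":
    # usage: promote_cosign_key.py https://gitlab.example.com sylva-elements/foo sylva-elements
    base, proj, grp = sys.argv[1:4]
    client = GitLabApi(base, os.environ["GITLAB_TOKEN"])
    for name, action in promote_keypair(client, proj, grp).items():
        print(f"{name}: {action}")
```

The comparison is on variable values only, so a changed masked/protected flag on an existing group variable is not re-applied; extend the "unchanged" check if the flags also need to be enforced.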

Closes #1204

Edited by Pierrick Seite
