Skip to content

Commit

Permalink
Add support for GitLab to docs
Browse files Browse the repository at this point in the history
Signed-off-by: Sam White <[email protected]>
Co-authored-by: Alishan Ladhani <[email protected]>
Resolves: #215
  • Loading branch information
samwhite-gl and aladh committed Aug 28, 2023
1 parent 9396c99 commit 1c23f42
Show file tree
Hide file tree
Showing 4 changed files with 50 additions and 2 deletions.
2 changes: 1 addition & 1 deletion content/en/about/security.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ The Sigstore security model has a few key components, each aimed at establishing

## Proving Identity in Sigstore

Sigstore relies on the widely used OpenID Connect (OIDC) protocol to prove identity. When running something like `cosign sign`, users will complete an OIDC flow and authenticate via an identity provider (GitHub, Google, etc.) to prove they are the owner of their account. Similarly, automated systems (like GitHub Actions) can use Workload Identity or [SPIFFE](https://spiffe.io/) Verifiable Identity Documents (SVIDs) to authenticate themselves via OIDC. The identity and issuer associated with the OIDC token is embedded in the short-lived certificate issued by Sigstore’s Certificate Authority, Fulcio.
Sigstore relies on the widely used OpenID Connect (OIDC) protocol to prove identity. When running something like `cosign sign`, users will complete an OIDC flow and authenticate via an identity provider (GitHub, GitLab, Google, etc.) to prove they are the owner of their account. Similarly, automated systems (like GitHub Actions) can use Workload Identity or [SPIFFE](https://spiffe.io/) Verifiable Identity Documents (SVIDs) to authenticate themselves via OIDC. The identity and issuer associated with the OIDC token is embedded in the short-lived certificate issued by Sigstore’s Certificate Authority, Fulcio.

Check failure on line 13 in content/en/about/security.md

View workflow job for this annotation

GitHub Actions / markdownlint

Trailing spaces

content/en/about/security.md:13:614 MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1] https://github.com/DavidAnson/markdownlint/blob/v0.29.0/doc/md009.md

## Sigstore’s Trust Model

Expand Down
39 changes: 39 additions & 0 deletions content/en/certificate_authority/oidc-in-fulcio.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,18 @@ GitHub supports OIDC tokens for its workflows initiated from GitHub Actions. Thi

* GitHub Actions (`token.actions.githubusercontent.com`)

GitLab supports OIDC tokens for its workflows initiated from GitLab CI/CD pipelines. This removes the need for persisting authentication credentials. OIDC tokens include information about the workflow and source repository.

In GitLab, you can generate the necessary tokens by simply adding the following to your CI/CD job:

```yaml
id_tokens:
SIGSTORE_ID_TOKEN:
aud: sigstore
```
See the [GitLab documentation](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html) for full examples on signing through GitLab.
### SPIFFE
SPIFFE-based OIDC providers use a SPIFFE ID as the URI subject alternative name of the certificate, scoped to a domain.
Expand Down Expand Up @@ -100,6 +112,33 @@ The token must include the following claims:
All other required claims are extracted and included in custom OID fields, as documented in [OID Information](https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md).
### GitLab
The token must include the following claims:
```json
{
"namespace_id": "72",
"namespace_path": "my-group",
"project_id": "20",
"project_path": "my-group/my-project",
"pipeline_id": "574",
"pipeline_source": "push",
"job_id": "302",
"ref": "main",
"ref_type": "branch",
"runner_id": 1,
"runner_environment": "gitlab-hosted",
"sha": "714a629c0b401fdce83e847fc9589983fc6f46bc",
"project_visibility": "public",
"ci_config_ref_uri": "gitlab.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main"
}
```

`ci_config_ref_uri` is included as a SAN URI: `https://{ci_config_ref_uri}`

All other required claims are extracted and included in custom OID fields, as documented in [OID Information](https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#mapping-oidc-token-claims-to-fulcio-oids).

### SPIFFE

The token must include the following claims:
Expand Down
9 changes: 9 additions & 0 deletions content/en/system_config/installation.md
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,15 @@ with:
cosign-release: "v2.0.2" # optional
```
## GitLab
Cosign can be installed in your CI/CD pipeline by using a before script in your job:
```yaml
before_script:
- apk add --update cosign
```
## Container Images
Signed release images are available at [`gcr.io/projectsigstore/cosign`](http://gcr.io/projectsigstore/cosign).
Expand Down
2 changes: 1 addition & 1 deletion content/en/verifying/verify.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ $ cosign verify <image URI> [email protected]
```

The oidc-issuer for Google is https://accounts.google.com, Microsoft is https://login.microsoftonline.com, and GitHub is https://github.com/login/oauth.
The oidc-issuer for Google is https://accounts.google.com, Microsoft is https://login.microsoftonline.com, GitHub is https://github.com/login/oauth, and GitLab is https://gitlab.com.

The following example verifies the signature on file.txt from user [email protected] issued by [email protected]. It uses a provided bundle cosign.bundle that contains the certificate and signature.

Expand Down

0 comments on commit 1c23f42

Please sign in to comment.