Add support for GitLab to docs

Signed-off-by: Sam White <[email protected]>
Resolves: #215

content/en/certificate_authority/oidc-in-fulcio.md

@@ -19,6 +19,7 @@ Email-based OIDC providers use the user's email as the subject of the certificat
 
 * Dex (`oauth2.sigstore.dev/auth`)
     * GitHub (Note that this is the email of the user, not the GitHub username)
+    * GitLab
     * Google
     * Microsoft
 * Google (`accounts.google.com`)
@@ -29,6 +30,18 @@ GitHub supports OIDC tokens for its workflows initiated from GitHub Actions. Thi
 
 * GitHub Actions (`token.actions.githubusercontent.com`)
 
+GitLab supports OIDC tokens for its workflows initiated from GitLab CI/CD pipelines This removes the need for persisting authentication credentials. OIDC tokens include information about the workflow and source repository.
+
+In GitLab, you can generate the necessary tokens by simply adding the following to your CI/CD job:
+
+```yaml
+id_tokens:
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
+```
+
+See the [GitLab documentation](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html) for full examples on signing through GitLab.
+
 ### SPIFFE
 
 SPIFFE-based OIDC providers use a SPIFFE ID as the URI subject alternative name of the certificate, scoped to a domain.
@@ -99,6 +112,16 @@ The token must include the following claims:
 
 All other required claims are extracted and included in custom OID fields, as documented in [OID Information](https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md).
 
+### GitLab
+
+The token must include the following claims:
+
+```
+{
+// TODO: ADD LIST OF CLAIMS
+}
+```
+
 ### SPIFFE
 
 The token must include the following claims:

content/en/security.md

@@ -9,7 +9,7 @@ The Sigstore security model has a few key components, each aimed at establishing
 
 ## Proving Identity in Sigstore
 
-Sigstore relies on the widely used OpenID Connect (OIDC) protocol to prove identity. When running something like `cosign sign`, users will complete an OIDC flow and authenticate via an identity provider (GitHub, Google, etc.) to prove they are the owner of their account. Similarly, automated systems (like GitHub Actions) can use Workload Identity or [SPIFFE](https://spiffe.io/) Verifiable Identity Documents (SVIDs) to authenticate themselves via OIDC. The identity and issuer associated with the OIDC token is embedded in the short-lived certificate issued by Sigstore’s Certificate Authority, Fulcio. 
+Sigstore relies on the widely used OpenID Connect (OIDC) protocol to prove identity. When running something like `cosign sign`, users will complete an OIDC flow and authenticate via an identity provider (GitHub, GitLab, Google, etc.) to prove they are the owner of their account. Similarly, automated systems (like GitHub Actions) can use Workload Identity or [SPIFFE](https://spiffe.io/) Verifiable Identity Documents (SVIDs) to authenticate themselves via OIDC. The identity and issuer associated with the OIDC token is embedded in the short-lived certificate issued by Sigstore’s Certificate Authority, Fulcio. 
 
 ## Sigstore’s Trust Model
 

content/en/system_config/installation.md

@@ -92,6 +92,15 @@ with:
   cosign-release: "v2.0.2" # optional
 ```
 
+## GitLab
+
+Cosign can be installed in your CI/CD pipeline by using a before script in your job:
+
+```yaml
+before_script:
+  - apk add --update cosign
+```
+
 ## Container Images
 
 Signed release images are available at [`gcr.io/projectsigstore/cosign`](http://gcr.io/projectsigstore/cosign).

content/en/verifying/verify.md

@@ -23,7 +23,7 @@ $ cosign verify <image URI> [email protected]
 
 ```
 
-The oidc-issuer for Google is https://accounts.google.com, Microsoft is https://login.microsoftonline.com, and GitHub is https://github.com/login/oauth.
+The oidc-issuer for Google is https://accounts.google.com, Microsoft is https://login.microsoftonline.com, GitHub is https://github.com/login/oauth, and GitLab is https://gitlab.com.
 
 The following example verifies the signature on file.txt from user [email protected] issued by [email protected]. It uses a provided bundle cosign.bundle that contains the certificate and signature.