From ff0f3426117ad71b68759dd22d780c93c4e667bc Mon Sep 17 00:00:00 2001 From: Sam White Date: Fri, 18 Aug 2023 14:01:38 -0600 Subject: [PATCH] Add support for GitLab to docs Signed-off-by: Sam White Resolves: #215 --- .../certificate_authority/oidc-in-fulcio.md | 23 +++++++++++++++++++ content/en/security.md | 2 +- content/en/system_config/installation.md | 9 ++++++++ content/en/verifying/verify.md | 2 +- 4 files changed, 34 insertions(+), 2 deletions(-) diff --git a/content/en/certificate_authority/oidc-in-fulcio.md b/content/en/certificate_authority/oidc-in-fulcio.md index 6f5589b1..4866899c 100644 --- a/content/en/certificate_authority/oidc-in-fulcio.md +++ b/content/en/certificate_authority/oidc-in-fulcio.md @@ -19,6 +19,7 @@ Email-based OIDC providers use the user's email as the subject of the certificat * Dex (`oauth2.sigstore.dev/auth`) * GitHub (Note that this is the email of the user, not the GitHub username) + * GitLab * Google * Microsoft * Google (`accounts.google.com`) @@ -29,6 +30,18 @@ GitHub supports OIDC tokens for its workflows initiated from GitHub Actions. Thi * GitHub Actions (`token.actions.githubusercontent.com`) +GitLab supports OIDC tokens for its workflows initiated from GitLab CI/CD pipelines This removes the need for persisting authentication credentials. OIDC tokens include information about the workflow and source repository. + +In GitLab, you can generate the necessary tokens by simply adding the following to your CI/CD job: + +```yaml +id_tokens: + SIGSTORE_ID_TOKEN: + aud: sigstore +``` + +See the [GitLab documentation](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html) for full examples on signing through GitLab. + ### SPIFFE SPIFFE-based OIDC providers use a SPIFFE ID as the URI subject alternative name of the certificate, scoped to a domain. 
@@ -99,6 +112,16 @@ The token must include the following claims: All other required claims are extracted and included in custom OID fields, as documented in [OID Information](https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md). +### GitLab + +The token must include the following claims: + +``` +{ +// TODO: ADD LIST OF CLAIMS +} +``` + ### SPIFFE The token must include the following claims: diff --git a/content/en/security.md b/content/en/security.md index da630d39..6f420874 100644 --- a/content/en/security.md +++ b/content/en/security.md @@ -9,7 +9,7 @@ The Sigstore security model has a few key components, each aimed at establishing ## Proving Identity in Sigstore -Sigstore relies on the widely used OpenID Connect (OIDC) protocol to prove identity. When running something like `cosign sign`, users will complete an OIDC flow and authenticate via an identity provider (GitHub, Google, etc.) to prove they are the owner of their account. Similarly, automated systems (like GitHub Actions) can use Workload Identity or [SPIFFE](https://spiffe.io/) Verifiable Identity Documents (SVIDs) to authenticate themselves via OIDC. The identity and issuer associated with the OIDC token is embedded in the short-lived certificate issued by Sigstore’s Certificate Authority, Fulcio. +Sigstore relies on the widely used OpenID Connect (OIDC) protocol to prove identity. When running something like `cosign sign`, users will complete an OIDC flow and authenticate via an identity provider (GitHub, GitLab, Google, etc.) to prove they are the owner of their account. Similarly, automated systems (like GitHub Actions) can use Workload Identity or [SPIFFE](https://spiffe.io/) Verifiable Identity Documents (SVIDs) to authenticate themselves via OIDC. The identity and issuer associated with the OIDC token is embedded in the short-lived certificate issued by Sigstore’s Certificate Authority, Fulcio. ## Sigstore’s Trust Model 
diff --git a/content/en/system_config/installation.md b/content/en/system_config/installation.md index 8447ef0e..b33f3468 100644 --- a/content/en/system_config/installation.md +++ b/content/en/system_config/installation.md @@ -92,6 +92,15 @@ with: cosign-release: "v2.0.2" # optional ``` +## GitLab + +Cosign can be installed in your CI/CD pipeline by using a before script in your job: + +```yaml +before_script: + - apk add --update cosign +``` + ## Container Images Signed release images are available at [`gcr.io/projectsigstore/cosign`](http://gcr.io/projectsigstore/cosign). diff --git a/content/en/verifying/verify.md b/content/en/verifying/verify.md index e81889dd..e853305e 100644 --- a/content/en/verifying/verify.md +++ b/content/en/verifying/verify.md @@ -23,7 +23,7 @@ $ cosign verify --certificate-identity=name@example.com ``` -The oidc-issuer for Google is https://accounts.google.com, Microsoft is https://login.microsoftonline.com, and GitHub is https://github.com/login/oauth. +The oidc-issuer for Google is https://accounts.google.com, Microsoft is https://login.microsoftonline.com, GitHub is https://github.com/login/oauth, and GitLab is https://gitlab.com. The following example verifies the signature on file.txt from user name@example.com issued by accounts@example.com. It uses a provided bundle cosign.bundle that contains the certificate and signature.
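Review bot: In the first oidc-in-fulcio.md hunk the new paragraph is missing a full stop: "GitLab CI/CD pipelines This removes the need..." should read "GitLab CI/CD pipelines. This removes the need...". Also, the hunk adds "GitLab" to the email-based provider list without the issuer URL that the Dex and Google entries carry, while the new CI/CD paragraph has no bullet at all next to "GitHub Actions (`token.actions.githubusercontent.com`)"; since the `id_tokens` snippet produces a pipeline token rather than a user email token, consider adding a GitLab bullet with its issuer under the CI/CD list (the verify.md hunk states it as https://gitlab.com) so readers can match the provider type to the token they are generating.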
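Review bot: The second oidc-in-fulcio.md hunk ships a placeholder, `// TODO: ADD LIST OF CLAIMS`, inside a fenced block under "The token must include the following claims:", which would be published as-is. Either list the claims GitLab tokens must carry (and point to the same OID Information document the GitHub section cites for how they are mapped) or drop the `### GitLab` section from this patch until the list is known. Minor: the fence has no language tag, unlike the `yaml` fences elsewhere in the patch, and `//` comments are not valid in a JSON example.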
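Review bot: In the installation.md hunk, `apk add --update cosign` installs an unpinned version from the distribution repository, whereas the GitHub Actions example directly above pins `cosign-release: "v2.0.2"`; state which version the package provides or show how to pin one, and say that this snippet assumes an Alpine-based job image (the `apk` command will not exist on other images). A short note on how to verify the installed binary would also keep this section consistent with the rest of the installation page.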
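Review bot: In the verify.md hunk the GitLab issuer is given as https://gitlab.com, which is correct for the SaaS instance only; if the docs also target self-managed GitLab, say that the issuer is the instance's own URL so that a `--certificate-oidc-issuer` check is not written against the wrong value. The surrounding example verifies an email identity, so it would help to add a sentence on what the certificate identity looks like for a GitLab pipeline-issued certificate, since that is what the `id_tokens` snippet added in this patch produces.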