2023-07

2023-07-22 Gitlab 16.2 Support for Keyless Signing with Cosign

• https://about.gitlab.com/releases/2023/07/22/gitlab-16-2-released/#support-for-keyless-signing-with-cosign

• https://www.sigstore.dev/

Properly storing, rotating, and managing signing keys can be difficult and typically requires the overhead of managing a separate Key Management System (KMS).

GitLab now supports keyless signing through a native integration with the Sigstore Cosign tool which allows for easy, convenient, and secure signing within the GitLab CI/CD pipeline.

Signing is done using a very short-lived signing key .

The key is generated through a token obtained from the GitLab server using the OIDC identity of the user who ran the pipeline. This token includes unique claims that certify the token was generated by a CI/CD pipeline.

To begin using keyless signing for your build artifacts, container images, and packages, users only need to add a few lines to their CI/CD file as shown in our documentation.

build_and_sign_image:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  variables:
    COSIGN_YES: "true"
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  before_script:
    - apk add --update cosign
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  script:
    - docker build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
    - IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA)
    - cosign sign $IMAGE_DIGEST