Resolve "Keyless signing with sigstore not working in child pipelines"
What does this MR do and why?
Users and colleagues are reporting failures in the integration with Sigstore for child pipelines. @fcatteau determined the root cause is a lack of attributes that are optional according to the standard but are required by Fulcio. Some analysis on whether it is appropriate to add the claims to child pipelines is available here.
References
- Fixes Keyless signing with sigstore not working in child pipelines
- Use Sigstore for keyless signing and verification
- Downstream pipelines
- OpenID Connect
How to set up and validate locally
Set-up
Create the following .gitlab-ci.yml file:

```yaml
# .gitlab-ci.yml
build-job:
  stage: build
  variables:
    GENERATE_PROVENANCE: true
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  script:
    - apt update && apt-get install -y jq
    - echo "I'm a parent pipeline:"
    - echo "$SIGSTORE_ID_TOKEN" | jq -R 'split(".") | .[0:2] | map(@base64d) | map(fromjson)' | grep -E '(ci_config_ref_uri|ci_config_sha)'

trigger-job:
  stage: build
  trigger:
    include:
      - local: child-pipeline.yml
```
Also create the child-pipeline.yml file:

```yaml
# child-pipeline.yml
ld-job:
  stage: build
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  script:
    - apt update && apt-get install -y jq
    - echo "I'm a child pipeline:"
    - echo "$SIGSTORE_ID_TOKEN" | jq -R 'split(".") | .[0:2] | map(@base64d) | map(fromjson)' | grep -E '(ci_config_ref_uri|ci_config_sha)'
```
You will also need to follow the runner set-up instructions in doc/howto/runner.md of the GitLab Development Kit.
Test
Current behaviour

```
[... in parent ...]
$ echo "I'm a parent pipeline:"
I'm a parent pipeline:
$ echo "$SIGSTORE_ID_TOKEN" | jq -R 'split(".") | .[0:2] | map(@base64d) | map(fromjson)' | grep -E '(ci_config_ref_uri|ci_config_sha)'
"ci_config_ref_uri": "gdk.test:3000/root/test-child-pipeline//.gitlab-ci.yml@refs/heads/main",
"ci_config_sha": "858fd5e94ca4e0ffd8777ad49f48a497dd1eda34",

[... in child ...]
I'm a child pipeline:
$ echo "$SIGSTORE_ID_TOKEN" | jq -R 'split(".") | .[0:2] | map(@base64d) | map(fromjson)' | grep -E '(ci_config_ref_uri|ci_config_sha)'
*nothing*
```
After fix

```
[... in child ...]
I'm a child pipeline:
$ echo "$SIGSTORE_ID_TOKEN" | jq -R 'split(".") | .[0:2] | map(@base64d) | map(fromjson)' | grep -E '(ci_config_ref_uri|ci_config_sha)'
"ci_config_ref_uri": "gdk.test:3000/root/test-child-pipeline//.gitlab-ci.yml@refs/heads/main",
"ci_config_sha": "55eb436fbae703f8fb5ff19ca0f9326b4418e57f",
```
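A small preflight check for the two claims the jq one-liner above greps for, as an added example that is not part of this MR or of GitLab's code. It decodes the token payload the same way the one-liner does (no signature verification, so it only diagnoses which claims a job's token carries); the tokens it decodes are constructed, unsigned samples built from the values shown in the parent-pipeline output.

```python
import base64
import json

# Claims that are optional in the OIDC spec but required by Fulcio; the two
# that this MR found missing from child-pipeline tokens.
REQUIRED_FULCIO_CLAIMS = ("ci_config_ref_uri", "ci_config_sha")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload) like the jq one-liner: inspection only.
    The signature is NOT checked, so use this to diagnose claims, never to trust them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def missing_fulcio_claims(token: str) -> list[str]:
    """Names of the Fulcio-required claims that are absent or empty in the token."""
    _, payload = decode_jwt_unverified(token)
    return [name for name in REQUIRED_FULCIO_CLAIMS if not payload.get(name)]

def make_sample_token(payload: dict) -> str:
    """Constructed sample token with a placeholder signature, so the check runs offline."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-sample"}
    sig = base64.urlsafe_b64encode(b"not-a-real-signature").rstrip(b"=").decode()
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.{sig}"

# Constructed samples: the parent carries the claim values from the MR output,
# the child omits both claims, as observed before the fix.
PARENT_TOKEN = make_sample_token({
    "aud": "sigstore",
    "ci_config_ref_uri": "gdk.test:3000/root/test-child-pipeline//.gitlab-ci.yml@refs/heads/main",
    "ci_config_sha": "858fd5e94ca4e0ffd8777ad49f48a497dd1eda34",
})
CHILD_TOKEN_BEFORE_FIX = make_sample_token({"aud": "sigstore"})

if __name__ == "__main__":
    for label, tok in (("parent", PARENT_TOKEN), ("child", CHILD_TOKEN_BEFORE_FIX)):
        missing = missing_fulcio_claims(tok)
        print(f"{label}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

In a real job you would pass `$SIGSTORE_ID_TOKEN` instead of the constructed samples and fail the job when the list is non-empty, before calling cosign.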
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #422146
Edited by Sam Roque-Worcel