diff --git a/README.md b/README.md
index 2a2078e2c2f9d81935c9cab8a485355e656d091e..e6ee78127918e1c9e4607bfe8a48e89795a3c929 100644
--- a/README.md
+++ b/README.md
@@ -246,6 +246,7 @@ The signing process can be configured with the following variables:
 | `cosign-opts` / `DOCKER_COSIGN_OPTS` | Options for [`cosign sign`](https://docs.sigstore.dev/cosign/signing/signing_with_containers/) command | `--tlog-upload=false --recursive` |
 | `cosign-attest-opts` / `DOCKER_COSIGN_ATTEST_OPTS` | Options for [`cosign attest`](https://docs.sigstore.dev/cosign/verifying/attestation/) command | `--tlog-upload=false` |
+| `cosign-annotations` / `DOCKER_COSIGN_ANNOTATIONS` | Additional annotations to add to the signature | GitLab build provenance data |
 | `cosign-dist-url` / `DOCKER_COSIGN_DIST_URL` | Url to the `linux-amd64` binary of Cosign to use (ex: `https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64`)
_When unset, the latest version will be used_ | _none_ |
 | :lock: `cosign-private-key` / `DOCKER_COSIGN_PRIVATE_KEY` | Private key used for signing the Docker image and the attestation | _none_ |
 | :lock: `cosign-password` / `COSIGN_PASSWORD` | Password of the private key | _none_ |
diff --git a/kicker.json b/kicker.json
index b8071b4d765394feba9462aaff9f2d83d39bff4d..3d443d83df0b66bbb119b6de68bfbd7eeb3cc97c 100644
--- a/kicker.json
+++ b/kicker.json
@@ -241,6 +241,12 @@
 "default": "--tlog-upload=false",
 "advanced": true
 },
+ {
+ "name": "DOCKER_COSIGN_ANNOTATIONS",
+ "description": "Additional annotations to add to the signature",
+ "default": "--annotations \"com.gitlab.ci.project.path=$CI_PROJECT_URL\" --annotations \"com.gitlab.ci.user.name=$GITLAB_USER_NAME\" --annotations \"com.gitlab.ci.pipeline.id=$CI_PIPELINE_ID\" --annotations \"com.gitlab.ci.pipeline.url=$CI_PIPELINE_URL\" --annotations \"com.gitlab.ci.job.id=$CI_JOB_ID\" --annotations \"com.gitlab.ci.job.url=$CI_JOB_URL\" --annotations \"com.gitlab.ci.commit.sha=$CI_COMMIT_SHA\" --annotations \"com.gitlab.ci.commit.ref.name=$CI_COMMIT_REF_NAME\" --annotations \"com.gitlab.ci.runner.id=$CI_RUNNER_ID\" --annotations \"com.gitlab.ci.runner.version=$CI_RUNNER_VERSION\" --annotations \"com.gitlab.ci.job.started-at=$CI_JOB_STARTED_AT\" --annotations \"com.gitlab.ci.registry.image=$docker_image\" --annotations \"org.opencontainers.image.source=$CI_PROJECT_URL\" --annotations \"org.opencontainers.image.revision=$CI_COMMIT_SHA\" --annotations \"tag=$docker_tag\"",
+ "advanced": true
+ },
 {
 "name": "DOCKER_COSIGN_DIST_URL",
 "description": "Url to the `linux-amd64` binary of Cosign to use\n\n_When unset, the latest version will be used_",
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index 919ab239b2195560d9433a13da0f0125f8f79aea..3c9ab03938e465d212f14552cfbd919031b709bd 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
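Review bot: `Additional annotations to add to the signature` describes `DOCKER_COSIGN_ANNOTATIONS` as extending the defaults, but the signing script passes the variable as the whole annotation list, so setting it replaces the GitLab provenance annotations rather than adding to them, and the value has to be a string of `--annotations \"key=value\"` flags because it is re-split by `xargs` at run time. I'd reword it to `Cosign annotation flags attached to the signature; overriding this replaces the default GitLab provenance annotations (format: --annotations \"key=value\" ...)`. The same description text is used for the `cosign-annotations` input in the templates/gitlab-ci-docker.yml hunk and for the README row, so all three should change together.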
@@ -185,6 +185,24 @@ spec:
 cosign-attest-opts:
 description: Options for [`cosign attest`](https://docs.sigstore.dev/cosign/verifying/attestation/) command
 default: --tlog-upload=false
+ cosign-annotations:
+ description: Additional annotations to add to the signature
+ default: >-
+ --annotations "com.gitlab.ci.project.path=$CI_PROJECT_URL"
+ --annotations "com.gitlab.ci.user.name=$GITLAB_USER_NAME"
+ --annotations "com.gitlab.ci.pipeline.id=$CI_PIPELINE_ID"
+ --annotations "com.gitlab.ci.pipeline.url=$CI_PIPELINE_URL"
+ --annotations "com.gitlab.ci.job.id=$CI_JOB_ID"
+ --annotations "com.gitlab.ci.job.url=$CI_JOB_URL"
+ --annotations "com.gitlab.ci.commit.sha=$CI_COMMIT_SHA"
+ --annotations "com.gitlab.ci.commit.ref.name=$CI_COMMIT_REF_NAME"
+ --annotations "com.gitlab.ci.runner.id=$CI_RUNNER_ID"
+ --annotations "com.gitlab.ci.runner.version=$CI_RUNNER_VERSION"
+ --annotations "com.gitlab.ci.job.started-at=$CI_JOB_STARTED_AT"
+ --annotations "com.gitlab.ci.registry.image=$docker_image"
+ --annotations "org.opencontainers.image.source=$CI_PROJECT_URL"
+ --annotations "org.opencontainers.image.revision=$CI_COMMIT_SHA"
+ --annotations "tag=$docker_tag"
 cosign-dist-url:
 description: |-
 Url to the `linux-amd64` binary of Cosign to use (ex: `https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64`)
@@ -295,6 +313,7 @@ variables:
 COSIGN_YES: "true" # skip confirmation prompts for non-destructive operations
 DOCKER_COSIGN_STRATEGY: $[[ inputs.cosign-strategy ]]
 DOCKER_COSIGN_OPTS: $[[ inputs.cosign-opts ]]
+ DOCKER_COSIGN_ANNOTATIONS: $[[ inputs.cosign-annotations ]]
 DOCKER_COSIGN_ATTEST_OPTS: $[[ inputs.cosign-attest-opts ]]
 DOCKER_COSIGN_DIST_URL: $[[ inputs.cosign-dist-url ]]
 
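Review bot: The new `cosign-annotations` default changes every annotation key the signature carries — the lines removed in the later script hunk emitted `gitlab.ci.*`, `gitlab.ci.time.startedOn` and `gitlab.ci.pipeline.name`, while this default emits `com.gitlab.ci.*`, `com.gitlab.ci.job.started-at` and no pipeline name — so a `cosign verify -a key=value` check or an admission policy written against the old keys stops matching images signed after this change, and nothing in the commit documents that. I'd extend the `description` with a sentence naming the keys emitted by default and add a README or changelog entry that lists the old-to-new key mapping and the dropped `gitlab.ci.pipeline.name`, so consumers can update their verification policies before this template version is rolled out. The second hunk on this line only wires the input into `DOCKER_COSIGN_ANNOTATIONS` and raises nothing on its own.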
@@ -895,22 +914,7 @@ stages:
 # shellcheck disable=SC2154
 log_info "Sign image ${docker_image_digest}"
 # shellcheck disable=SC2154,SC2086
- $docker_cosign sign $DOCKER_COSIGN_OPTS --key ${docker_cosign_private_key} \
- --annotations "gitlab.ci.project.path=https://$CI_SERVER_HOST/$CI_PROJECT_PATH" \
- --annotations "gitlab.ci.user.name=$GITLAB_USER_NAME" \
- --annotations "gitlab.ci.pipeline.name=$CI_PIPELINE_NAME" \
- --annotations "gitlab.ci.pipeline.id=$CI_PIPELINE_ID" \
- --annotations "gitlab.ci.pipeline.url=$CI_PIPELINE_URL" \
- --annotations "gitlab.ci.job.id=$CI_JOB_ID" \
- --annotations "gitlab.ci.job.url=$CI_JOB_URL" \
- --annotations "gitlab.ci.commit.sha=$CI_COMMIT_SHA" \
- --annotations "gitlab.ci.commit.ref.name=$CI_COMMIT_REF_NAME" \
- --annotations "gitlab.ci.runner.id=$CI_RUNNER_ID" \
- --annotations "gitlab.ci.runner.version=$CI_RUNNER_VERSION" \
- --annotations "gitlab.ci.time.startedOn=$CI_JOB_STARTED_AT" \
- --annotations "gitlab.ci.registry.image=$docker_image" \
- --annotations "tag=$docker_tag" \
- ${docker_image_digest}
+ echo $DOCKER_COSIGN_ANNOTATIONS | xargs $docker_cosign sign $DOCKER_COSIGN_OPTS --key ${docker_cosign_private_key} ${docker_image_digest}
 }
 
 # Used by containers tools like buildah, skopeo.
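Review bot: The added `echo $DOCKER_COSIGN_ANNOTATIONS | xargs $docker_cosign sign …` line lets annotation values such as `$CI_COMMIT_REF_NAME` and `$GITLAB_USER_NAME` — chosen by whoever pushes a branch or sets a display name — reshape the cosign command line, because xargs re-tokenises the whole string on whitespace and quote characters: a value containing `"` or `'` either aborts the job with an unmatched-quote error or is split into extra arguments that cosign then parses as flags. The removed inline form passed each annotation as one quoted shell word and had no such seam. Separately, `$docker_image` and `$docker_tag` in the default are shell variables set inside this script, and the shell does not re-expand `$` references contained in an expanded variable value, so unless runner-side variable expansion resolves them (it cannot see script-local variables) the signature will carry the literal text `$docker_image`; worth confirming on a test job. I would make the input a newline-separated list of `key=value` pairs, build the flags in the script as an array (assuming the job shell is bash, which the `${var}` syntax visible here does not prove), and keep the two script-local annotations inline as below; the enclosing function starts before this hunk.
```shell
    # shellcheck disable=SC2154,SC2086
    # DOCKER_COSIGN_ANNOTATIONS: one "key=value" annotation per line. Each line becomes
    # a single argument, so quote characters in ref names or user names cannot split it.
    local -a cosign_annotations=()
    while IFS= read -r annotation; do
      [[ -n "$annotation" ]] && cosign_annotations+=(--annotations "$annotation")
    done <<< "$DOCKER_COSIGN_ANNOTATIONS"
    # script-local values stay inline: the shell will not expand them out of a CI variable
    cosign_annotations+=(--annotations "com.gitlab.ci.registry.image=$docker_image" --annotations "tag=$docker_tag")
    $docker_cosign sign $DOCKER_COSIGN_OPTS --key ${docker_cosign_private_key} "${cosign_annotations[@]}" ${docker_image_digest}
```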