From 7abf3ee9d3e9add5984571fe891a24b2ebafbd39 Mon Sep 17 00:00:00 2001
From: Clement Bois
Date: Tue, 2 Sep 2025 23:09:36 +0200
Subject: [PATCH 1/2] feat(cosign): add variable for annotations
---
 README.md | 1 +
 kicker.json | 6 ++++++
 templates/gitlab-ci-docker.yml | 35 ++++++++++++++++++----------------
 3 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/README.md b/README.md
index 2a2078e..e6ee781 100644
--- a/README.md
+++ b/README.md
@@ -246,6 +246,7 @@ The signing process can be configured with the following variables:
 | `cosign-opts` / `DOCKER_COSIGN_OPTS` | Options for [`cosign sign`](https://docs.sigstore.dev/cosign/signing/signing_with_containers/) command | `--tlog-upload=false --recursive` |
 | `cosign-attest-opts` / `DOCKER_COSIGN_ATTEST_OPTS` | Options for [`cosign attest`](https://docs.sigstore.dev/cosign/verifying/attestation/) command | `--tlog-upload=false` |
+| `cosign-annotations` / `DOCKER_COSIGN_ANNOTATIONS` | Additional annotations to add to the signature | GitLab build provenance data |
 | `cosign-dist-url` / `DOCKER_COSIGN_DIST_URL` | Url to the `linux-amd64` binary of Cosign to use (ex: `https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64`)
 _When unset, the latest version will be used_ | _none_ |
 | :lock: `cosign-private-key` / `DOCKER_COSIGN_PRIVATE_KEY` | Private key used for signing the Docker image and the attestation | _none_ |
 | :lock: `cosign-password` / `COSIGN_PASSWORD` | Password of the private key | _none_ |
diff --git a/kicker.json b/kicker.json
index b8071b4..74d252a 100644
--- a/kicker.json
+++ b/kicker.json
@@ -241,6 +241,12 @@
 "default": "--tlog-upload=false",
 "advanced": true
 },
+ {
+ "name": "DOCKER_COSIGN_ANNOTATIONS",
+ "description": "Additional annotations to add to the signature",
+ "default": "--annotations \"gitlab.ci.project.path=https://$CI_SERVER_HOST/$CI_PROJECT_PATH\" --annotations \"gitlab.ci.user.name=$GITLAB_USER_NAME\" --annotations \"gitlab.ci.pipeline.name=$CI_PIPELINE_NAME\" --annotations \"gitlab.ci.pipeline.id=$CI_PIPELINE_ID\" --annotations \"gitlab.ci.pipeline.url=$CI_PIPELINE_URL\" --annotations \"gitlab.ci.job.id=$CI_JOB_ID\" --annotations \"gitlab.ci.job.url=$CI_JOB_URL\" --annotations \"gitlab.ci.commit.sha=$CI_COMMIT_SHA\" --annotations \"gitlab.ci.commit.ref.name=$CI_COMMIT_REF_NAME\" --annotations \"gitlab.ci.runner.id=$CI_RUNNER_ID\" --annotations \"gitlab.ci.runner.version=$CI_RUNNER_VERSION\" --annotations \"gitlab.ci.time.startedOn=$CI_JOB_STARTED_AT\" --annotations \"gitlab.ci.registry.image=$docker_image\" --annotations \"tag=$docker_tag\"",
+ "advanced": true
+ },
 {
 "name": "DOCKER_COSIGN_DIST_URL",
 "description": "Url to the `linux-amd64` binary of Cosign to use\n\n_When unset, the latest version will be used_",
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index 919ab23..db3a196 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -185,6 +185,23 @@ spec:
 cosign-attest-opts:
 description: Options for [`cosign attest`](https://docs.sigstore.dev/cosign/verifying/attestation/) command
 default: --tlog-upload=false
+ cosign-annotations:
+ description: Additional annotations to add to the signature
+ default: >-
+ --annotations "gitlab.ci.project.path=https://$CI_SERVER_HOST/$CI_PROJECT_PATH"
+ --annotations "gitlab.ci.user.name=$GITLAB_USER_NAME"
+ --annotations "gitlab.ci.pipeline.name=$CI_PIPELINE_NAME"
+ --annotations "gitlab.ci.pipeline.id=$CI_PIPELINE_ID"
+ --annotations "gitlab.ci.pipeline.url=$CI_PIPELINE_URL"
+ --annotations "gitlab.ci.job.id=$CI_JOB_ID"
+ --annotations "gitlab.ci.job.url=$CI_JOB_URL"
+ --annotations "gitlab.ci.commit.sha=$CI_COMMIT_SHA"
+ --annotations "gitlab.ci.commit.ref.name=$CI_COMMIT_REF_NAME"
+ --annotations "gitlab.ci.runner.id=$CI_RUNNER_ID"
+ --annotations "gitlab.ci.runner.version=$CI_RUNNER_VERSION"
+ --annotations "gitlab.ci.time.startedOn=$CI_JOB_STARTED_AT"
+ --annotations "gitlab.ci.registry.image=$docker_image"
+ --annotations "tag=$docker_tag"
 cosign-dist-url:
 description: |-
 Url to the `linux-amd64` binary of Cosign to use (ex: `https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64`)
@@ -295,6 +312,7 @@ variables:
 COSIGN_YES: "true" # skip confirmation prompts for non-destructive operations
 DOCKER_COSIGN_STRATEGY: $[[ inputs.cosign-strategy ]]
 DOCKER_COSIGN_OPTS: $[[ inputs.cosign-opts ]]
+ DOCKER_COSIGN_ANNOTATIONS: $[[ inputs.cosign-annotations ]]
 DOCKER_COSIGN_ATTEST_OPTS: $[[ inputs.cosign-attest-opts ]]
 DOCKER_COSIGN_DIST_URL: $[[ inputs.cosign-dist-url ]]
 
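Review bot: The `cosign-annotations` description on the new side (`Additional annotations to add to the signature`) does not say what the value must look like, nor that overriding it replaces the default list rather than extending it, and the identical text is repeated for `DOCKER_COSIGN_ANNOTATIONS` in the kicker.json hunk above, so both copies should say the same thing. As written the value is consumed as one whitespace-separated string of `--annotations "key=value"` options, and the default publishes the triggering user's display name, runner id and job/pipeline URLs into the signature pushed to the registry, which is worth stating so projects know what leaves the pipeline. Two of the default entries, `$docker_image` and `$docker_tag`, are not predefined GitLab variables; the description should say where those names are resolved, or those two entries should not be part of a user-facing default. A description such as `Options passed to \`cosign sign\` to annotate the signature, as a whitespace-separated list of \`--annotations "key=value"\` arguments (setting this replaces the default GitLab provenance annotations)` would cover it; the patch 2 hunk below (`@@ -188,19 +188,20 @@`) reworks the same default and leaves the description unchanged.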
@@ -895,22 +913,7 @@ stages:
 # shellcheck disable=SC2154
 log_info "Sign image ${docker_image_digest}"
 # shellcheck disable=SC2154,SC2086
- $docker_cosign sign $DOCKER_COSIGN_OPTS --key ${docker_cosign_private_key} \
- --annotations "gitlab.ci.project.path=https://$CI_SERVER_HOST/$CI_PROJECT_PATH" \
- --annotations "gitlab.ci.user.name=$GITLAB_USER_NAME" \
- --annotations "gitlab.ci.pipeline.name=$CI_PIPELINE_NAME" \
- --annotations "gitlab.ci.pipeline.id=$CI_PIPELINE_ID" \
- --annotations "gitlab.ci.pipeline.url=$CI_PIPELINE_URL" \
- --annotations "gitlab.ci.job.id=$CI_JOB_ID" \
- --annotations "gitlab.ci.job.url=$CI_JOB_URL" \
- --annotations "gitlab.ci.commit.sha=$CI_COMMIT_SHA" \
- --annotations "gitlab.ci.commit.ref.name=$CI_COMMIT_REF_NAME" \
- --annotations "gitlab.ci.runner.id=$CI_RUNNER_ID" \
- --annotations "gitlab.ci.runner.version=$CI_RUNNER_VERSION" \
- --annotations "gitlab.ci.time.startedOn=$CI_JOB_STARTED_AT" \
- --annotations "gitlab.ci.registry.image=$docker_image" \
- --annotations "tag=$docker_tag" \
- ${docker_image_digest}
+ echo $DOCKER_COSIGN_ANNOTATIONS | xargs $docker_cosign sign $DOCKER_COSIGN_OPTS --key ${docker_cosign_private_key} ${docker_image_digest}
 }
 
 # Used by containers tools like buildah, skopeo.
-- GitLab
From 4bd548ebbe26d5a55e4aa2606e23d48e75b70fcd Mon Sep 17 00:00:00 2001
From: Clement Bois
Date: Wed, 17 Sep 2025 15:21:09 +0200
Subject: [PATCH 2/2] fix(cosign): use reverse domain notation for annotations
---
 kicker.json | 2 +-
 templates/gitlab-ci-docker.yml | 27 ++++++++++++++------------
 2 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/kicker.json b/kicker.json
index 74d252a..3d443d8 100644
--- a/kicker.json
+++ b/kicker.json
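Review bot: The new `echo $DOCKER_COSIGN_ANNOTATIONS | xargs ...` line re-parses the annotation text with xargs' own quoting rules after the runner has (as I expect for `variables:` values) already substituted `$GITLAB_USER_NAME`, `$CI_COMMIT_REF_NAME` and the other references into it, so a display name or branch name containing an apostrophe, a double quote or a backslash makes xargs abort with an unmatched-quote error or split the value, and the sign step fails or records a wrong annotation; the 16 removed lines passed each value as a single shell word and had no such failure mode. Two of the default entries, `gitlab.ci.registry.image=$docker_image` and `tag=$docker_tag`, reference names that look like script-local shell variables, and the shell expands `$DOCKER_COSIGN_ANNOTATIONS` once without re-expanding text inside its value, so unless something upstream resolves them these two annotations will carry the literal strings `$docker_image` and `$docker_tag` — worth checking on a signed image. Reaching for `eval` to fix the expansion would be worse, because the already-substituted, user-influenced values would then be parsed as shell; the safer shape is to keep the values out of any re-parsing by making the variable one `key=value` entry per line, building the argument list with a `read` loop, and adding the two script-local entries in the script where the shell can expand them. That also means the `default:` in the `@@ -185,6 +185,23 @@` hunk of this file and its kicker.json copy become a `|-` literal list of `key=value` lines without the `--annotations` prefix. Note that xargs appends the options after `${docker_image_digest}`, which relies on cosign accepting flags after its positional argument; the function this line belongs to starts outside the hunk, and the rewrite below assumes it runs inside that function (so `set --` only touches the function's own positional parameters) and stays POSIX sh, since I cannot see which shell the job image provides.
```shell
# … unchanged: log_info "Sign image ${docker_image_digest}" …
# DOCKER_COSIGN_ANNOTATIONS is one "key=value" entry per line; no quoting layer is
# re-parsed, so values the runner already substituted (user name, ref name) pass verbatim.
set --
while IFS= read -r annotation; do
  [ -n "$annotation" ] && set -- "$@" --annotations "$annotation"
done <<EOF
$DOCKER_COSIGN_ANNOTATIONS
EOF
# entries that depend on script-local variables are added here, where the shell can expand them
set -- "$@" --annotations "com.gitlab.ci.registry.image=$docker_image" --annotations "tag=$docker_tag"
# shellcheck disable=SC2086
$docker_cosign sign $DOCKER_COSIGN_OPTS --key ${docker_cosign_private_key} "$@" ${docker_image_digest}
```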
@@ -244,7 +244,7 @@
 {
 "name": "DOCKER_COSIGN_ANNOTATIONS",
 "description": "Additional annotations to add to the signature",
- "default": "--annotations \"gitlab.ci.project.path=https://$CI_SERVER_HOST/$CI_PROJECT_PATH\" --annotations \"gitlab.ci.user.name=$GITLAB_USER_NAME\" --annotations \"gitlab.ci.pipeline.name=$CI_PIPELINE_NAME\" --annotations \"gitlab.ci.pipeline.id=$CI_PIPELINE_ID\" --annotations \"gitlab.ci.pipeline.url=$CI_PIPELINE_URL\" --annotations \"gitlab.ci.job.id=$CI_JOB_ID\" --annotations \"gitlab.ci.job.url=$CI_JOB_URL\" --annotations \"gitlab.ci.commit.sha=$CI_COMMIT_SHA\" --annotations \"gitlab.ci.commit.ref.name=$CI_COMMIT_REF_NAME\" --annotations \"gitlab.ci.runner.id=$CI_RUNNER_ID\" --annotations \"gitlab.ci.runner.version=$CI_RUNNER_VERSION\" --annotations \"gitlab.ci.time.startedOn=$CI_JOB_STARTED_AT\" --annotations \"gitlab.ci.registry.image=$docker_image\" --annotations \"tag=$docker_tag\"",
+ "default": "--annotations \"com.gitlab.ci.project.path=$CI_PROJECT_URL\" --annotations \"com.gitlab.ci.user.name=$GITLAB_USER_NAME\" --annotations \"com.gitlab.ci.pipeline.id=$CI_PIPELINE_ID\" --annotations \"com.gitlab.ci.pipeline.url=$CI_PIPELINE_URL\" --annotations \"com.gitlab.ci.job.id=$CI_JOB_ID\" --annotations \"com.gitlab.ci.job.url=$CI_JOB_URL\" --annotations \"com.gitlab.ci.commit.sha=$CI_COMMIT_SHA\" --annotations \"com.gitlab.ci.commit.ref.name=$CI_COMMIT_REF_NAME\" --annotations \"com.gitlab.ci.runner.id=$CI_RUNNER_ID\" --annotations \"com.gitlab.ci.runner.version=$CI_RUNNER_VERSION\" --annotations \"com.gitlab.ci.job.started-at=$CI_JOB_STARTED_AT\" --annotations \"com.gitlab.ci.registry.image=$docker_image\" --annotations \"org.opencontainers.image.source=$CI_PROJECT_URL\" --annotations \"org.opencontainers.image.revision=$CI_COMMIT_SHA\" --annotations \"tag=$docker_tag\"",
 "advanced": true
 },
 {
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index db3a196..3c9ab03 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -188,19 +188,20 @@ spec:
 cosign-annotations:
 description: Additional annotations to add to the signature
 default: >-
- --annotations "gitlab.ci.project.path=https://$CI_SERVER_HOST/$CI_PROJECT_PATH"
- --annotations "gitlab.ci.user.name=$GITLAB_USER_NAME"
- --annotations "gitlab.ci.pipeline.name=$CI_PIPELINE_NAME"
- --annotations "gitlab.ci.pipeline.id=$CI_PIPELINE_ID"
- --annotations "gitlab.ci.pipeline.url=$CI_PIPELINE_URL"
- --annotations "gitlab.ci.job.id=$CI_JOB_ID"
- --annotations "gitlab.ci.job.url=$CI_JOB_URL"
- --annotations "gitlab.ci.commit.sha=$CI_COMMIT_SHA"
- --annotations "gitlab.ci.commit.ref.name=$CI_COMMIT_REF_NAME"
- --annotations "gitlab.ci.runner.id=$CI_RUNNER_ID"
- --annotations "gitlab.ci.runner.version=$CI_RUNNER_VERSION"
- --annotations "gitlab.ci.time.startedOn=$CI_JOB_STARTED_AT"
- --annotations "gitlab.ci.registry.image=$docker_image"
+ --annotations "com.gitlab.ci.project.path=$CI_PROJECT_URL"
+ --annotations "com.gitlab.ci.user.name=$GITLAB_USER_NAME"
+ --annotations "com.gitlab.ci.pipeline.id=$CI_PIPELINE_ID"
+ --annotations "com.gitlab.ci.pipeline.url=$CI_PIPELINE_URL"
+ --annotations "com.gitlab.ci.job.id=$CI_JOB_ID"
+ --annotations "com.gitlab.ci.job.url=$CI_JOB_URL"
+ --annotations "com.gitlab.ci.commit.sha=$CI_COMMIT_SHA"
+ --annotations "com.gitlab.ci.commit.ref.name=$CI_COMMIT_REF_NAME"
+ --annotations "com.gitlab.ci.runner.id=$CI_RUNNER_ID"
+ --annotations "com.gitlab.ci.runner.version=$CI_RUNNER_VERSION"
+ --annotations "com.gitlab.ci.job.started-at=$CI_JOB_STARTED_AT"
+ --annotations "com.gitlab.ci.registry.image=$docker_image"
+ --annotations "org.opencontainers.image.source=$CI_PROJECT_URL"
+ --annotations "org.opencontainers.image.revision=$CI_COMMIT_SHA"
 --annotations "tag=$docker_tag"
 cosign-dist-url:
 description: |-
-- GitLab
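Review bot: On the new side `com.gitlab.ci.project.path` now carries `$CI_PROJECT_URL`, a full URL, while the key still says `path`, and `org.opencontainers.image.source` two lines further down carries the same `$CI_PROJECT_URL`; either keep a path with `--annotations "com.gitlab.ci.project.path=$CI_PROJECT_PATH"` or rename the key to `com.gitlab.ci.project.url`, so the key describes its value. The kicker.json hunk of this patch (`@@ -244,7 +244,7 @@`) duplicates the same default and needs the same change. The unchanged `--annotations "tag=$docker_tag"` context line is now the only key without a reverse-domain prefix, which the commit message says was the point of this change; `com.gitlab.ci.registry.tag=$docker_tag` would be consistent with the `registry.image` entry above it. The removal of `pipeline.name` is not mentioned in the commit message; presumably it is because pipeline names may contain spaces or quotes, and a short note on that would help the next reader.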