Verify Sigstore signature on project sync #14193
Draft
SUMMARY
Introduce Sigstore signature verification for projects on update as part of the roadmap for Sigstore integration in the Ansible ecosystem.
What is Sigstore?
This section is a short introduction to project Sigstore. For more information, refer to the project documentation.
Project Sigstore is a new standard for signing, verifying and protecting software that solves the following issues:
Key management: Sigstore solves the issue of private key storage and revocation by providing “keyless” signatures for software artifacts, eliminating the need for the user to store private GPG keys which could eventually become compromised.
Identity-based signatures: Sigstore generates free, short-lived signing certificates based on identities, delegating the authentication part to an OIDC provider (Google, GitHub, Microsoft…).
An immutable Transparency Log (Rekor) for signature and provenance attestations is used to store signature entries and facilitate verification and audits in case of identity compromise.
The Sigstore signature verification workflow for projects would exist in parallel with the current implementation for GPG signature verification.
Sigstore provides “keyless” signing for software artifacts, where a signer can connect to an OIDC provider and Sigstore will produce an ephemeral signing certificate and store a signature entry in an immutable transparency log queried during signature verification.
Changes introduced by this PR
This change allows a project's Sigstore signature, generated with ansible-sign (the change to be supported in the CLI can be seen here), to be verified during a sync.
A new type of Credential, `sigstore`, is introduced to define the parameters for verifying a project signature. Here is an overview of the configuration options for this type of credential:
When launching a project sync, if enabled, the job will look for a checksums manifest and for Sigstore signature materials under `.ansible-sign/` and will succeed only if the signature was successfully verified:
ISSUE TYPE
COMPONENT NAME
AWX VERSION
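The sync-time gate described under "Changes introduced by this PR", as an added example that is not code from this PR, from AWX or from ansible-sign: a Python model of a fail-closed project verification. The file names under `.ansible-sign/` (`sha256sum.txt` and `sha256sum.txt.sig`), the `sha256sum`-style manifest format and the HMAC stand-in used in place of a Sigstore client call are assumptions made so the example runs offline. What it demonstrates is the ordering a defender cares about: the signature over the manifest is checked before anything in the manifest is trusted, every listed file is then hashed against the signed digest, and any failure refuses the sync.

```python
"""Fail-closed "verify before sync" gate for a checked-out project (added example)."""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Callable

# Assumed (hypothetical) layout of the signing materials inside a checkout.
SIGN_DIR = Path(".ansible-sign")
MANIFEST_NAME = "sha256sum.txt"
SIGNATURE_NAME = "sha256sum.txt.sig"


class VerificationError(Exception):
    """Raised whenever the sync must be refused."""


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines ("<64 hex>  <relative path>") into {path: digest}."""
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise VerificationError(f"manifest line {lineno}: malformed")
        digest, path = parts[0].lower(), parts[1].lstrip("*")  # '*' marks binary mode
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise VerificationError(f"manifest line {lineno}: bad sha256 digest")
        if Path(path).is_absolute() or ".." in Path(path).parts:
            raise VerificationError(f"manifest line {lineno}: path escapes the project")
        if path in entries:
            raise VerificationError(f"manifest line {lineno}: duplicate entry for {path}")
        entries[path] = digest
    if not entries:
        raise VerificationError("manifest lists no files")
    return entries


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_project(root: Path, verify_signature: Callable[[bytes, bytes], bool]) -> list[str]:
    """Signature first, then every listed file's digest; returns the verified paths."""
    manifest_path = root / SIGN_DIR / MANIFEST_NAME
    sig_path = root / SIGN_DIR / SIGNATURE_NAME
    if not manifest_path.is_file() or not sig_path.is_file():
        raise VerificationError("signing materials missing; refusing to sync")
    manifest_bytes = manifest_path.read_bytes()
    # Nothing in the manifest is trusted until the signature over it has verified.
    if not verify_signature(manifest_bytes, sig_path.read_bytes()):
        raise VerificationError("manifest signature did not verify")
    entries = parse_manifest(manifest_bytes.decode("utf-8"))
    for rel, expected in sorted(entries.items()):
        target = root / rel
        if not target.is_file():
            raise VerificationError(f"{rel}: listed in manifest but not in checkout")
        if sha256_of(target) != expected:
            raise VerificationError(f"{rel}: content does not match signed manifest")
    return sorted(entries)


def hmac_stand_in(key: bytes) -> Callable[[bytes, bytes], bool]:
    """Stand-in for the Sigstore step so the example runs offline (assumption).

    A real deployment would hand the manifest bytes and signature to a Sigstore
    client, which checks the signing certificate's identity and the Rekor entry.
    """
    def verify(manifest: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(hmac.new(key, manifest, hashlib.sha256).digest(), signature)
    return verify


DEMO_KEY = b"constructed-demo-key"  # constructed for the example, not a real key


def build_demo_project(root: Path) -> None:
    """Write a constructed two-file project plus its manifest and stand-in signature."""
    (root / "playbook.yml").write_text("- hosts: all\n  tasks: []\n")
    (root / "roles").mkdir()
    (root / "roles" / "README.md").write_text("constructed role\n")
    lines = [f"{sha256_of(root / p)}  {p}" for p in ("playbook.yml", "roles/README.md")]
    (root / SIGN_DIR).mkdir()
    manifest = ("\n".join(lines) + "\n").encode()
    (root / SIGN_DIR / MANIFEST_NAME).write_bytes(manifest)
    (root / SIGN_DIR / SIGNATURE_NAME).write_bytes(hmac.new(DEMO_KEY, manifest, hashlib.sha256).digest())


def demo() -> tuple[list[str], str, str]:
    """Returns (verified paths, error after tampering a file, error under a wrong key)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_project(root)
        ok = verify_project(root, hmac_stand_in(DEMO_KEY))
        # A listed file changed after signing: the digest check must refuse the sync.
        (root / "playbook.yml").write_text("- hosts: all\n  tasks: [{debug: msg=changed}]\n")
        try:
            verify_project(root, hmac_stand_in(DEMO_KEY))
            tamper_err = ""
        except VerificationError as e:
            tamper_err = str(e)
        # Wrong trust root: the signature step refuses before any digest is consulted.
        try:
            verify_project(root, hmac_stand_in(b"some-other-key"))
            sig_err = ""
        except VerificationError as e:
            sig_err = str(e)
    return ok, tamper_err, sig_err


if __name__ == "__main__":
    print(demo())
```

Note that a missing `.ansible-sign/` directory is treated the same way as a failed signature: the credential's whole value comes from the sync refusing to proceed unless every step passes, so the gate never falls back to an unsigned checkout.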