Open mayaCostantini opened 1 year ago
This is the wrong repo for the `ansible-galaxy` tool. Please file feature requests/issues for it in https://github.com/ansible/ansible where it is maintained. This repo is for https://galaxy.ansible.com/ (which will probably be replaced by https://github.com/ansible/galaxy_ng/ soon).
Feature Request
Use Case
As a user of `ansible-galaxy`, I would like to be able to verify that signatures produced by Sigstore are valid before uploading a collection to an Ansible repository.
Proposed Solution
What is Sigstore?
Sigstore is a new standard for signing, verifying and protecting software. It allows developers to sign artifacts using a self-managed key pair or using a "keyless" signing flow and to store signing materials in a tamper-resistant transparency log.
This feature proposal is part of the work in progress to integrate Sigstore signing and verification capabilities into the Ansible ecosystem. It will allow users and consumers of Ansible content to securely sign and verify artifacts and reinforce their supply chain security.
How does Sigstore work?
Sigstore enables developers to sign their artifacts using a "keyless" signing flow, which removes the need for them to manage private keys and sign using an OpenID Connect identity. Signatures are logged into an append-only, immutable transparency log for verification. The Sigstore community maintains a public good instance of Sigstore anyone can sign and verify against.
Proposed solution overview
As is currently the case for GPG signatures, add command line options to the `ansible-galaxy collection install` subcommand to verify Sigstore signatures. The proposed options would be similar to the ones soon present in `ansible-sign` (and in the upstream `sigstore-python` library command line).
Example usage:
In the command above, `ansible-galaxy` verifies that a collection signature is valid and that the signing certificate contains the correct signer identity (email) `collectionsigner@example.com` that comes from the expected identity issuer `https://github.com/login/oauth`.
Implementation
Sigstore signing standard for collections
As already proposed by the implementation of this feature in `ansible-sign`, the Sigstore signing process for a collection would be the following:
1. Create a `sha256sum.txt` file under the collection `.ansible-sign/` directory containing the checksums of all the files present in the `MANIFEST.in` file.
2. Sign `sha256sum.txt` using Sigstore. The outputs produced include a signature file (`sha256sum.txt.sig`), a signing certificate (`sha256sum.txt.crt`) and a Sigstore bundle (`sha256sum.txt.sigstore`).
This way, the following steps would be required for `ansible-galaxy` to verify a collection signature:
1. Verify that the `sha256sum.txt` file contents and checksums correspond to the ones from `MANIFEST.in` to ensure the collection integrity.
2. Verify the signature produced by `ansible-sign` and verify it comes from the expected signer and identity provider by checking the signing certificate.
See also the current implementation in this ansible-sign pull request and the verification options provided by the `sigstore-python` command line utility.
Unless disabled (for example with a `--disable-sigstore-verify` flag), failing to verify a collection signature would block the collection installation.
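Verification step 1 above (checking that `sha256sum.txt` still describes the files `MANIFEST.in` selects) as an added, stand-alone example; it is not code from `ansible-galaxy`, `ansible-sign` or `sigstore-python`. The Sigstore signature and identity check of step 2 would be delegated to `sigstore-python` and is not shown. The example assumes a `MANIFEST.in` subset of only `include` and `recursive-include` directives and builds a constructed sample collection in a temporary directory; it also shows the three failure modes the check must report (a file missing from the checksum list, an extra listed file, and a digest mismatch) rather than stopping at the first one.

```python
"""Added example: the sha256sum.txt integrity check that precedes Sigstore
signature verification. Not ansible-galaxy/ansible-sign code; the signature and
identity check (step 2) would be delegated to sigstore-python and is omitted."""
from __future__ import annotations

import fnmatch
import hashlib
import re
import tempfile
from pathlib import Path

# Line format written by sha256sum(1) and by ansible-sign: "<64 hex digits>  <relative path>"
_LINE = re.compile(r"^(?P<digest>[0-9a-f]{64})  (?P<path>\S.*)$")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def files_from_manifest_in(collection_dir: Path, manifest_in: str) -> set[str]:
    """Expand MANIFEST.in to relative POSIX paths. Assumption: only the
    'include' and 'recursive-include' directives are needed here; any other
    directive is rejected rather than silently ignored."""
    selected: set[str] = set()
    for raw in manifest_in.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive, args = parts[0], parts[1:]
        if directive == "include":
            for pattern in args:
                selected.update(p.relative_to(collection_dir).as_posix()
                                for p in collection_dir.glob(pattern) if p.is_file())
        elif directive == "recursive-include" and len(args) >= 2:
            base = collection_dir / args[0]
            selected.update(p.relative_to(collection_dir).as_posix()
                            for p in base.rglob("*")
                            if p.is_file() and any(fnmatch.fnmatch(p.name, pat) for pat in args[1:]))
        else:
            raise ValueError(f"unsupported MANIFEST.in line: {raw!r}")
    return selected


def build_sha256sum(collection_dir: Path, files: set[str]) -> str:
    """Signing side: the content of .ansible-sign/sha256sum.txt, i.e. what gets signed."""
    return "".join(f"{sha256_file(collection_dir / f)}  {f}\n" for f in sorted(files))


def parse_sha256sum(text: str) -> dict[str, str]:
    """Parse sha256sum.txt strictly: a malformed or duplicate entry is an error,
    because a signature over an ambiguous checksum list proves little."""
    entries: dict[str, str] = {}
    for n, line in enumerate(text.splitlines(), 1):
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"sha256sum.txt line {n} is malformed: {line!r}")
        if m["path"] in entries:
            raise ValueError(f"sha256sum.txt lists {m['path']!r} twice")
        entries[m["path"]] = m["digest"]
    return entries


def integrity_problems(collection_dir: Path, sha256sum_text: str, manifest_in: str) -> list[str]:
    """Verification step 1: every file MANIFEST.in selects is listed in
    sha256sum.txt with a matching digest, and sha256sum.txt lists nothing else.
    Returns all findings; an empty list means the collection tree is intact."""
    expected = files_from_manifest_in(collection_dir, manifest_in)
    listed = parse_sha256sum(sha256sum_text)
    listed_paths = set(listed)
    problems = [f"not in sha256sum.txt: {f}" for f in sorted(expected - listed_paths)]
    problems += [f"listed but not in MANIFEST.in: {f}" for f in sorted(listed_paths - expected)]
    problems += [f"digest mismatch: {f}" for f in sorted(expected & listed_paths)
                 if sha256_file(collection_dir / f) != listed[f]]
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample collection (not a real one): a clean check, then the same
    signed checksum list after a covered file is modified and a new one dropped in."""
    manifest_in = "include galaxy.yml\nrecursive-include plugins *.py\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins" / "modules").mkdir(parents=True)
        (root / "galaxy.yml").write_text("namespace: example\nname: demo\nversion: 1.0.0\n")
        (root / "plugins" / "modules" / "ping.py").write_text("def main():\n    return 'pong'\n")
        (root / "plugins" / "README.md").write_text("not selected by MANIFEST.in\n")
        sha256sum_text = build_sha256sum(root, files_from_manifest_in(root, manifest_in))
        clean = integrity_problems(root, sha256sum_text, manifest_in)
        # Post-signing tampering: the signed sha256sum.txt no longer describes the tree.
        (root / "plugins" / "modules" / "ping.py").write_text("def main():\n    return 'pwned'\n")
        (root / "plugins" / "evil.py").write_text("pass\n")
        tampered = integrity_problems(root, sha256sum_text, manifest_in)
    return clean, tampered


if __name__ == "__main__":
    for label, findings in zip(("clean", "tampered"), demo()):
        print(label, findings or "OK")
```

Only after `integrity_problems` returns an empty list is it worth verifying the Sigstore bundle over `sha256sum.txt` and checking the certificate's signer identity and issuer; a valid signature over a checksum list that no longer matches the tree is exactly the case the first step exists to catch.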