ansible / galaxy

Legacy Galaxy still available as read-only on https://old-galaxy.ansible.com - looking for the new galaxy -> https://github.com/ansible/galaxy_ng
Apache License 2.0

Verify Sigstore signatures for a collection on installation #3126

Open mayaCostantini opened 1 year ago

mayaCostantini commented 1 year ago

Feature Request

Use Case

As a user of ansible-galaxy, I would like to be able to verify that signatures produced by Sigstore are valid before uploading a collection to an Ansible repository.

Proposed Solution

What is Sigstore?

Sigstore is a new standard for signing, verifying and protecting software. It allows developers to sign artifacts using a self-managed key pair or using a "keyless" signing flow and to store signing materials in a tamper-resistant transparency log.

This feature proposal is part of the work in progress to integrate Sigstore signing and verification capabilities into the Ansible ecosystem. It will allow users and consumers of Ansible content to securely sign and verify artifacts and reinforce their supply chain security.

How does Sigstore work?

Sigstore enables developers to sign their artifacts using a "keyless" signing flow, which removes the need for them to manage private keys and sign using an OpenID Connect identity. Signatures are logged into an append-only, immutable transparency log for verification. The Sigstore community maintains a public good instance of Sigstore anyone can sign and verify against.

Proposed solution overview

As it is currently the case for GPG signatures, add command line options to the ansible-galaxy collection install subcommand to verify Sigstore signatures. The proposed options would be similar to the ones soon present in ansible-sign (and in the upstream sigstore-python library command line).

Example usage:

ansible-galaxy collection install $COLLECTION -s $REPOSITORY_ADDR --cert-identity=collectionsigner@example.com --cert-oidc-issuer=https://github.com/login/oauth

In the command above, ansible-galaxy verifies that a collection signature is valid and that the signing certificate contains the correct signer identity (email) collectionsigner@example.com that comes from the expected identity issuer https://github.com/login/oauth.

Implementation

Sigstore signing standard for collections

As already proposed by the implementation of this feature in ansible-sign, the Sigstore signing process for a collection would be the following:

This way, the following steps would be required for ansible-galaxy to verify a collection signature:

See also the current implementation in this ansible-sign pull request and the verification options provided by the sigstore-python command line utility.

Unless disabled (for example with a --disable-sigstore-verify flag), failing to verify a collection signature would block the collection installation.
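As an added example (not code from this issue, from ansible-galaxy, or from sigstore-python), the Go program below shows the three checks the proposed options describe: the signer identity in the certificate must equal --cert-identity, the OIDC issuer recorded in the Fulcio certificate must equal --cert-oidc-issuer, and the signature must verify over the collection bytes; a failed check blocks installation unless verification is explicitly disabled. The signing certificate is a constructed self-signed one that carries the Fulcio issuer extension OID (1.3.6.1.4.1.57264.1.1, raw issuer string); the Fulcio chain validation and Rekor transparency-log inclusion check that a real Sigstore verifier also performs are assumed to have been done elsewhere and are not shown. All function and type names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fulcio records the OIDC issuer in a private X.509 extension; this is the
// original (raw string) issuer OID. Chain and Rekor checks are out of scope.
var oidFulcioIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// Policy mirrors the proposed --cert-identity / --cert-oidc-issuer options.
type Policy struct {
	CertIdentity   string
	CertOIDCIssuer string
}

// issuerOf returns the issuer URL stored in the Fulcio extension, if present.
func issuerOf(cert *x509.Certificate) (string, bool) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidFulcioIssuer) {
			return string(ext.Value), true
		}
	}
	return "", false
}

// VerifyCollection checks identity, issuer and signature; any failure is an error.
func VerifyCollection(artifact, sig []byte, cert *x509.Certificate, pol Policy) error {
	identityOK := false
	for _, email := range cert.EmailAddresses {
		if email == pol.CertIdentity {
			identityOK = true
		}
	}
	if !identityOK {
		return fmt.Errorf("signer identity %v does not match expected %q", cert.EmailAddresses, pol.CertIdentity)
	}
	issuer, ok := issuerOf(cert)
	if !ok {
		return errors.New("certificate carries no OIDC issuer extension")
	}
	if issuer != pol.CertOIDCIssuer {
		return fmt.Errorf("issuer %q does not match expected %q", issuer, pol.CertOIDCIssuer)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported signing key type")
	}
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify over the collection bytes")
	}
	return nil
}

// ShouldInstall is fail-closed: a verification error blocks the install unless
// the user passed the equivalent of --disable-sigstore-verify.
func ShouldInstall(verifyErr error, disableVerify bool) bool {
	return verifyErr == nil || disableVerify
}

// NewSigningIdentity builds a constructed, self-signed Fulcio-like certificate
// for the given email and issuer (test data only, not a real Fulcio cert).
func NewSigningIdentity(email, issuer string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "constructed test signer"},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute),
		EmailAddresses:  []string{email},
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuer, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignArtifact produces an ECDSA/SHA-256 signature over the collection bytes.
func SignArtifact(key *ecdsa.PrivateKey, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

func main() {
	cert, key, err := NewSigningIdentity("collectionsigner@example.com", "https://github.com/login/oauth")
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed collection tarball bytes") // stands in for namespace-name-1.0.0.tar.gz
	sig, _ := SignArtifact(key, artifact)
	pol := Policy{CertIdentity: "collectionsigner@example.com", CertOIDCIssuer: "https://github.com/login/oauth"}
	err = VerifyCollection(artifact, sig, cert, pol)
	fmt.Println("verify error:", err, "install:", ShouldInstall(err, false))
	err = VerifyCollection(artifact, sig, cert, Policy{CertIdentity: "other@example.com", CertOIDCIssuer: pol.CertOIDCIssuer})
	fmt.Println("verify error:", err, "install:", ShouldInstall(err, false))
}
```

The identity and issuer are compared as exact strings, which is what the issue's example command implies; a policy that accepts any identity from a given issuer would be a deliberate weakening and is left out here.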

s-hertel commented 1 year ago

This is the wrong repo for the ansible-galaxy tool. Please file feature requests/issues for it in https://github.com/ansible/ansible where it is maintained. This repo is for https://galaxy.ansible.com/ (which will probably be replaced by https://github.com/ansible/galaxy_ng/ soon).