Spike: Explore how we can manage keys for making attestations

[Racer159]

Is your feature request related to a problem? Please describe.

We need to determine an easy way to manage / provide keys to allow workload attestations to work within our SWF pipelines - this will target the in-toto specification (with witness as the underlying tooling to start - this may eventually be vendored directly into Maru).

Describe the solution you'd like

• Given I have a workload in a GitLab runner that I would like to create an attestation for
• When that workload runs
• Then an attestation is able to be generated with minimal user input

Describe alternatives you've considered

We could avoid attestations / in-toto but there is a lot of nice auditing capabilities that we would be missing out on without it.

Additional context

SPIFFE / SPIRE is a likely candidate for implementing this though an ADR should be created that outlines our selection.

[Racer159]

After some investigation leaning towards sigstore - if this is easy enough to airgap deploy we could use it for signing lots of stuff - including users signing things (not just workloads)

[Racer159]

Blocked on decisions around:

https://github.com/defenseunicorns/uds-core/issues/509 https://github.com/defenseunicorns/uds-identity-config/issues/115