Open di opened 1 year ago
It also sounds like we shouldn't support CircleCI currently?
Even if we resolve https://github.com/pypi/warehouse/issues/13887 so that we verify that `aud` is only our audiences, from https://github.com/sigstore/fulcio/issues/591#issuecomment-1579417445 it sounds like CircleCI only lets you have a single OIDC token, which means that you only have a single set of audiences per workflow.
I think that means if we restrict `aud` to only be PyPI, then they cannot auth that workflow with OIDC anywhere else, because they only get the one token. It feels janky to support a provider where we would have to expect to be the only thing that authenticates with OIDC? At least I can assume that we will very quickly get an issue asking us to relax the `aud` requirements because someone wants to auth to two things from the same workflow.
Maybe? Although I think partial support for users that are able to just restrict to our audience would probably be better than no support at all.
I'm personally torn on it, which is why I brought it up.
My biggest concern is this would mean that it is impossible to use PyPI and sigstore together (though afaict sigstore isn't planning to support CircleCI until the shared list of audiences problem is addressed, so the question might be largely academic), and I think Trusted Publishers + sigstore is going to be our best-in-class solution for security in the future, so it feels kind of meh to support a platform that can't support what is likely to be our golden path?
That being said, there's nothing inherently broken about it, so if people think it's worthwhile that's fine. I'm just worried about the fragility of a solution that relies on being the only thing someone wants to authenticate against.
Hi @di and @dstufft,
I wanted to post an update that CircleCI has recently rolled out support for generating ID tokens with a custom audience claim at the job/step level. This unblocks anyone who needs a token restricted to a single audience and gets around the limitation of having to share multiple audiences in a single pipeline token.
We've also added a reply in the original sigstore issue https://github.com/sigstore/fulcio/issues/591#issuecomment-1831318416.
Thanks @jbialy! I believe this fully unblocks things here; we've made corresponding changes in `id` here: https://github.com/di/id/pull/144
Per https://circleci.com/docs/api/v2/index.html#tag/OIDC-Token-Management, CircleCI now supports a customizable `aud` claim which means we could support it as a trusted publisher. This is likely blocked on https://github.com/pypi/warehouse/issues/13887 given that OIDC tokens from CircleCI might be intentionally shared across multiple third party providers.