Open jas4711 opened 1 year ago
Seems reasonable!
@znewman01 is this something I could work on?
Additionally, is this only for gitlab or should this apply to github key pairs as well?
That would be great @rnjudge ! Thanks 🙂
> Additionally, is this only for gitlab or should this apply to github key pairs as well?
Good call. I think the analog in GitHub would be organization secrets. That seems useful to me!
+1 on the organization secrets for github, but i think this will be another PR
Hi @rnjudge! May I give this a try if you are not working on this anymore?
Hi :smile: It's been some time since the last comment on this issue, I'll work on this
@robertohueso Thanks for doing this. This is a follow-up and FYI. BTW If you need help with testing and debugging, drop me a message.
As of this moment I'm testing out cosign within a GitLab pipeline and Harbor as container registry. For now all docker-compose based.
I initially created project level COSIGN variables within GitLab on a self-hosted instance. Worked out great.
As more projects came along for signing container images, I copied those same variables as a test use case to the main group and deleted the project level variables. Within GitLab those main group cosign variables are now inherited to all projects and/or subgroups.
But using `cosign sign -y --key gitlab://${PROJECTID} "$IMAGE_W_DIGEST"` within the pipeline of a project within a subgroup (the inherited group variables are visible there), cosign returns the following error:
```
# 324 is the project id. Test done with group id, also same error.
Error: signing [reg.<own-domain>.com/library/dnsmasq@sha256:34b9a5c7321cfcd1d1e1111049ee15916b7bb2d1de7d840aeebc060bcf1796a9]: getting signer: reading key: could not retrieve "COSIGN_PUBLIC_KEY" variable: GET https://git.<own-domain>.com/api/v4/projects/324/variables/COSIGN_PRIVATE_KEY: 404 {message: 404 Variable Not Found}
```

```yaml
# part of pipeline job
..
variables:
  ..
  COSIGN_YES: "true" # Automatically confirm actions in Cosign without user interaction
  FF_SCRIPT_SECTIONS: "true" # Enables GitLab's CI script sections for better multi-line script
  ..
before_script:
  # https://docs.sigstore.dev/cosign/system_config/installation/#alpine-linux
  - apk add --no-cache --update curl jq
  - echo "Installing cosign binary"
  - curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
  - mv cosign-linux-amd64 /usr/local/bin/cosign
  - chmod +x /usr/local/bin/cosign
  - cosign version
script:
  - export COSIGN_PASSWORD=${COSIGN_PASSWORD}
  - export GITLAB_TOKEN=${COSIGN_PAT}
  - export GITLAB_HOST=${CI_API_V4_URL}
  #
  # https://github.com/sigstore/cosign/issues/2914 "Please support group variables on GitLab"
  #
  - |
    cosign sign -y --key gitlab://${PROJECTID} "$IMAGE_W_DIGEST" \
      --annotations "com.gitlab.ci.project.name=$CI_PROJECT_NAME" \
      --annotations "tag=$IMAGE_TAG"
```
Inspiration from:
Hi. Using
cosign generate-key-pair gitlab://foo/bar
works fine if the destination is a project, but it seems useful to also generate keys and set the variables for a group, so the variables are reachable for all sub-groups. Compare this successful run:
With the following failing run:
I would want the second command to populate variables for that sub-group.
Thank you!
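The lookup that the pipeline comment's 404 and the issue body both ask for, written as an added example that is neither cosign's own code nor any poster's: it tries the project's variables first and then walks up the group chain through the real GitLab v4 endpoints (`/projects/:id`, `/projects/:id/variables/:key`, `/groups/:id`, `/groups/:id/variables/:key`). `FAKE_API`, the ids and the key value are constructed so it runs offline; `gitlab_fetch` is the live fetcher, driven by the same `GITLAB_HOST` and `GITLAB_TOKEN` the pipeline above exports, that a group-aware lookup would plug in instead.

```python
# Added example, not cosign's own code: resolve a CI variable project-first,
# then up the group chain. The 404 in the pipeline comment shows cosign's
# gitlab:// provider stops at the project endpoint; this is the fallback.
import json, os, urllib.error, urllib.request
from typing import Callable, Optional, Tuple

Fetch = Callable[[str], Optional[dict]]  # API path -> JSON dict, or None on 404
# Constructed fixture: project 324 sits in subgroup 20 under group 10, and only
# group 10 holds COSIGN_PRIVATE_KEY, so the project-level lookup returns 404.
FAKE_API = {
    "/projects/324": {"id": 324, "namespace": {"id": 20, "kind": "group"}},
    "/groups/20": {"id": 20, "parent_id": 10},
    "/groups/10": {"id": 10, "parent_id": None},
    "/groups/10/variables/COSIGN_PRIVATE_KEY": {
        "key": "COSIGN_PRIVATE_KEY", "value": "-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----"},
}

def fake_fetch(path: str) -> Optional[dict]:
    return FAKE_API.get(path)  # offline stand-in for the GitLab API

def gitlab_fetch(path: str) -> Optional[dict]:
    """Live fetcher: GITLAB_HOST is CI_API_V4_URL, GITLAB_TOKEN the PAT, as in the pipeline."""
    req = urllib.request.Request(os.environ["GITLAB_HOST"] + path,
                                 headers={"PRIVATE-TOKEN": os.environ["GITLAB_TOKEN"]})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None  # same "Variable Not Found" case cosign currently gives up on
        raise

def resolve_variable(project_id: int, key: str,
                     fetch: Fetch = fake_fetch) -> Tuple[str, Optional[str]]:
    """Return (scope, value); scope is 'project', 'group:<id>' or 'missing'."""
    var = fetch(f"/projects/{project_id}/variables/{key}")
    if var is not None:
        return "project", var["value"]
    project = fetch(f"/projects/{project_id}")
    if project is None or project.get("namespace", {}).get("kind") != "group":
        return "missing", None  # unknown project, or personal namespace: nothing to inherit
    group_id, seen = project["namespace"]["id"], set()
    while group_id is not None and group_id not in seen:  # follow parent_id, guard against loops
        seen.add(group_id)
        var = fetch(f"/groups/{group_id}/variables/{key}")
        if var is not None:
            return f"group:{group_id}", var["value"]
        group = fetch(f"/groups/{group_id}")
        group_id = group.get("parent_id") if group else None
    return "missing", None
```

Note that the token used for the group lookups needs read access to the group's CI variables, not just the project's, which is the scope a PAT such as `COSIGN_PAT` has to carry for the fallback to work.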