sigstore / fulcio

Sigstore OIDC PKI
Apache License 2.0

Add multiple SAN support when processing a JWT token in ciprovider #1763

Open Meeki1l opened 1 month ago

Meeki1l commented 1 month ago

We need to add two values as SANs when integrating with GitLab: 1) ci_config_ref_uri 2) user_email

This is necessary so that the policy controller can create flexible ClusterImagePolicy. Monorepositories can have different projects and even different teams. We need to check both the validity of ci_config_ref_uri and the validity of user_email when delivering the image.

haydentherapper commented 1 month ago

Could you say more about the need for multiple SANs? Conceptually, there should be only one signing identity - a user or a CI platform.

The certificate profile states that only one SAN is present, and all Sigstore clients currently assume this, so this would be quite a significant change in the ecosystem.
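The one-SAN assumption described above is something a verifier can enforce explicitly. As an added example (not Fulcio's or any Sigstore client's code), this Go snippet extracts the single SAN identity from a signing certificate and rejects one carrying zero or several; the self-signed fixture is constructed for the example and stands in for a Fulcio-issued certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// SigningIdentity returns the single SAN identity (email or URI) of a Sigstore-style
// signing certificate; zero or several identities, or any DNS/IP SAN, are rejected.
func SigningIdentity(cert *x509.Certificate) (string, error) {
	if len(cert.DNSNames) > 0 || len(cert.IPAddresses) > 0 {
		return "", fmt.Errorf("unexpected DNS or IP SAN in signing certificate")
	}
	ids := append([]string{}, cert.EmailAddresses...)
	for _, u := range cert.URIs {
		ids = append(ids, u.String())
	}
	if len(ids) != 1 {
		return "", fmt.Errorf("expected exactly 1 SAN identity, found %d", len(ids))
	}
	return ids[0], nil
}

// NewTestCert issues a self-signed certificate carrying the given SANs. It is a
// constructed fixture for this example, not how Fulcio issues certificates.
func NewTestCert(emails []string, uris []*url.URL) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(10 * time.Minute),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		EmailAddresses: emails,
		URIs:           uris,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```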