git.stella-ops.org/docs/features/unchecked/signer/ci-cd-keyless-signing-workflow-templates.md

CI/CD Keyless Signing Workflow Templates (GitHub/GitLab/Gitea)

Module: Signer

Status: IMPLEMENTED

Description

Production-ready, reusable CI/CD workflow templates that integrate keyless signing into GitHub Actions (stellaops-sign.yml, stellaops-verify.yml), GitLab CI (.gitlab-ci-stellaops.yml), and Gitea. The templates use the runner's own OIDC identity token, so no long-lived signing key has to be provisioned or stored as a CI secret; identity verification gates bind each signature to the expected workflow identity, and a signature produced on one platform can be verified on another.

Implementation Details

  • SigstoreSigningService: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreSigningService.cs -- orchestrates the complete Sigstore keyless signing flow: (1) generate an ephemeral ECDSA P-256 key pair, (2) compute the SHA-256 hash of the artifact, (3) create a proof of possession by signing the OIDC identity with the ephemeral private key, so Fulcio can confirm that the certificate requester holds the key, (4) request a short-lived signing certificate from Fulcio, (5) sign the artifact hash with the ephemeral key, (6) upload the signature and certificate to the Rekor transparency log. VerifyKeylessAsync validates the signature, the certificate, and the Rekor entry; because Fulcio certificates expire within minutes and verification happens long after the ephemeral key is gone, it checks the Rekor integrated timestamp against the certificate's validity window rather than the current time
  • SigstoreServiceCollectionExtensions: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreServiceCollectionExtensions.cs -- DI registration for Sigstore services
  • SigstoreOptions: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreOptions.cs -- configurable Fulcio URL, Rekor URL, RequireRekorEntry flag, retry/backoff settings
  • SignerEndpoints: src/Signer/StellaOps.Signer/StellaOps.Signer.WebService/Endpoints/SignerEndpoints.cs -- signing API endpoints consumed by CI/CD workflow templates
  • AmbientOidcTokenProvider: src/Signer/__Libraries/StellaOps.Signer.Keyless/AmbientOidcTokenProvider.cs -- discovers the ambient OIDC token in the CI runner environment (GitHub Actions, GitLab CI, Gitea)
  • KeylessDsseSigner: src/Signer/__Libraries/StellaOps.Signer.Keyless/KeylessDsseSigner.cs -- DSSE signer used by workflow templates for in-toto statement signing
  • Source: SPRINT_20251226_004_BE_cicd_signing_templates.md
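The following is an added, stand-alone illustration (not StellaOps code) of the parts of the flow above that need no network: ambient OIDC token discovery, the in-toto statement carrying the artifact's SHA-256 subject digest, the DSSE pre-authentication encoding (PAE) that the ephemeral key actually signs, and the envelope a workflow template would ship. Assumptions not taken from this page: the GitHub Actions and GitLab CI environment-variable names follow the conventions cosign's ambient providers use, GITEA_OIDC_TOKEN is a hypothetical name, the ephemeral P-256 signer uses the `cryptography` package, and the Fulcio certificate request and Rekor upload are omitted.

```python
import base64
import hashlib
import json
import os


def detect_ambient_oidc(env):
    """Locate the runner's OIDC identity token. Returns (provider, source) or None.

    GitHub Actions and GitLab CI variable names follow cosign's ambient
    providers; GITEA_OIDC_TOKEN is an assumed name for this example only.
    """
    if env.get("ACTIONS_ID_TOKEN_REQUEST_URL") and env.get("ACTIONS_ID_TOKEN_REQUEST_TOKEN"):
        # GitHub exposes a per-job token endpoint: GET {url}&audience=<aud>
        # with ACTIONS_ID_TOKEN_REQUEST_TOKEN sent as the bearer token.
        return ("github-actions", env["ACTIONS_ID_TOKEN_REQUEST_URL"] + "&audience=sigstore")
    if env.get("GITLAB_CI") == "true" and env.get("SIGSTORE_ID_TOKEN"):
        # GitLab mints the token into a variable declared under `id_tokens:` in the job.
        return ("gitlab-ci", "env:SIGSTORE_ID_TOKEN")
    if env.get("GITEA_ACTIONS") == "true" and env.get("GITEA_OIDC_TOKEN"):
        return ("gitea", "env:GITEA_OIDC_TOKEN")  # assumed variable name
    return None


def intoto_statement(artifact_name, artifact_bytes, predicate_type, predicate):
    """in-toto Statement v1 whose subject is the artifact's SHA-256 digest."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": artifact_name, "digest": {"sha256": digest}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def dsse_pae(payload_type, payload):
    """DSSE Pre-Authentication Encoding: the bytes the key signs, not the raw payload.

    Binding payloadType into the signed bytes prevents a signed envelope from
    being re-labelled as a different payload type after the fact.
    """
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def dsse_envelope(statement, sign):
    """Serialize the statement and wrap it in a DSSE envelope using signer `sign`."""
    payload_type = "application/vnd.in-toto+json"
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    signature = sign(dsse_pae(payload_type, payload))
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "", "sig": base64.b64encode(signature).decode()}],
    }


def envelope_signed_bytes(envelope):
    """Recompute the PAE from a received envelope, as a verifier must before checking `sig`."""
    return dsse_pae(envelope["payloadType"], base64.b64decode(envelope["payload"]))


def ephemeral_p256_signer():
    """Ephemeral ECDSA P-256 key as in the keyless flow (needs the `cryptography` package).

    The private key lives only in this process; Fulcio binds its public half to
    the CI identity, so nothing here is stored as a CI secret.
    """
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import ec
    key = ec.generate_private_key(ec.SECP256R1())
    return key.public_key(), (lambda data: key.sign(data, ec.ECDSA(hashes.SHA256())))


if __name__ == "__main__":
    print("ambient token:", detect_ambient_oidc(os.environ))
    artifact = b"constructed sample artifact bytes"  # constructed input, not a real build
    statement = intoto_statement("dist/app.tar.gz", artifact,
                                 "https://slsa.dev/provenance/v1", {"buildType": "example"})
    _, sign = ephemeral_p256_signer()
    envelope = dsse_envelope(statement, sign)
    print(json.dumps(envelope, indent=2))
    print("signed bytes start:", envelope_signed_bytes(envelope)[:40])
```

The signer is injected so the same envelope code works with the ephemeral key, an HSM, or a test double; the point to take from `dsse_pae` is that a verifier must rebuild exactly these bytes from `payloadType` and the decoded `payload` before checking the signature.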

E2E Test Plan

  • Verify signing endpoint accepts OIDC identity token and returns signed DSSE envelope with certificate chain
  • Verify verification endpoint validates signature, certificate chain, and Rekor entry, including that the Rekor integrated time falls within the certificate's validity window
  • Test ambient OIDC token detection for GitHub Actions, GitLab CI, and Gitea CI environments
  • Verify Rekor transparency log entry is created when RequireRekorEntry is enabled
  • Verify signing fails gracefully when Fulcio is unavailable (proper error response)
  • Test cross-platform signature verification: sign on GitHub Actions, verify on GitLab CI; the verifying job's policy pins the GitHub Actions issuer and workflow identity that produced the signature, not the identity of the platform doing the verification
  • Verify signed artifacts include proper in-toto statement format with subject digests
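As an added example (not StellaOps code and not the project's test suite), the identity gate that the cross-platform case above relies on: a verifier, wherever it runs, checks the Rekor integrated time against the short-lived certificate's validity window, pins the expected OIDC issuer, and matches the certificate's subject identity against a policy. Assumptions: the X.509 fields are shown already extracted into a dict (real code parses the Fulcio leaf certificate), the sample identities and Rekor entry are constructed, and the SAN/issuer strings follow the formats Fulcio issues for GitHub Actions and GitLab CI workflow identities; Gitea is not sampled here.

```python
import re
from datetime import datetime, timezone

# Constructed sample: fields extracted from a Fulcio leaf certificate.
# Fulcio certificates are valid for only about ten minutes, so wall-clock
# time is useless at verification; the Rekor integrated time is what counts.
GITHUB_CERT = {
    "not_before": "2025-12-26T10:00:00Z",
    "not_after": "2025-12-26T10:10:00Z",
    "issuer": "https://token.actions.githubusercontent.com",
    "san": "https://github.com/example-org/example-app/.github/workflows/stellaops-sign.yml@refs/tags/v1.4.0",
}
# Same workflow file run from a feature branch: a release policy must reject it.
BRANCH_CERT = dict(GITHUB_CERT, san="https://github.com/example-org/example-app/.github/workflows/stellaops-sign.yml@refs/heads/feature-x")
# A GitLab-issued identity for the same project (constructed).
GITLAB_CERT = dict(GITHUB_CERT, issuer="https://gitlab.com",
                   san="https://gitlab.com/example-org/example-app//.gitlab-ci.yml@refs/heads/main")
# Constructed Rekor entry; integratedTime is 2025-12-26T10:05:00Z, inside the window.
REKOR_ENTRY = {"integratedTime": 1766743500, "logIndex": 123456}

# Release policy: only the signing workflow, only on version tags.
RELEASE_POLICY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "san_regex": r"https://github\.com/example-org/example-app/\.github/workflows/stellaops-sign\.yml@refs/tags/v\d+\.\d+\.\d+",
}
# Weak policy: any workflow in the org on any ref. It accepts BRANCH_CERT.
WEAK_POLICY = {"issuer": RELEASE_POLICY["issuer"], "san_regex": r"https://github\.com/example-org/.*"}


def _parse_utc(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def verify_identity(cert, rekor_entry, policy):
    """Identity gate for a keyless signature. Returns (ok, reasons).

    Signature and chain validation are separate steps; this function only
    decides whether the identity that signed is one the policy trusts.
    """
    reasons = []
    signed_at = datetime.fromtimestamp(rekor_entry["integratedTime"], tz=timezone.utc)
    if not (_parse_utc(cert["not_before"]) <= signed_at <= _parse_utc(cert["not_after"])):
        reasons.append(f"Rekor integrated time {signed_at.isoformat()} outside certificate validity")
    if cert["issuer"] != policy["issuer"]:
        reasons.append(f"issuer {cert['issuer']} does not match expected {policy['issuer']}")
    if not re.fullmatch(policy["san_regex"], cert["san"]):
        reasons.append(f"identity {cert['san']} does not match policy")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name, cert in (("github tag", GITHUB_CERT), ("github branch", BRANCH_CERT), ("gitlab", GITLAB_CERT)):
        print(name, "release policy:", verify_identity(cert, REKOR_ENTRY, RELEASE_POLICY))
    print("github branch, weak policy:", verify_identity(BRANCH_CERT, REKOR_ENTRY, WEAK_POLICY))
    stale = {"integratedTime": REKOR_ENTRY["integratedTime"] + 3600, "logIndex": 123457}
    print("entry logged an hour later:", verify_identity(GITHUB_CERT, stale, RELEASE_POLICY))
```

`re.fullmatch` rather than `re.search` matters: a search-style match on the SAN lets an attacker embed the expected path in a longer identity string. The weak policy shows the other common mistake: a keyless signature from a feature branch or a fork's workflow is still a valid Sigstore signature, so the workflow identity pattern is the control, not the signature itself.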