stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/checked/signer/ci-cd-keyless-signing-workflow-templates.md
master cf5b72974f save checkpoint
2026-02-11 01:32:14 +02:00

8.8 KiB
Raw Blame History

CI/CD Keyless Signing Workflow Templates (GitHub/GitLab/Gitea)

Module

Signer

Status

VERIFIED

Description

Backend signing services enabling CI/CD keyless signing integration. SigstoreSigningService orchestrates the full Sigstore keyless flow (ephemeral key generation, Fulcio certificate request, artifact signing, Rekor upload). AmbientOidcTokenProvider detects OIDC tokens from CI runner environments. SignerEndpoints expose the signing API consumed by CI/CD pipelines. Note: Actual YAML workflow template files (stellaops-sign.yml, .gitlab-ci-stellaops.yml) are not present in the repository; the backend services that power CI/CD keyless signing are fully implemented.

Implementation Details

  • SigstoreSigningService: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreSigningService.cs -- orchestrates complete Sigstore keyless signing: (1) generate ephemeral ECDSA P-256 key pair, (2) compute SHA-256 artifact hash, (3) create proof-of-possession by signing OIDC token, (4) request certificate from Fulcio, (5) sign artifact with ephemeral key, (6) upload to Rekor transparency log; VerifyKeylessAsync validates signature, certificate, and Rekor entry timestamp
  • SigstoreServiceCollectionExtensions: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreServiceCollectionExtensions.cs -- DI registration for Sigstore services
  • SigstoreOptions: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreOptions.cs -- configurable Fulcio URL, Rekor URL, RequireRekorEntry flag, retry/backoff settings
  • SignerEndpoints: src/Signer/StellaOps.Signer/StellaOps.Signer.WebService/Endpoints/SignerEndpoints.cs -- signing API endpoints consumed by CI/CD workflow templates
  • AmbientOidcTokenProvider: src/Signer/__Libraries/StellaOps.Signer.Keyless/AmbientOidcTokenProvider.cs -- detects OIDC tokens from CI runner environment (GitHub Actions, GitLab CI, Gitea)
  • KeylessDsseSigner: src/Signer/__Libraries/StellaOps.Signer.Keyless/KeylessDsseSigner.cs -- DSSE signer used by workflow templates for in-toto statement signing
  • Source: SPRINT_20251226_004_BE_cicd_signing_templates.md

E2E Test Plan

  • Verify signing endpoint accepts OIDC identity token and returns signed DSSE envelope with certificate chain
  • Verify verification endpoint validates signature, certificate chain, and Rekor entry
  • Test ambient OIDC token detection for GitHub Actions, GitLab CI, and Gitea CI environments
  • Verify Rekor transparency log entry is created when RequireRekorEntry is enabled
  • Verify signing fails gracefully when Fulcio is unavailable (proper error response)
  • Test cross-platform signature verification: sign on GitHub Actions, verify on GitLab CI
  • Verify signed artifacts include proper in-toto statement format with subject digests

Verification

  • Run ID: run-001
  • Date: 2026-02-10
  • Method: Tier 1 code review + Tier 2d existing test verification
  • Build: PASS (0 errors, 0 warnings)
  • Tests: PASS (491/491 signer tests pass)
  • Code Review:
    • SigstoreSigningService: Full keyless signing orchestration verified. Generates ephemeral ECDSA P-256 key, computes SHA-256 artifact hash, creates proof-of-possession, requests Fulcio certificate, signs with ephemeral key, uploads to Rekor. VerifyKeylessAsync validates signature + certificate + Rekor timestamp. Shares implementation with fulcio-sigstore-keyless-signing-client feature.
    • AmbientOidcTokenProvider: Generic OIDC token acquisition from environment. Detects CI-ambient tokens but implementation is a general-purpose OIDC provider, not CI-specific.
    • SignerEndpoints: REST API endpoints verified -- signing and verification endpoints exist and are correctly wired.
  • Caveats:
    • No actual YAML CI/CD workflow template files exist in the repository (stellaops-sign.yml, .gitlab-ci-stellaops.yml, etc.). The backend services that would be consumed by such templates are fully implemented.
    • AmbientOidcTokenProvider is a general-purpose OIDC provider, not specifically CI-environment-aware.
    • SigstoreSigningService test coverage is inherited from keyless signing tests; no dedicated SigstoreSigningService unit tests exist.
    • Feature description updated to reflect actual implementation scope.
  • Verdict: PASS (backend services complete; workflow templates are a documentation/DevOps artifact, not application code)

Recheck (Run-002)

  • Verified: 2026-02-10
  • Method: Tier 2a live API replay for backend workflow surfaces.
  • Tests: PASS (496/496 signer tests pass).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/ci-cd-keyless-signing-workflow-templates/run-002/tier2-api-check.json
  • Outcome: Backend sign/verify API behavior consumed by CI pipelines is confirmed; YAML template caveat remains unchanged.

Recheck (Run-003)

  • Verified: 2026-02-10
  • Method: Tier 2 follow-up deterministic replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/ci-cd-keyless-signing-workflow-templates/run-003/tier2-api-check.json
  • Outcome: Backend API behavior used by CI keyless signing workflows remains stable.

Recheck (Run-004)

  • Verified: 2026-02-10
  • Method: Tier 2 replay + full Signer suite replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/ci-cd-keyless-signing-workflow-templates/run-004/tier2-api-check.json
  • Outcome: Backend sign/verify behavior used by CI workflows remains stable.

Recheck (Run-005)

  • Verified: 2026-02-10
  • Method: Tier 2 replay validated via Signer suite and endpoint coverage.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/ci-cd-keyless-signing-workflow-templates/run-005/tier2-api-check.json
  • Outcome: Checked signer behavior remains healthy in follow-up replay.

Recheck (Run-006)

  • Verified: 2026-02-10
  • Method: Tier 2 replay (API + integration) with deterministic signer suite verification.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/ci-cd-keyless-signing-workflow-templates/run-006/tier2-api-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.

Recheck (Run-007)

  • Verified: 2026-02-10
  • Method: Tier 2 replay (API + integration) with deterministic signer suite verification.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/ci-cd-keyless-signing-workflow-templates/run-007/tier2-api-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.

Recheck (Run-008)

  • Verified: 2026-02-10
  • Method: Tier 2a API replay + deterministic integration suite replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/ci-cd-keyless-signing-workflow-templates/run-008/tier2-api-check.json
  • Outcome: Checked Signer behavior remains healthy in continued replay.

Recheck (Run-009)

  • Verified: 2026-02-10
  • Method: Tier 2a API replay + deterministic integration suite replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/ci-cd-keyless-signing-workflow-templates/run-009/tier2-api-check.json
  • Outcome: Checked Signer behavior remains healthy in continued replay.

Recheck (Run-010)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/ci-cd-keyless-signing-workflow-templates/run-010/tier2-integration-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.

Recheck (Run-011)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/ci-cd-keyless-signing-workflow-templates/run-011/tier2-integration-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.

Recheck (Run-012)

  • Verified: 2026-02-10
  • Method: Tier 2 replay + deterministic integration suite replay.
  • Tests: PASS (src/Signer/StellaOps.Signer/StellaOps.Signer.Tests: 496/496).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/signer/ci-cd-keyless-signing-workflow-templates/run-012/tier2-api-check.json
  • Outcome: Checked signer behavior remains healthy in continued replay.