GitLab CI
Cimon Attest
In GitLab CI, Cimon Attest is performed with the Cimon CLI: first install the CLI inside the job, then attest the artifacts the build produces. Three variants of the job are shown below:
- Unsigned
- Signed with Key Pair
- Keyless Signing
Unsigned
unsigned_provenance:
  before_script: |
    # Download Cimon
    curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh
  script: |
    # Build Artifacts
    mkdir dist
    echo artifact1 > dist/artifact1
    echo artifact2 > dist/artifact2
    # Cimon Attest
    ./bin/cimon attest generate-and-sign \
      --client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
      --subjects "dist/artifact1 dist/artifact2"
  after_script: |
    # Print Provenance
    cat provenance.intoto.jsonl
Explanation:
# Download Cimon
curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh
Installs the Cimon CLI. Other installation options are described on the CLI integration page.
# Build Artifacts
mkdir dist
echo artifact1 > dist/artifact1
echo artifact2 > dist/artifact2
Builds the artifacts. This step is build-specific; stub files stand in for real artifacts in this demonstration.
# Cimon Attest
./bin/cimon attest generate-and-sign \
--client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
--subjects "dist/artifact1 dist/artifact2"
Attests the artifacts listed in --subjects, authenticating to Cimon with the client ID and secret. Both are supplied through CLI parameters.
# Print Provenance
cat provenance.intoto.jsonl
Prints the attestation from its default path (provenance.intoto.jsonl). The path can be changed through the CLI parameters.
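The subject digests recorded in provenance.intoto.jsonl only protect a consumer who actually compares them with the files received. The Python script below is an added example, not code from the Cimon documentation or CLI: it decodes each DSSE envelope line of the file, reads the in-toto Statement payload, and checks every subject's sha256 against the file on disk, so a tampered artifact is flagged. It assumes the layout that the .intoto.jsonl name conventionally implies (one DSSE envelope per line, a base64-encoded in-toto Statement as payload, subject names equal to the paths passed to --subjects); the helper names, the constructed sample envelope and its trimmed SLSA predicate are this example's own. It does not verify the envelope signature, only the subject digests.

```python
"""Check that a provenance file's subjects match the build output.

Example code, not Cimon's own. Assumptions: one DSSE envelope per line,
base64 in-toto Statement payload, subject names as passed to --subjects.
"""
import base64
import hashlib
import json
import os
import tempfile

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def sha256_file(path):
    """Hex SHA-256 of a file, streamed so large artifacts are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_envelopes(jsonl_text):
    """Decode every DSSE envelope line into its in-toto Statement dict.

    Signatures are not verified here; only the payload is read so the
    recorded subject digests can be compared with the files actually built.
    """
    statements = []
    for lineno, line in enumerate(jsonl_text.splitlines(), start=1):
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
            raise ValueError(f"line {lineno}: unexpected payloadType "
                             f"{envelope.get('payloadType')!r}")
        statements.append(json.loads(base64.b64decode(envelope["payload"])))
    return statements


def check_subjects(statements, base_dir):
    """Map each subject name to True if its recorded sha256 matches disk.

    A missing file or a missing sha256 entry counts as a failure rather
    than being skipped, so an edited provenance cannot pass silently.
    """
    results = {}
    for stmt in statements:
        for subject in stmt.get("subject", []):
            name = subject["name"]
            recorded = subject.get("digest", {}).get("sha256")
            path = os.path.join(base_dir, name)
            if recorded is None or not os.path.isfile(path):
                results[name] = False
                continue
            results[name] = sha256_file(path) == recorded.lower()
    return results


def provenance_matches_build(jsonl_text, base_dir):
    """True only if the file lists at least one subject and all of them match."""
    results = check_subjects(parse_envelopes(jsonl_text), base_dir)
    return bool(results) and all(results.values())


def build_sample(base_dir):
    """Constructed sample: the two stub artifacts from the page plus an
    unsigned DSSE envelope describing them. Returns the .intoto.jsonl text."""
    dist = os.path.join(base_dir, "dist")
    os.makedirs(dist, exist_ok=True)
    subjects = []
    for name in ("artifact1", "artifact2"):
        path = os.path.join(dist, name)
        with open(path, "w") as f:
            f.write(name + "\n")  # mirrors: echo artifact1 > dist/artifact1
        subjects.append({"name": f"dist/{name}",
                         "digest": {"sha256": sha256_file(path)}})
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": subjects,
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {"buildDefinition": {}, "runDetails": {}},  # trimmed sample
    }
    envelope = {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [],  # unsigned variant; a signed file carries sig entries
    }
    return json.dumps(envelope) + "\n"


def demo():
    """Check a fresh build, then tamper with one artifact and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        jsonl = build_sample(tmp)
        before = provenance_matches_build(jsonl, tmp)
        with open(os.path.join(tmp, "dist", "artifact2"), "a") as f:
            f.write("tampered\n")
        after = check_subjects(parse_envelopes(jsonl), tmp)
        return before, after


if __name__ == "__main__":
    ok, after_tamper = demo()
    print("fresh build matches provenance:", ok)
    print("per-subject result after tampering:", after_tamper)
```

In a pipeline this check would run in the job that consumes the artifacts (or as a final step of the build job) against the real provenance.intoto.jsonl, with the signature verified separately before the payload is trusted.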
Signed with Key Pair
signed_provenance:
  before_script: |
    # Download Cimon
    curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh
  script: |
    # Build Artifacts
    mkdir dist
    echo artifact1 > dist/artifact1
    echo artifact2 > dist/artifact2
    # Generate Sign Key
    openssl genrsa -out private-key.pem 3072
    # Cimon Attest
    ./bin/cimon attest generate-and-sign \
      --client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
      --subjects "dist/artifact1 dist/artifact2" --key private-key.pem
  after_script: |
    # Print Provenance
    cat provenance.intoto.jsonl
    # Print Signed Provenance
    cat provenance.intoto.jsonl.sig
Explanation:
# Download Cimon
curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh
Installs the Cimon CLI. Other installation options are described on the CLI integration page.
# Build Artifacts
mkdir dist
echo artifact1 > dist/artifact1
echo artifact2 > dist/artifact2
Builds the artifacts. This step is build-specific; stub files stand in for real artifacts in this demonstration.
# Generate Sign Key
openssl genrsa -out private-key.pem 3072
Generates a signing key. Key handling is build-specific; a throwaway key generated inside the job is used here only to demonstrate the flow.
# Cimon Attest
./bin/cimon attest generate-and-sign \
--client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
--subjects "dist/artifact1 dist/artifact2" --key private-key.pem
Attests the artifacts listed in --subjects and signs the attestation with the key given by --key, authenticating to Cimon with the client ID and secret. All of these are supplied through CLI parameters.
# Print Provenance
cat provenance.intoto.jsonl
# Print Signed Provenance
cat provenance.intoto.jsonl.sig
Prints the attestation and its signature from their default paths (provenance.intoto.jsonl and provenance.intoto.jsonl.sig). The paths can be changed through the CLI parameters.
Keyless Signing
keyless_signing:
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  before_script: |
    # Download Cimon
    curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh
  script: |
    # Build Artifacts
    mkdir dist
    echo artifact1 > dist/artifact1
    echo artifact2 > dist/artifact2
    # Cimon Attest
    ./bin/cimon attest generate-and-sign \
      --client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
      --subjects "dist/artifact1 dist/artifact2" \
      --keyless \
      --allow-tlog=true
  after_script: |
    # Print Provenance
    cat provenance.intoto.jsonl
    # Print Signed Provenance
    cat provenance.intoto.jsonl.sig
Explanation:
keyless_signing:
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
By specifying id_tokens in GitLab CI, an OIDC token with the audience sigstore is generated and exposed to the job as an environment variable named SIGSTORE_ID_TOKEN.
# Download Cimon
curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh
Installs the Cimon CLI. Other installation options are described on the CLI integration page.
# Build Artifacts
mkdir dist
echo artifact1 > dist/artifact1
echo artifact2 > dist/artifact2
Builds the artifacts. This step is build-specific; stub files stand in for real artifacts in this demonstration.
# Cimon Attest
./bin/cimon attest generate-and-sign \
--client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
--subjects "dist/artifact1 dist/artifact2" \
--keyless \
--allow-tlog=true
Attests the artifacts listed in --subjects, authenticating to Cimon with the client ID and secret. These are supplied through CLI parameters.
In --keyless mode, Cimon uses Sigstore keyless signing, relying on the Fulcio certificate authority and the Rekor transparency log to sign attestations without managing cryptographic keys. Keyless mode is off (false) by default, so Cimon does not use keyless signing unless it is explicitly enabled.
Similarly, --allow-tlog controls whether Cimon creates a transparency log (TLog) entry in Rekor. It defaults to true and takes effect only when --keyless is also enabled; with both set, Cimon records a TLog entry for each signature.
# Print Provenance
cat provenance.intoto.jsonl
# Print Signed Provenance
cat provenance.intoto.jsonl.sig
Prints the attestation and its signature from their default paths (provenance.intoto.jsonl and provenance.intoto.jsonl.sig). The paths can be changed through the CLI parameters.
Usage
The full set of parameters the Cimon CLI accepts is described on the CLI integration page.