From f2f675b0e64fada5487de4fd5b606737a4598ee7 Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Thu, 20 Nov 2025 11:43:01 +0100 Subject: [PATCH 01/12] adds initial gitlab documentation --- docs/_data/menus/documentation.yml | 3 + docs/_data/tables/trusted-build-systems.yml | 153 +++++++++++++++++++- docs/trusted-build-systems/gitlab.md | 124 ++++++++++++++++ 3 files changed, 279 insertions(+), 1 deletion(-) create mode 100644 docs/trusted-build-systems/gitlab.md diff --git a/docs/_data/menus/documentation.yml b/docs/_data/menus/documentation.yml index cee5d16..33e536f 100644 --- a/docs/_data/menus/documentation.yml +++ b/docs/_data/menus/documentation.yml @@ -45,6 +45,9 @@ - text: GitHub path: github + - text: GitLab + path: gitlab + - text: Azure DevOps path: azure-devops diff --git a/docs/_data/tables/trusted-build-systems.yml b/docs/_data/tables/trusted-build-systems.yml index bdcf323..c3bad34 100644 --- a/docs/_data/tables/trusted-build-systems.yml +++ b/docs/_data/tables/trusted-build-systems.yml 
@@ -116,4 +116,155 @@ github-extended-policies-branch-ruleset-rules: * `min_alerts_threshold`: one of `none`, `errors` or `warnings` * `min_security_alerts_threshold`: one of `none`, `critical`, `high`, `medium` or `all` - +gitlab-parameters: + headers: + required: + component: Component input + cli: Command line argument + env: Environment variable + default: Default value + description: Description + body: + - component: | + `stage` + cli: | + – + env: | + – + default: | + `sign` + description: The GitLab pipeline stage at which the component should be executed. + - component: | + `job_name` + cli: | + – + env: | + – + default: | + `submit_signing_request (TODO)` + description: The name of the given signing job. + - component: | + `connector_url` + cli: | + `--connector-url` + env: | + `SIGNPATH_CONNECTOR_URL` + default: | + `https://gitlab.connectors.signpath.io` + description: The URL of the SignPath connector. Required if self-managed. + - required: | + `*` + component: | + `api_token_env_name` + cli: | + `--api-token` + env: | + `SIGNPATH_API_TOKEN` + description: | + The _Api Token_ for a user with submitter permissions in the specified project/signing policy. + The component only allows providing the token via an environment variable. The name of the environment variable can be overwritten using the `api_token_env_name` parameter. + - required: | + `*` + component: | + `gitlab_access_token_env_name` + cli: | + `--gitlab-access-token` + env: | + `SIGNPATH_GITLAB_ACCESS_TOKEN` + description: | + The _GitLab Access Token_ that can be used to retrieve [origin metadata](/documentation/origin-verification) from the GitLab instance. + The component only allows providing the token via an environment variable. The name of the environment variable can be overwritten using the `gitlab_access_token_env_name` parameter. 
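Review bot: the `job_name` row of the new `gitlab-parameters` table ships a placeholder as its documented default (`submit_signing_request (TODO)`); settle the real default or leave the `default` cell empty, since this table is rendered on the public page. In the same hunk, the `api_token_env_name` and `gitlab_access_token_env_name` rows describe the component input as the *name* of an environment variable, while the `env` cell lists the token variable itself (`SIGNPATH_API_TOKEN`) and the `cli` cell a flag that takes the token *value*; the three columns do not describe the same thing for these two rows, so say explicitly that the component input names the variable and the CLI flag carries the value.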
+ - required: | + `*` + component: | + `organization_id` + cli: | + `--organization-id` + env: | + `SIGNPATH_ORGANIZATION_ID` + description: The SignPath organization ID. + - required: | + `*` + component: | + `project_slug` + cli: | + `--project-slug` + env: | + `SIGNPATH_PROJECT_SLUG` + description: The SignPath project slug. + - required: | + `*` + component: | + `signing_policy_slug` + cli: | + `--signing-policy-slug` + env: | + `SIGNPATH_SIGNING_POLICY_SLUG` + description: The SignPath signing policy slug. + - component: | + `artifact_configuration_slug` + cli: | + `--artifact-configuration-slug` + env: | + `SIGNPATH_ARTIFACT_CONFIGURATION_SLUG` + description: The SignPath artifact configuration slug. + - required: | + `*` + component: | + `artifacts_job_name` + cli: | + `--artifacts-job-name` + env: | + `SIGNPATH_ARTIFACTS_JOB_NAME` + description: The name of the job that published the artifacts that will be signed. + - component: | + `wait_for_completion` + cli: | + `--wait-for-completion` + env: | + `SIGNPATH_WAIT_FOR_COMPLETION` + default: | + `true` + description: Wait for the signing request to complete. + - component: | + – + cli: | + `--output-artifact-directory` + env: | + `SIGNPATH_OUTPUT_ARTIFACT_DIRECTORY` + description: Path where the signed artifact will be extracted. The component always publishes the signed artifact when `wait_for_completion` is set to `true`. + - component: | + `parameters` + cli: | + `--parameters` + env: | + `SIGNPATH_PARAMETERS` + description: | + Parameters that map to [user-defined parameters] in the Artifact Configuration. TODO: format!!! + - component: | + `wait_for_completion_timeout_in_seconds` + cli: | + `--wait-for-completion-timeout-in-seconds` + env: | + `SIGNPATH_WAIT_FOR_COMPLETION_TIMEOUT_IN_SECONDS` + default: | + `600` + description: Maximum time in seconds that the job/tool will wait for the signing request to complete. 
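Review bot: the `parameters` row leaves `TODO: format!!!` in the rendered description; state the expected format before this is published (the CLI example later in this series passes a JSON object). The `--output-artifact-directory` row has no component input (`–`) yet its description talks about what "the component" publishes; mark the flag as CLI-only and explain that the component's publishing behaviour is governed by `wait_for_completion`.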
+ - component: | + `service_unavailable_timeout_in_seconds` + cli: | + `--service-unavailable-timeout-in-seconds` + env: | + `SIGNPATH_SERVICE_UNAVAILABLE_TIMEOUT_IN_SECONDS` + default: | + `600` + description: Total time in seconds that the job/tool will wait for a single service call to succeed (across several retries). + - component: | + `download_signed_artifact_timeout_in_seconds` + cli: | + `--download-signed-artifact-timeout-in-seconds` + env: | + `SIGNPATH_DOWNLOAD_SIGNED_ARTIFACT_TIMEOUT_IN_SECONDS` + default: | + `300` + description: HTTP timeout when downloading the signed artifact. diff --git a/docs/trusted-build-systems/gitlab.md b/docs/trusted-build-systems/gitlab.md new file mode 100644 index 0000000..2409b79 --- /dev/null +++ b/docs/trusted-build-systems/gitlab.md 
@@ -0,0 +1,124 @@ +--- +header: GitLab +layout: resources +toc: true +show_toc: 3 +description: GitLab +--- + +## Prerequisites + +* Use the predefined Trusted Build System _GitLab.com_ (see [configuration](/documentation/trusted-build-systems#configuration)) + * add it to the Organization + * link it to each SignPath Project for GitLab +* Specify `` as root element of your [Artifact Configurations](/documentation/artifact-configuration) (GitLab packages all artifacts as ZIP archives) + +{:.panel.info} +> **Self-managed installations** +> +> SignPath hosts an instance of the GitLab connector which is linked to GitLab.com For integrating self-managed GitLab instances, contact our [support](/support) team. + +## Checks performed by SignPath + +The GitLab connector performs the following checks: + +* The artifact was built by a GitLab Pipeline, not by some other entity in possession of the API token +* [Origin metadata](/documentation/origin-verification) is provided by GitLab, not the build script, and can therefore not be forged +* The artifact is stored as a GitLab pipeline artifact before it is submitted for signing + +## Usage + +There are two ways to integrate SignPath into your GitLab Pipeline: + +* If your GitLab instance has at least one runner with a _Docker Executor_ (like GitLab.com), we recommend using the _SignPath component_ +* If your self-managed GitLab instance does not support runners with _Docker Executors_, you can still download and call our command-line tool manually + +### SignPath component + +We provide a `submit-signing-request` component that can be integrated into a GitLab Pipeline: + +{% raw %} +```yaml +include: + - component: gitlab.com/signpath/components/submit-signing-request@0.1 + inputs: + stage: build + job_name: sign_my_component_a + api_token_env_name: SIGNPATH_MY_COMPONENT_A_API_TOKEN + gitlab_access_token_env_name: SIGNPATH_GITLAB_ACCESS_TOKEN + organization_id: f437cdbb-2ec0-4958-9a85-c2c0cd5dfa1a + project_slug: MyComponentA 
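Review bot: in the Prerequisites list, the bullet "Specify `` as root element" has an empty inline code span, so the root element that GitLab's ZIP-packaged artifacts require is missing from the docs; either fill it in or drop the bullet (PATCH 02 removes it). In the component example the signing job is placed in `stage: build`, the same stage as `build_job` whose artifact it consumes; jobs of one stage run concurrently, so the artifact is not guaranteed to exist when signing starts. `artifacts:` under `build_job` is also a bare list; GitLab CI expects `artifacts:` with a `paths:` list underneath. Minor: "linked to GitLab.com For integrating" is missing a period.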
+ signing_policy_slug: release-signing + artifacts_job_name: build_job # TODO: needs to be entered in dependencies + wait_for_completion: true # TODO: automatically publishes the artifact? + +build_job: + stage: build + script: + - echo "Building some software..." + artifacts: + - output/my-executable +``` +{% endraw %} + +All values can also be provided via environment variables. See the [parameter list](#supported-parameters) for a complete list of all supported inputs. + +### `signpath-gitlab` CLI tool + +For all organizations that don'T support _Docker Executors_, the `signpath-gitlab` CLI tool can be directly invoked: + +{% raw %} +```yaml +stages: + - build + - sign + +build_job: + stage: build + script: + - echo "Building some software..." + artifacts: + - output/my-executable + +sign_job: + stage: sign + script: + # TODO: signature validation??? + # TODO: add a log verbose mode? + - curl -o signpath-gitlab -L https://download.signpath.io/ci-integrations/gitlab/0.1/linux/x64/signpath-gitlab + - | + ./signpath-gitlab submit-signing-request \ + --api-token $SIGNPATH_API_TOKEN \ + --gitlab-access-token $SIGNPATH_GITLAB_ACCESS_TOEKN \ + --organization-id $SIGNPATH_ORGANIZATION_ID \ + --project-slug MyProject \ + --signing-policy-slug release-signing \ + --artifacts-job-name build_job \ + --wait-for-completion true \ + --output-artifact-directory signed-output \ + artifacts: + - signed-output +``` +{% endraw %} + +All values can also be provided via environment variables. See the [parameter list](#supported-parameters) for a complete list of all supported parameters. 
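Review bot: the CLI example downloads `signpath-gitlab` with `curl -L` and executes it without any integrity check, which is exactly the gap the `# TODO: signature validation???` comment flags; a signing job is a high-value step, so pin the download to a checksum or signature that is verified before the binary runs, and add the `chmod +x` step that is currently missing. In the same block, `$SIGNPATH_GITLAB_ACCESS_TOEKN` is misspelled (corrected in PATCH 03), the final `--output-artifact-directory signed-output \` line ends with a dangling continuation backslash, and `artifacts:` under `sign_job` is again a bare list rather than `artifacts:` with `paths:`.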
+ +### Supported parameters + +TODO: table is too wide + +{%- include render-table.html table=site.data.tables.trusted-build-systems.gitlab-parameters -%} + +[user-defined parameters]: /documentation/artifact-configuration/syntax#parameters + +### Environment variables for subsequent jobs + +*TODO: should we support that?* + +The action supports the following output parameters: +- `signing-request-id`: The id of the newly created signing request +- `signing-request-web-url`: The url of the signing request in SignPath +- `signpath-api-url`: The base API url of the SignPath API +- `signed-artifact-download-url`: The url of the signed artifact in SignPath + +TODO: the term _Pipeline Integrity_ is already used by GitLab: https://docs.gitlab.com/ci/pipeline_security/#pipeline-integrity \ No newline at end of file From 2182aa36d0cce578154427d382aa69719f453119 Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Thu, 20 Nov 2025 14:34:51 +0100 Subject: [PATCH 02/12] minor change --- docs/trusted-build-systems/gitlab.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/trusted-build-systems/gitlab.md b/docs/trusted-build-systems/gitlab.md index 2409b79..2755da2 100644 --- a/docs/trusted-build-systems/gitlab.md +++ b/docs/trusted-build-systems/gitlab.md @@ -11,7 +11,6 @@ description: GitLab * Use the predefined Trusted Build System _GitLab.com_ (see [configuration](/documentation/trusted-build-systems#configuration)) * add it to the Organization * link it to each SignPath Project for GitLab -* Specify `` as root element of your [Artifact Configurations](/documentation/artifact-configuration) (GitLab packages all artifacts as ZIP archives) {:.panel.info} > **Self-managed installations** 
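Review bot: the "Environment variables for subsequent jobs" section is committed as `*TODO: should we support that?*`, and the list under it ("The action supports the following output parameters", kebab-case names such as `signing-request-id`) reads as copied from the GitHub action rather than describing GitLab's dotenv-report mechanism; either document the actual GitLab outputs (PATCH 03 replaces this) or leave the section out until it is defined. The trailing `TODO` about the term _Pipeline Integrity_ and the missing newline at end of file should also not reach the published page.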
@@ -121,4 +120,4 @@ The action supports the following output parameters: - `signpath-api-url`: The base API url of the SignPath API - `signed-artifact-download-url`: The url of the signed artifact in SignPath -TODO: the term _Pipeline Integrity_ is already used by GitLab: https://docs.gitlab.com/ci/pipeline_security/#pipeline-integrity \ No newline at end of file +TODO: the term _Pipeline Integrity_ is already used by GitLab: https://docs.gitlab.com/ci/pipeline_security/#pipeline-integrity From e77142586b46fb2180dadd741f1f945d53e26710 Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Mon, 24 Nov 2025 17:17:52 +0100 Subject: [PATCH 03/12] further details for GitLab (not yet done) --- docs/_data/tables/trusted-build-systems.yml | 197 +++++++++----------- docs/trusted-build-systems/gitlab.md | 45 +++-- 2 files changed, 119 insertions(+), 123 deletions(-) diff --git a/docs/_data/tables/trusted-build-systems.yml b/docs/_data/tables/trusted-build-systems.yml index c3bad34..a4e7209 100644 --- a/docs/_data/tables/trusted-build-systems.yml +++ b/docs/_data/tables/trusted-build-systems.yml 
@@ -116,155 +116,144 @@ github-extended-policies-branch-ruleset-rules: * `min_alerts_threshold`: one of `none`, `errors` or `warnings` * `min_security_alerts_threshold`: one of `none`, `critical`, `high`, `medium` or `all` +# Note: The spaces at the end are intentional for new lines in markdown gitlab-parameters: headers: - required: - component: Component input - cli: Command line argument - env: Environment variable + required: + input: Input default: Default value description: Description body: - - component: | - `stage` - cli: | - – - env: | - – + - input: | + `stage` + (Component input only) default: | `sign` description: The GitLab pipeline stage at which the component should be executed. - - component: | - `job_name` - cli: | - – - env: | - – + - input: | + `job_name` + (Component input only) default: | `submit_signing_request (TODO)` description: The name of the given signing job. - - component: | - `connector_url` - cli: | - `--connector-url` - env: | - `SIGNPATH_CONNECTOR_URL` + - input: | + `connector_url` (Component) + `SIGNPATH_CONNECTOR_URL` (Environment variable) + `--connector-url` (CLI tool) default: | `https://gitlab.connectors.signpath.io` description: The URL of the SignPath connector. Required if self-managed. - required: | `*` - component: | - `api_token_env_name` - cli: | - `--api-token` - env: | - `SIGNPATH_API_TOKEN` + input: | + `api_token_var_name` (Component) + `SIGNPATH_API_TOKEN` (Environment variable) + `--api-token` (CLI tool) description: | The _Api Token_ for a user with submitter permissions in the specified project/signing policy. The component only allows providing the token via an environment variable. The name of the environment variable can be overwritten using the `api_token_env_name` parameter. 
- required: | `*` - component: | - `gitlab_access_token_env_name` - cli: | - `--gitlab-access-token` - env: | - `SIGNPATH_GITLAB_ACCESS_TOKEN` + input: | + `gitlab_access_token_var_name` (Component) + `SIGNPATH_GITLAB_ACCESS_TOKEN` (Environment variable) + `--gitlab-access-token` (CLI tool) description: | The _GitLab Access Token_ that can be used to retrieve [origin metadata](/documentation/origin-verification) from the GitLab instance. The component only allows providing the token via an environment variable. The name of the environment variable can be overwritten using the `gitlab_access_token_env_name` parameter. - required: | `*` - component: | - `organization_id` - cli: | - `--organization-id` - env: | - `SIGNPATH_ORGANIZATION_ID` + input: | + `organization_id` (Component) + `SIGNPATH_ORGANIZATION_ID` (Environment variable) + `--organization-id` (CLI tool) description: The SignPath organization ID. - required: | `*` - component: | - `project_slug` - cli: | - `--project-slug` - env: | - `SIGNPATH_PROJECT_SLUG` + input: | + `project_slug` (Component) + `SIGNPATH_PROJECT_SLUG` (Environment variable) + `--project-slug` (CLI tool) description: The SignPath project slug. - required: | `*` - component: | - `signing_policy_slug` - cli: | - `--signing-policy-slug` - env: | - `SIGNPATH_SIGNING_POLICY_SLUG` + input: | + `signing_policy_slug` (Component) + `SIGNPATH_SIGNING_POLICY_SLUG` (Environment variable) + `--signing-policy-slug` (CLI tool) description: The SignPath signing policy slug. - - component: | - `artifact_configuration_slug` - cli: | - `--artifact-configuration-slug` - env: | - `SIGNPATH_ARTIFACT_CONFIGURATION_SLUG` + - input: | + `artifact_configuration_slug` (Component) + `SIGNPATH_ARTIFACT_CONFIGURATION_SLUG` (Environment variable) + `--artifact-configuration-slug` (CLI tool) description: The SignPath artifact configuration slug. 
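Review bot: the inputs are renamed to `api_token_var_name` and `gitlab_access_token_var_name`, but both descriptions still tell the reader to override the variable name "using the `api_token_env_name` parameter" / "the `gitlab_access_token_env_name` parameter", so the docs now reference inputs that no longer exist; update both descriptions (since the `input` cell lists the three names, "using this input" is enough, which is what PATCH 04 ends up doing).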
- required: | `*` - component: | - `artifacts_job_name` - cli: | - `--artifacts-job-name` - env: | - `SIGNPATH_ARTIFACTS_JOB_NAME` - description: The name of the job that published the artifacts that will be signed. - - component: | - `wait_for_completion` - cli: | - `--wait-for-completion` - env: | - `SIGNPATH_WAIT_FOR_COMPLETION` + input: | + `gitlab_artifact_job_name` (Component) + `SIGNPATH_GITLAB_ARTIFACT_JOB_NAME` (Environment variable) + `--gitlab-artifact-job-name` (CLI tool) + description: The name of the job that published the artifact to be signed. + - required: | + `*` + input: | + `gitlab_artifact_path` (Component) + `SIGNPATH_GITLAB_ARTIFACT_PATH` (Environment variable) + `--gitlab-artifact-path` (CLI tool) + description: The path within the GitLab artifact. + - required: | + `*` + input: | + `output_artifact_path` (Component) + `SIGNPATH_OUTPUT_ARTIFACT_PATH` (Environment variable) + `--output-artifact-path` (CLI tool) + description: Path to where the signed artifact will be stored. + - input: | + `wait_for_completion` (Component) + `SIGNPATH_WAIT_FOR_COMPLETION` (Environment variable) + `--wait-for-completion` (CLI tool) default: | `true` - description: Wait for the signing request to complete. - - component: | - – - cli: | - `--output-artifact-directory` - env: | - `SIGNPATH_OUTPUT_ARTIFACT_DIRECTORY` - description: Path where the signed artifact will be extracted. The component always publishes the signed artifact when `wait_for_completion` is set to `true`. - - component: | - `parameters` - cli: | - `--parameters` - env: | - `SIGNPATH_PARAMETERS` + description: Wait for the signing request to complete. If set to true, the signed artifact will be published. + - input: | + (CLI tool only) + `SIGNPATH_OUTPUT_ARTIFACT_DIRECTORY` (Environment variable) or + `--output-artifact-path` + description: Path to where the signed artifact will be stored. The component always publishes the signed artifact when `wait_for_completion` is set to `true`. 
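Review bot: `output_artifact_path` is marked required (`*`) with `--output-artifact-path` as its CLI flag, while the row two entries below lists `--output-artifact-path` again as "CLI tool only" next to a differently named variable `SIGNPATH_OUTPUT_ARTIFACT_DIRECTORY` and states that the component "always publishes" the artifact when `wait_for_completion` is `true`; the two rows contradict each other on whether the path is mandatory and which environment variable backs it. Keep one row, settle on one variable name, and make `required` consistent with `wait_for_completion` defaulting to `true`.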
+ - input: | + `parameters` (Component) + `SIGNPATH_PARAMETERS` (Environment variable) + `--parameters` (CLI tool) description: | - Parameters that map to [user-defined parameters] in the Artifact Configuration. TODO: format!!! - - component: | - `wait_for_completion_timeout_in_seconds` - cli: | - `--wait-for-completion-timeout-in-seconds` - env: | - `SIGNPATH_WAIT_FOR_COMPLETION_TIMEOUT_IN_SECONDS` + Json-formatted parameters that map to [user-defined parameters] in the Artifact Configuration. + - input: | + (CLI tool only) + `SIGNPATH_DOTENV_OUTPUT_PATH` (Environment variable) + `--dotenv-output-path` (CLI tool) + description: Path to a .env file where output variables will be stored. + - input: | + (CLI tool only) + `SIGNPATH_DOTENV_OUTPUT_PREFIX` (Environment variable) + `--dotenv-output-prefix` (CLI tool) + description: The prefix used for the variables in the dotenv output file. + - input: | + `wait_for_completion_timeout_in_seconds` (Component) + `SIGNPATH_WAIT_FOR_COMPLETION_TIMEOUT_IN_SECONDS` (Environment variable) + `--wait-for-completion-timeout-in-seconds` (CLI tool) default: | `600` description: Maximum time in seconds that the job/tool will wait for the signing request to complete. - - component: | - `service_unavailable_timeout_in_seconds` - cli: | - `--service-unavailable-timeout-in-seconds` - env: | - `SIGNPATH_SERVICE_UNAVAILABLE_TIMEOUT_IN_SECONDS` + - input: | + `service_unavailable_timeout_in_seconds` (Component) + `SIGNPATH_SERVICE_UNAVAILABLE_TIMEOUT_IN_SECONDS` (Environment variable) + `--service-unavailable-timeout-in-seconds` (CLI tool) default: | `600` description: Total time in seconds that the job/tool will wait for a single service call to succeed (across several retries). 
- - component: | - `download_signed_artifact_timeout_in_seconds` - cli: | - `--download-signed-artifact-timeout-in-seconds` - env: | - `SIGNPATH_DOWNLOAD_SIGNED_ARTIFACT_TIMEOUT_IN_SECONDS` + - input: | + `download_signed_artifact_timeout_in_seconds` (Component) + `SIGNPATH_DOWNLOAD_SIGNED_ARTIFACT_TIMEOUT_IN_SECONDS` (Environment variable) + `--download-signed-artifact-timeout-in-seconds` (CLI tool) default: | `300` description: HTTP timeout when downloading the signed artifact. diff --git a/docs/trusted-build-systems/gitlab.md b/docs/trusted-build-systems/gitlab.md index 2409b79..81898c4 100644 --- a/docs/trusted-build-systems/gitlab.md +++ b/docs/trusted-build-systems/gitlab.md @@ -42,15 +42,18 @@ We provide a `submit-signing-request` component that can be integrated into a Gi include: - component: gitlab.com/signpath/components/submit-signing-request@0.1 inputs: - stage: build + stage: sign job_name: sign_my_component_a - api_token_env_name: SIGNPATH_MY_COMPONENT_A_API_TOKEN - gitlab_access_token_env_name: SIGNPATH_GITLAB_ACCESS_TOKEN + api_token_var_name: SIGNPATH_MY_COMPONENT_A_API_TOKEN + gitlab_access_token_var_name: SIGNPATH_GITLAB_ACCESS_TOKEN organization_id: f437cdbb-2ec0-4958-9a85-c2c0cd5dfa1a project_slug: MyComponentA signing_policy_slug: release-signing - artifacts_job_name: build_job # TODO: needs to be entered in dependencies - wait_for_completion: true # TODO: automatically publishes the artifact? + gitlab_artifact_job_name: build_job + gitlab_artifact_path: output/my-executable + wait_for_completion: true + parameters: + - myparam: myvalue build_job: stage: build @@ -65,7 +68,7 @@ All values can also be provided via environment variables. See the [parameter li ### `signpath-gitlab` CLI tool -For all organizations that don'T support _Docker Executors_, the `signpath-gitlab` CLI tool can be directly invoked: +For all organizations that don't support _Docker Executors_, the `signpath-gitlab` CLI tool can be directly invoked: {% raw %} ```yaml 
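Review bot: in the gitlab.md hunk the `parameters` input is given as a YAML list of single-key maps (`- myparam: myvalue`), while the table row added in this same commit describes `parameters` as "Json-formatted"; the two must agree, and a plain mapping (`myparam: myvalue`) is the natural shape for key/value pairs. The job is correctly moved to `stage: sign`, but the component example declares no `stages:` list containing `sign`, so state whether the component contributes that stage or the user has to declare it, as the CLI example does.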
@@ -83,19 +86,19 @@ build_job: sign_job: stage: sign script: - # TODO: signature validation??? - # TODO: add a log verbose mode? - curl -o signpath-gitlab -L https://download.signpath.io/ci-integrations/gitlab/0.1/linux/x64/signpath-gitlab - | ./signpath-gitlab submit-signing-request \ --api-token $SIGNPATH_API_TOKEN \ - --gitlab-access-token $SIGNPATH_GITLAB_ACCESS_TOEKN \ + --gitlab-access-token $SIGNPATH_GITLAB_ACCESS_TOKEN \ --organization-id $SIGNPATH_ORGANIZATION_ID \ --project-slug MyProject \ --signing-policy-slug release-signing \ - --artifacts-job-name build_job \ + --gitlab-artifact-job-name build_job \ + --gitlab_artifact_path: output/app.exe \ --wait-for-completion true \ - --output-artifact-directory signed-output \ + --output-artifact-path signed-output \ + --parameters '{ "myparam": "myvalue" }' artifacts: - signed-output ``` @@ -105,7 +108,10 @@ All values can also be provided via environment variables. See the [parameter l ### Supported parameters -TODO: table is too wide +The parameters can be passed to the + +* component via _inputs_ or _environment variables_ +* CLI tool via _arguments_ or _environment variables_ {%- include render-table.html table=site.data.tables.trusted-build-systems.gitlab-parameters -%} 
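Review bot: `--gitlab_artifact_path: output/app.exe` in the CLI example uses underscores and a trailing colon, whereas every other flag and the parameter table use the hyphenated form `--gitlab-artifact-path`; as written the option would not be recognised. The binary is still fetched with `curl -L` and run without checksum or signature verification and without `chmod +x`, and `artifacts:` under `sign_job` remains a bare list instead of `artifacts:` with `paths:`.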
@@ -113,12 +119,13 @@ TODO: table is too wide ### Environment variables for subsequent jobs -*TODO: should we support that?* +The component invocation will publish a dotenv report and make the following environment variables available in subsequent jobs: + +* `${PREFIX}_SIGNPATH_SIGNING_REQUEST_ID`: The id of the newly created signing request. +* `${PREFIX}_SIGNPATH_SIGNING_REQUEST_WEB_URL`: The url of the signing request in SignPath. +* `${PREFIX}_SIGNPATH_SIGNED_ARTIFACT_DOWNLOAD_URL`: The url where the signed artifact can be downloaded. -The action supports the following output parameters: -- `signing-request-id`: The id of the newly created signing request -- `signing-request-web-url`: The url of the signing request in SignPath -- `signpath-api-url`: The base API url of the SignPath API -- `signed-artifact-download-url`: The url of the signed artifact in SignPath +`${PREFIX}` defaults to the capitalized name of the signing job in GitLab (`SIGN` by default). -TODO: the term _Pipeline Integrity_ is already used by GitLab: https://docs.gitlab.com/ci/pipeline_security/#pipeline-integrity \ No newline at end of file +TODO: the term _Pipeline Integrity_ is already used by GitLab: https://docs.gitlab.com/ci/pipeline_security/#pipeline-integrity +TODO: Update SLSA page also \ No newline at end of file From 89faf09ec65a28408ec327150d7a369fab28a8a3 Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Thu, 27 Nov 2025 15:14:30 +0100 Subject: [PATCH 04/12] simplifies GitLab and only includes the component --- docs/_data/tables/trusted-build-systems.yml | 133 ++++++-------------- docs/trusted-build-systems/gitlab.md | 61 ++------- 2 files changed, 46 insertions(+), 148 deletions(-) diff --git a/docs/_data/tables/trusted-build-systems.yml b/docs/_data/tables/trusted-build-systems.yml index a4e7209..319a589 100644 --- a/docs/_data/tables/trusted-build-systems.yml +++ b/docs/_data/tables/trusted-build-systems.yml 
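Review bot: `${PREFIX}` is documented as "the capitalized name of the signing job in GitLab (`SIGN` by default)", but the table's `job_name` default is `submit_signing_request (TODO)` and the example uses `sign_my_component_a`; say what capitalization does with underscores (presumably `SIGN_MY_COMPONENT_A`) and align the stated default with the table. The two trailing `TODO` lines are again committed into the page, and the file still ends without a newline.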
@@ -119,141 +119,86 @@ github-extended-policies-branch-ruleset-rules: # Note: The spaces at the end are intentional for new lines in markdown gitlab-parameters: headers: - required: input: Input default: Default value description: Description body: - input: | - `stage` - (Component input only) + `stage` default: | `sign` description: The GitLab pipeline stage at which the component should be executed. - input: | - `job_name` - (Component input only) + `job_name` default: | - `submit_signing_request (TODO)` + `submit-signing-request` description: The name of the given signing job. - input: | - `connector_url` (Component) - `SIGNPATH_CONNECTOR_URL` (Environment variable) - `--connector-url` (CLI tool) + `connector_url` default: | `https://gitlab.connectors.signpath.io` description: The URL of the SignPath connector. Required if self-managed. - - required: | - `*` - input: | - `api_token_var_name` (Component) - `SIGNPATH_API_TOKEN` (Environment variable) - `--api-token` (CLI tool) + - input: | + `api_token_var_name` + default: | + `SIGNPATH_API_TOKEN` description: | The _Api Token_ for a user with submitter permissions in the specified project/signing policy. - The component only allows providing the token via an environment variable. The name of the environment variable can be overwritten using the `api_token_env_name` parameter. - - required: | - `*` - input: | - `gitlab_access_token_var_name` (Component) - `SIGNPATH_GITLAB_ACCESS_TOKEN` (Environment variable) - `--gitlab-access-token` (CLI tool) + The component only allows providing the token via an environment variable. The name of the environment variable can be overwritten using this input. + - input: | + `gitlab_access_token_var_name` + default: | + `SIGNPATH_GITLAB_ACCESS_TOKEN` description: | - The _GitLab Access Token_ that can be used to retrieve [origin metadata](/documentation/origin-verification) from the GitLab instance. - The component only allows providing the token via an environment variable. 
The name of the environment variable can be overwritten using the `gitlab_access_token_env_name` parameter. - - required: | - `*` - input: | - `organization_id` (Component) - `SIGNPATH_ORGANIZATION_ID` (Environment variable) - `--organization-id` (CLI tool) + The _GitLab Access Token_ that can be used to retrieve [origin metadata](/documentation/origin-verification) from the GitLab instance. Requires the `read_api` scope. + The component only allows providing the token via an environment variable. The name of the environment variable can be overwritten using this input. + - input: | + `organization_id` + default: (mandatory) description: The SignPath organization ID. - - required: | - `*` - input: | - `project_slug` (Component) - `SIGNPATH_PROJECT_SLUG` (Environment variable) - `--project-slug` (CLI tool) + - input: | + `project_slug` + default: (mandatory) description: The SignPath project slug. - - required: | - `*` - input: | - `signing_policy_slug` (Component) - `SIGNPATH_SIGNING_POLICY_SLUG` (Environment variable) - `--signing-policy-slug` (CLI tool) + - input: | + `signing_policy_slug` + default: (mandatory) description: The SignPath signing policy slug. - input: | - `artifact_configuration_slug` (Component) - `SIGNPATH_ARTIFACT_CONFIGURATION_SLUG` (Environment variable) - `--artifact-configuration-slug` (CLI tool) + `artifact_configuration_slug` description: The SignPath artifact configuration slug. - - required: | - `*` - input: | - `gitlab_artifact_job_name` (Component) - `SIGNPATH_GITLAB_ARTIFACT_JOB_NAME` (Environment variable) - `--gitlab-artifact-job-name` (CLI tool) + - input: | + `gitlab_artifact_job_name` + default: (mandatory) description: The name of the job that published the artifact to be signed. 
- - required: | - `*` - input: | - `gitlab_artifact_path` (Component) - `SIGNPATH_GITLAB_ARTIFACT_PATH` (Environment variable) - `--gitlab-artifact-path` (CLI tool) + - input: | + `gitlab_artifact_path` + default: (mandatory) description: The path within the GitLab artifact. - - required: | - `*` - input: | - `output_artifact_path` (Component) - `SIGNPATH_OUTPUT_ARTIFACT_PATH` (Environment variable) - `--output-artifact-path` (CLI tool) + - input: | + `output_artifact_path` description: Path to where the signed artifact will be stored. - input: | - `wait_for_completion` (Component) - `SIGNPATH_WAIT_FOR_COMPLETION` (Environment variable) - `--wait-for-completion` (CLI tool) + `wait_for_completion` default: | `true` description: Wait for the signing request to complete. If set to true, the signed artifact will be published. - input: | - (CLI tool only) - `SIGNPATH_OUTPUT_ARTIFACT_DIRECTORY` (Environment variable) or - `--output-artifact-path` - description: Path to where the signed artifact will be stored. The component always publishes the signed artifact when `wait_for_completion` is set to `true`. - - input: | - `parameters` (Component) - `SIGNPATH_PARAMETERS` (Environment variable) - `--parameters` (CLI tool) + `parameters` description: | - Json-formatted parameters that map to [user-defined parameters] in the Artifact Configuration. - - input: | - (CLI tool only) - `SIGNPATH_DOTENV_OUTPUT_PATH` (Environment variable) - `--dotenv-output-path` (CLI tool) - description: Path to a .env file where output variables will be stored. - - input: | - (CLI tool only) - `SIGNPATH_DOTENV_OUTPUT_PREFIX` (Environment variable) - `--dotenv-output-prefix` (CLI tool) - description: The prefix used for the variables in the dotenv output file. + List of key/value pairs that map to [user-defined parameters](/artifact-configuration/syntax#parameters) in the Artifact Configuration. 
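Review bot: the rewritten `parameters` description links to `/artifact-configuration/syntax#parameters`, dropping the `/documentation` prefix used by the `origin-verification` link in the same table and by the existing `[user-defined parameters]` reference definition in gitlab.md; this will 404 on the rendered site. The new "Requires the `read_api` scope" note on `gitlab_access_token_var_name` is useful least-privilege guidance; it would be worth stating the equivalent for the SignPath token (submitter permissions on the one project and signing policy, as the `api_token_var_name` row already implies).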
- input: | - `wait_for_completion_timeout_in_seconds` (Component) - `SIGNPATH_WAIT_FOR_COMPLETION_TIMEOUT_IN_SECONDS` (Environment variable) - `--wait-for-completion-timeout-in-seconds` (CLI tool) + `wait_for_completion_timeout_in_seconds` default: | `600` description: Maximum time in seconds that the job/tool will wait for the signing request to complete. - input: | - `service_unavailable_timeout_in_seconds` (Component) - `SIGNPATH_SERVICE_UNAVAILABLE_TIMEOUT_IN_SECONDS` (Environment variable) - `--service-unavailable-timeout-in-seconds` (CLI tool) + `service_unavailable_timeout_in_seconds` default: | `600` description: Total time in seconds that the job/tool will wait for a single service call to succeed (across several retries). - input: | - `download_signed_artifact_timeout_in_seconds` (Component) - `SIGNPATH_DOWNLOAD_SIGNED_ARTIFACT_TIMEOUT_IN_SECONDS` (Environment variable) - `--download-signed-artifact-timeout-in-seconds` (CLI tool) + `download_signed_artifact_timeout_in_seconds` default: | `300` description: HTTP timeout when downloading the signed artifact. diff --git a/docs/trusted-build-systems/gitlab.md b/docs/trusted-build-systems/gitlab.md index 169045f..3e15b21 100644 --- a/docs/trusted-build-systems/gitlab.md +++ b/docs/trusted-build-systems/gitlab.md @@ -15,7 +15,7 @@ description: GitLab {:.panel.info} > **Self-managed installations** > -> SignPath hosts an instance of the GitLab connector which is linked to GitLab.com For integrating self-managed GitLab instances, contact our [support](/support) team. +> SignPath hosts an instance of the GitLab connector which is linked to GitLab.com For integrating self-managed GitLab instances, contact our [support](https://signpath.io/support) team. ## Checks performed by SignPath 
@@ -27,19 +27,12 @@ The GitLab connector performs the following checks: ## Usage -There are two ways to integrate SignPath into your GitLab Pipeline: - -* If your GitLab instance has at least one runner with a _Docker Executor_ (like GitLab.com), we recommend using the _SignPath component_ -* If your self-managed GitLab instance does not support runners with _Docker Executors_, you can still download and call our command-line tool manually - -### SignPath component - We provide a `submit-signing-request` component that can be integrated into a GitLab Pipeline: {% raw %} ```yaml include: - - component: gitlab.com/signpath/components/submit-signing-request@0.1 + - component: gitlab.com/signpath-test-root/components/submit-signing-request@0.1 inputs: stage: sign job_name: sign_my_component_a @@ -51,6 +44,7 @@ include: gitlab_artifact_job_name: build_job gitlab_artifact_path: output/my-executable wait_for_completion: true + output_artifact_path: parameters: - myparam: myvalue 
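Review bot: the include path is changed to `gitlab.com/signpath-test-root/components/submit-signing-request@0.1`, which looks like a test namespace; if this reaches the published page, users will pull the signing component from a non-production owner, so it should be the release namespace before merge (PATCH 05 pins the version but keeps `signpath-test-root`). Also `output_artifact_path:` is added with an empty value, which YAML reads as `null` rather than a path; give it an example value or drop the line.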
@@ -65,58 +59,17 @@ build_job: All values can also be provided via environment variables. See the [parameter list](#supported-parameters) for a complete list of all supported inputs. -### `signpath-gitlab` CLI tool - -For all organizations that don't support _Docker Executors_, the `signpath-gitlab` CLI tool can be directly invoked: - -{% raw %} -```yaml -stages: - - build - - sign - -build_job: - stage: build - script: - - echo "Building some software..." - artifacts: - - output/my-executable - -sign_job: - stage: sign - script: - - curl -o signpath-gitlab -L https://download.signpath.io/ci-integrations/gitlab/0.1/linux/x64/signpath-gitlab - - | - ./signpath-gitlab submit-signing-request \ - --api-token $SIGNPATH_API_TOKEN \ - --gitlab-access-token $SIGNPATH_GITLAB_ACCESS_TOKEN \ - --organization-id $SIGNPATH_ORGANIZATION_ID \ - --project-slug MyProject \ - --signing-policy-slug release-signing \ - --gitlab-artifact-job-name build_job \ - --gitlab_artifact_path: output/app.exe \ - --wait-for-completion true \ - --output-artifact-path signed-output \ - --parameters '{ "myparam": "myvalue" }' - artifacts: - - signed-output -``` -{% endraw %} - -All values can also be provided via environment variables. See the [parameter list](#supported-parameters) for a complete list of all supported parameters. - -### Supported parameters +### Setups that don't include _Docker Executors_ -The parameters can be passed to the +For all organizations that don't support _Docker Executors_, we provide a CLI tool can be directly invoked. Please contact our [support team](https://signpath.io/support) for details. 
-* component via _inputs_ or _environment variables_ -* CLI tool via _arguments_ or _environment variables_ +## Supported parameters {%- include render-table.html table=site.data.tables.trusted-build-systems.gitlab-parameters -%} [user-defined parameters]: /documentation/artifact-configuration/syntax#parameters -### Environment variables for subsequent jobs +## Environment variables for subsequent jobs The component invocation will publish a dotenv report and make the following environment variables available in subsequent jobs: From aa2a2f79b79008040769a9f9bf9f99a4bfac678f Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Thu, 27 Nov 2025 17:13:50 +0100 Subject: [PATCH 05/12] finalizes gitlab documentation --- docs/trusted-build-systems/gitlab.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/trusted-build-systems/gitlab.md b/docs/trusted-build-systems/gitlab.md index 3e15b21..a6d9dc7 100644 --- a/docs/trusted-build-systems/gitlab.md +++ b/docs/trusted-build-systems/gitlab.md @@ -32,7 +32,7 @@ We provide a `submit-signing-request` component that can be integrated into a Gi {% raw %} ```yaml include: - - component: gitlab.com/signpath-test-root/components/submit-signing-request@0.1 + - component: gitlab.com/signpath-test-root/components/submit-signing-request@0.1.0 inputs: stage: sign job_name: sign_my_component_a @@ -79,5 +79,3 @@ The component invocation will publish a dotenv report and make the following env `${PREFIX}` defaults to the capitalized name of the signing job in GitLab (`SIGN` by default). -TODO: the term _Pipeline Integrity_ is already used by GitLab: https://docs.gitlab.com/ci/pipeline_security/#pipeline-integrity -TODO: Update SLSA page also From ca7b6bdc44a14c3928c56b7bb5bd7d81ead44d96 Mon Sep 17 00:00:00 2001 
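Review bot: the new sentence "we provide a CLI tool can be directly invoked" in the `@@ -65,58 +59,17 @@` hunk is missing "that"; suggest "we provide a CLI tool that can be invoked directly." With the full CLI sample gone, check whether the reference definition `[user-defined parameters]: /documentation/artifact-configuration/syntax#parameters` that this hunk keeps is still used by a reference-style link anywhere on the page; if not, drop it rather than leave a dangling definition.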
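Review bot: the `@@ -79,5 +79,3 @@` hunk deletes the two TODO lines (the _Pipeline Integrity_ naming clash with GitLab's own feature at https://docs.gitlab.com/ci/pipeline_security/#pipeline-integrity, and updating the SLSA page) without any other change in this series resolving them; if the term is being kept deliberately, say so in the commit message, otherwise track both items somewhere before removing them from the page.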
From: Paul Savoie Date: Thu, 27 Nov 2025 17:20:22 +0100 Subject: [PATCH 06/12] adds changelog for GitLab --- docs/_data/changelog.yml | 12 ++++++++++++ docs/_data/changelog_definitions.yml | 6 ++++++ docs/changelog/feeds/gitlab_component.xml | 4 ++++ docs/changelog/feeds/gitlab_connector.xml | 4 ++++ 4 files changed, 26 insertions(+) create mode 100644 docs/changelog/feeds/gitlab_component.xml create mode 100644 docs/changelog/feeds/gitlab_connector.xml diff --git a/docs/_data/changelog.yml b/docs/_data/changelog.yml index 0d35744..f5ce21b 100644 --- a/docs/_data/changelog.yml +++ b/docs/_data/changelog.yml @@ -1,3 +1,15 @@ +- date: '2025-11-27' + updates: + gitlab_connector: + version: 0.1.0 + new_features: + - text: Initial release + issues: [] + gitlab_component: + version: 0.1.0 + new_features: + - text: Initial release + issues: [] - date: '2025-11-18' updates: application: diff --git a/docs/_data/changelog_definitions.yml b/docs/_data/changelog_definitions.yml index 937e302..e4d30f3 100644 --- a/docs/_data/changelog_definitions.yml +++ b/docs/_data/changelog_definitions.yml @@ -23,6 +23,12 @@ components: - id: github_actions_action label: 'GitHub Action' categories: [github, plugins] + - id: gitlab_connector + label: 'GitLab Connector' + categories: [gitlab, connectors] + - id: gitlab_component + label: 'GitLab Component' + categories: [gitlab, plugins] - id: jenkins_plugin label: 'Jenkins Plugin' categories: [jenkins, plugins] diff --git a/docs/changelog/feeds/gitlab_component.xml b/docs/changelog/feeds/gitlab_component.xml new file mode 100644 index 0000000..f92d659 --- /dev/null +++ b/docs/changelog/feeds/gitlab_component.xml @@ -0,0 +1,4 @@ +--- +layout: null +--- +{% include_relative changelog_feed.md category="gitlab_component" %} \ No newline at end of file diff --git a/docs/changelog/feeds/gitlab_connector.xml b/docs/changelog/feeds/gitlab_connector.xml new file mode 100644 index 0000000..67153da --- /dev/null 
+++ b/docs/changelog/feeds/gitlab_connector.xml @@ -0,0 +1,4 @@ +--- +layout: null +--- +{% include_relative changelog_feed.md category="gitlab_connector" %} \ No newline at end of file From 1c190684f168bd5dfaac8c195451426974d35785 Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Fri, 28 Nov 2025 08:44:51 +0100 Subject: [PATCH 07/12] move gitlab table directly into doc --- docs/_data/tables/trusted-build-systems.yml | 87 --------------------- docs/trusted-build-systems/gitlab.md | 20 ++++- 2 files changed, 19 insertions(+), 88 deletions(-) diff --git a/docs/_data/tables/trusted-build-systems.yml b/docs/_data/tables/trusted-build-systems.yml index 319a589..3c790ef 100644 --- a/docs/_data/tables/trusted-build-systems.yml +++ b/docs/_data/tables/trusted-build-systems.yml 
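Review bot: both new feed files, `gitlab_component.xml` and `gitlab_connector.xml`, end with "\ No newline at end of file"; add the trailing newline so they match the other feed files and do not produce noisy diffs on the next edit. The changelog entries themselves are consistent with the `0.1.0` version pinned in the include sample.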
@@ -115,90 +115,3 @@ github-extended-policies-branch-ruleset-rules: * `tool`: The name of the code scanning tool, e.g. `CodeQL` * `min_alerts_threshold`: one of `none`, `errors` or `warnings` * `min_security_alerts_threshold`: one of `none`, `critical`, `high`, `medium` or `all` - -# Note: The spaces at the end are intentional for new lines in markdown -gitlab-parameters: - headers: - input: Input - default: Default value - description: Description - body: - - input: | - `stage` - default: | - `sign` - description: The GitLab pipeline stage at which the component should be executed. - - input: | - `job_name` - default: | - `submit-signing-request` - description: The name of the given signing job. - - input: | - `connector_url` - default: | - `https://gitlab.connectors.signpath.io` - description: The URL of the SignPath connector. Required if self-managed. - - input: | - `api_token_var_name` - default: | - `SIGNPATH_API_TOKEN` - description: | - The _Api Token_ for a user with submitter permissions in the specified project/signing policy. - The component only allows providing the token via an environment variable. The name of the environment variable can be overwritten using this input. - - input: | - `gitlab_access_token_var_name` - default: | - `SIGNPATH_GITLAB_ACCESS_TOKEN` - description: | - The _GitLab Access Token_ that can be used to retrieve [origin metadata](/documentation/origin-verification) from the GitLab instance. Requires the `read_api` scope. - The component only allows providing the token via an environment variable. The name of the environment variable can be overwritten using this input. - - input: | - `organization_id` - default: (mandatory) - description: The SignPath organization ID. - - input: | - `project_slug` - default: (mandatory) - description: The SignPath project slug. - - input: | - `signing_policy_slug` - default: (mandatory) - description: The SignPath signing policy slug. 
- - input: | - `artifact_configuration_slug` - description: The SignPath artifact configuration slug. - - input: | - `gitlab_artifact_job_name` - default: (mandatory) - description: The name of the job that published the artifact to be signed. - - input: | - `gitlab_artifact_path` - default: (mandatory) - description: The path within the GitLab artifact. - - input: | - `output_artifact_path` - description: Path to where the signed artifact will be stored. - - input: | - `wait_for_completion` - default: | - `true` - description: Wait for the signing request to complete. If set to true, the signed artifact will be published. - - input: | - `parameters` - description: | - List of key/value pairs that map to [user-defined parameters](/artifact-configuration/syntax#parameters) in the Artifact Configuration. - - input: | - `wait_for_completion_timeout_in_seconds` - default: | - `600` - description: Maximum time in seconds that the job/tool will wait for the signing request to complete. - - input: | - `service_unavailable_timeout_in_seconds` - default: | - `600` - description: Total time in seconds that the job/tool will wait for a single service call to succeed (across several retries). - - input: | - `download_signed_artifact_timeout_in_seconds` - default: | - `300` - description: HTTP timeout when downloading the signed artifact. diff --git a/docs/trusted-build-systems/gitlab.md b/docs/trusted-build-systems/gitlab.md index a6d9dc7..0c7a867 100644 --- a/docs/trusted-build-systems/gitlab.md +++ b/docs/trusted-build-systems/gitlab.md 
@@ -65,7 +65,25 @@ For all organizations that don't support _Docker Executors_, we provide a CLI to ## Supported parameters -{%- include render-table.html table=site.data.tables.trusted-build-systems.gitlab-parameters -%} +| Input | Default Value | Description +|-----------------------------------------------|-----------------------------------------|--------------------------- +| `stage` | `sign` | The GitLab pipeline stage at which the component should be executed. +| `job_name` | `submit-signing-request` | The name of the given signing job. +| `connector_url` | `https://gitlab.connectors.signpath.io` | The URL of the SignPath connector. Required if self-managed. +| `api_token_var_name` | `SIGNPATH_API_TOKEN` | The _Api Token_ for a user with submitter permissions in the specified project/signing policy. The component only allows providing the token via an environment variable. The name of the environment variable can be overwritten using this input. +| `gitlab_access_token_var_name` | `SIGNPATH_GITLAB_ACCESS_TOKEN` | The _GitLab Access Token_ that can be used to retrieve [origin metadata](/documentation/origin-verification) from the GitLab instance. Requires the `read_api` scope. The component only allows providing the token via an environment variable. The name of the environment variable can be overwritten using this input. +| `organization_id` | (mandatory) | The SignPath organization ID. +| `project_slug` | (mandatory) | The SignPath project slug. +| `signing_policy_slug` | (mandatory) | The SignPath signing policy slug. +| `artifact_configuration_slug` | | The SignPath artifact configuration slug. +| `gitlab_artifact_job_name` | (mandatory) | The name of the job that published the artifact to be signed. +| `gitlab_artifact_path` | (mandatory) | The path within the GitLab artifact. +| `output_artifact_path` | | Path to where the signed artifact will be stored. +| `wait_for_completion` | `true` | Wait for the signing request to complete. 
If set to true, the signed artifact will be published. +| `parameters` | | List of key/value pairs that map to [user-defined parameters](/artifact-configuration/syntax#parameters) in the Artifact Configuration. +| `wait_for_completion_timeout_in_seconds` | `600` | Maximum time in seconds that the job/tool will wait for the signing request to complete. +| `service_unavailable_timeout_in_seconds` | `600` | Total time in seconds that the job/tool will wait for a single service call to succeed (across several retries). +| `download_signed_artifact_timeout_in_seconds` | `300` | HTTP timeout when downloading the signed artifact. [user-defined parameters]: /documentation/artifact-configuration/syntax#parameters From 227cfda3d1465c250b14364ec866ee7614de0c48 Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Fri, 28 Nov 2025 08:46:34 +0100 Subject: [PATCH 08/12] remove {%raw%} from gitlab --- docs/trusted-build-systems/gitlab.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/trusted-build-systems/gitlab.md b/docs/trusted-build-systems/gitlab.md index 0c7a867..ce9fa15 100644 --- a/docs/trusted-build-systems/gitlab.md +++ b/docs/trusted-build-systems/gitlab.md @@ -29,7 +29,6 @@ The GitLab connector performs the following checks: We provide a `submit-signing-request` component that can be integrated into a GitLab Pipeline: -{% raw %} ```yaml include: - component: gitlab.com/signpath-test-root/components/submit-signing-request@0.1.0 @@ -55,7 +54,6 @@ build_job: artifacts: - output/my-executable ``` -{% endraw %} All values can also be provided via environment variables. See the [parameter list](#supported-parameters) for a complete list of all supported inputs. From 5b4655c8bf4671745aa2f2706c50ea463ebcbbcb Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Fri, 28 Nov 2025 08:49:09 +0100 Subject: [PATCH 09/12] improve text for GitLab --- docs/trusted-build-systems/gitlab.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
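Review bot: in the `parameters` row the inline link goes to `/artifact-configuration/syntax#parameters`, while the reference definition kept two lines below, `[user-defined parameters]: /documentation/artifact-configuration/syntax#parameters`, and the `origin metadata` link in the `gitlab_access_token_var_name` row use the `/documentation/` prefix; one of the two paths is wrong, and the reference definition is no longer used by any reference-style link, so pick the correct path for the inline link and drop the definition. The table also states that both tokens can only be supplied through environment variables (`SIGNPATH_API_TOKEN`, `SIGNPATH_GITLAB_ACCESS_TOKEN`) but says nothing about how to store them; add a sentence recommending masked CI/CD variables (and protected ones for release signing) so the tokens are not printed in job logs and are not available to pipelines on unprotected branches, and recommend that the GitLab token be a project access token limited to the `read_api` scope the row already names rather than a personal access token with broader reach.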
diff --git a/docs/trusted-build-systems/gitlab.md b/docs/trusted-build-systems/gitlab.md index ce9fa15..6966e80 100644 --- a/docs/trusted-build-systems/gitlab.md +++ b/docs/trusted-build-systems/gitlab.md @@ -69,7 +69,7 @@ For all organizations that don't support _Docker Executors_, we provide a CLI to | `job_name` | `submit-signing-request` | The name of the given signing job. | `connector_url` | `https://gitlab.connectors.signpath.io` | The URL of the SignPath connector. Required if self-managed. | `api_token_var_name` | `SIGNPATH_API_TOKEN` | The _Api Token_ for a user with submitter permissions in the specified project/signing policy. The component only allows providing the token via an environment variable. The name of the environment variable can be overwritten using this input. -| `gitlab_access_token_var_name` | `SIGNPATH_GITLAB_ACCESS_TOKEN` | The _GitLab Access Token_ that can be used to retrieve [origin metadata](/documentation/origin-verification) from the GitLab instance. Requires the `read_api` scope. The component only allows providing the token via an environment variable. The name of the environment variable can be overwritten using this input. +| `gitlab_access_token_var_name` | `SIGNPATH_GITLAB_ACCESS_TOKEN` | The _GitLab Access Token_ that is used to retrieve [origin metadata](/documentation/origin-verification) from the GitLab instance. Requires the `read_api` scope. The component only allows providing the token via an environment variable. The name of the environment variable can be overwritten using this input. | `organization_id` | (mandatory) | The SignPath organization ID. | `project_slug` | (mandatory) | The SignPath project slug. | `signing_policy_slug` | (mandatory) | The SignPath signing policy slug. From 6d9935d4369cc082897f602e44148bae7e2cf940 Mon Sep 17 00:00:00 2001 
From: Paul Savoie Date: Fri, 28 Nov 2025 08:51:03 +0100 Subject: [PATCH 10/12] improve text for GitLab --- docs/trusted-build-systems/gitlab.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/trusted-build-systems/gitlab.md b/docs/trusted-build-systems/gitlab.md index 6966e80..c809ead 100644 --- a/docs/trusted-build-systems/gitlab.md +++ b/docs/trusted-build-systems/gitlab.md @@ -76,7 +76,7 @@ For all organizations that don't support _Docker Executors_, we provide a CLI to | `artifact_configuration_slug` | | The SignPath artifact configuration slug. | `gitlab_artifact_job_name` | (mandatory) | The name of the job that published the artifact to be signed. | `gitlab_artifact_path` | (mandatory) | The path within the GitLab artifact. -| `output_artifact_path` | | Path to where the signed artifact will be stored. +| `output_artifact_path` | | Path to where the signed artifact will be stored. If not specified, the task will not download the signed artifact from SignPath. | `wait_for_completion` | `true` | Wait for the signing request to complete. If set to true, the signed artifact will be published. | `parameters` | | List of key/value pairs that map to [user-defined parameters](/artifact-configuration/syntax#parameters) in the Artifact Configuration. | `wait_for_completion_timeout_in_seconds` | `600` | Maximum time in seconds that the job/tool will wait for the signing request to complete. From d00517cd71bdb0f8477d6f77294ca45f08560945 Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Fri, 28 Nov 2025 08:56:53 +0100 Subject: [PATCH 11/12] improved sample and adds info about multiple files --- docs/trusted-build-systems/gitlab.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/trusted-build-systems/gitlab.md b/docs/trusted-build-systems/gitlab.md index c809ead..ff40e70 100644 --- a/docs/trusted-build-systems/gitlab.md +++ b/docs/trusted-build-systems/gitlab.md 
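Review bot: the added sentence "If not specified, the task will not download the signed artifact from SignPath" uses "task" where the rest of the page says component or job, and it leaves open what happens when `output_artifact_path` is set but `wait_for_completion` is `false`, since nothing can be downloaded before the request completes; if that combination simply skips the download, say "If not specified, or if `wait_for_completion` is `false`, the job will not download the signed artifact from SignPath", otherwise document what it does.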
@@ -42,8 +42,7 @@ include: signing_policy_slug: release-signing gitlab_artifact_job_name: build_job gitlab_artifact_path: output/my-executable - wait_for_completion: true - output_artifact_path: + output_artifact_path: output/my-signed-executable parameters: - myparam: myvalue @@ -52,11 +51,17 @@ build_job: script: - echo "Building some software..." artifacts: - - output/my-executable + paths: + - output/my-signed-executable ``` All values can also be provided via environment variables. See the [parameter list](#supported-parameters) for a complete list of all supported inputs. +{:.panel.info} +> **Signing multiple files** +> +> If you want to sign multiple files in a single signing request, you have to create and publish a dedicated ZIP archive in your build step and modify your artifact configuration on SignPath accordingly. + ### Setups that don't include _Docker Executors_ For all organizations that don't support _Docker Executors_, we provide a CLI tool can be directly invoked. Please contact our [support team](https://signpath.io/support) for details. From 30b9fa1a5cf6c8dc2aafbb951fc67a8dbe38115c Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Fri, 28 Nov 2025 09:02:07 +0100 Subject: [PATCH 12/12] fixes env vars --- docs/trusted-build-systems/gitlab.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/trusted-build-systems/gitlab.md b/docs/trusted-build-systems/gitlab.md index ff40e70..8122d5c 100644 --- a/docs/trusted-build-systems/gitlab.md +++ b/docs/trusted-build-systems/gitlab.md @@ -55,7 +55,7 @@ build_job: - output/my-signed-executable ``` -All values can also be provided via environment variables. See the [parameter list](#supported-parameters) for a complete list of all supported inputs. +See the [parameter list](#supported-parameters) for a complete list of all supported inputs. {:.panel.info} > **Signing multiple files**
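Review bot: the `@@ -52,11 +51,17 @@` hunk makes `build_job` publish `output/my-signed-executable`, but the component is configured with `gitlab_artifact_job_name: build_job` and `gitlab_artifact_path: output/my-executable`, so the build job has to publish the unsigned `output/my-executable` or the signing job has nothing to fetch; the signed file is written by the signing job to `output_artifact_path`, and the `wait_for_completion` row already says the component publishes it. Suggest `paths:` followed by `- output/my-executable` under `build_job`. The "Signing multiple files" panel in the same hunk could link to the artifact configuration documentation it tells the reader to modify.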