From 37a3f115f2205b437d2c15c79dd4b903666e270c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Mon, 17 Jan 2022 16:47:12 -0500
Subject: [PATCH] another option for code signing that is interesting

---
 howto/gitlab.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/howto/gitlab.md b/howto/gitlab.md
index 20648d6ef..4e6ebd78b 100644
--- a/howto/gitlab.md
+++ b/howto/gitlab.md
@@ -1199,6 +1199,28 @@ explicitly says:
 We do not currently have plans to get rid of OpenPGP internally, but
 it's still nice to have options.
 
+### Lorenc: sigstore
+
+[Dan Lorenc][], an engineer at Google, designed a tool that allows
+users to sign "artifacts". Typically, those are container images
+(e.g. [cosign](https://github.com/sigstore/cosign) is named so because it signs "containers"), but
+anything can be signed.
+
+It also works with a transparency log server called [rekor](https://github.com/sigstore/rekor). They
+run a public instance, but we could also run our own. It is currently
+unclear if we could have both, but it's apparently possible to run a
+"monitor" that would check the log for consistency.
+
+There's also a system for [signing binaries with ephemeral keys](https://shibumi.dev/posts/first-look-into-cosign/)
+which seems counter-intuitive but actually works nicely for CI jobs.
+
+Seems very promising, maintained by Google, RedHat, and supported by
+the Linux foundation. Complementary to [in-toto][] and [TUF][].
+
+[TUF]: https://theupdateframework.io/
+[in-toto]: https://github.com/in-toto/in-toto
+[Dan Lorenc]: https://github.com/dlorenc
+
 ### Other caveats
 
 Also note that git has limited security guarantees regarding
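Review bot: the "ephemeral keys" paragraph says the scheme "works nicely for CI jobs" but never says what a verifier trusts once the key is gone, which is the one thing a reader of a code-signing howto needs for a threat model. Suggest adding a sentence stating what replaces the long-lived key as the trust anchor (the binding of the signer's identity to the short-lived key, plus the signature's entry in the rekor transparency log named two paragraphs earlier), and noting that verification therefore depends on trusting whichever log instance is used. Along the same line, "It is currently unclear if we could have both" should spell out the trade-off it hints at: using the public instance means trusting a third party's log, running our own means operating it, and a "monitor" is only useful if the document says what it checks (the hunk says "consistency", which is the right word, but a reader will not know whether that means log append-only behaviour, inclusion of our entries, or both). Minor: "RedHat" should be "Red Hat", and the heading "### Lorenc: sigstore" names a person while the paragraph describes a project; if the surrounding sections are deliberately titled by author this is fine, otherwise "### sigstore" reads better.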
-- 
GitLab