diff --git a/doc/ci/yaml/signing_examples.md b/doc/ci/yaml/signing_examples.md index 0ff0a528e9b8ccefd30ae03a1144554d4d2f7e96..1856d10ca69fa4d4f5b3ec372c667473460514c8 100644 --- a/doc/ci/yaml/signing_examples.md +++ b/doc/ci/yaml/signing_examples.md @@ -11,12 +11,12 @@ DETAILS: **Offering:** GitLab.com The [Sigstore](https://www.sigstore.dev/) project provides a CLI called -[Cosign](https://docs.sigstore.dev/signing/quickstart/) which can be used for keyless signing of container images built +[Cosign](https://docs.sigstore.dev/quickstart/quickstart-cosign/) which can be used for keyless signing of container images built with GitLab CI/CD. Keyless signing has many advantages, including eliminating the need to manage, safeguard, and rotate a private key. Cosign requests a short-lived key pair to use for signing, records it on a certificate transparency log, and then discards it. The key is generated through a token obtained from the GitLab server using the OIDC identity of the user who ran the pipeline. This token includes unique claims that certify the token was generated by a CI/CD pipeline. To learn more, -see Cosign [documentation](https://docs.sigstore.dev/signing/quickstart/#example-working-with-containers) on keyless signatures. +see Cosign [documentation](https://docs.sigstore.dev/quickstart/quickstart-cosign/#example-working-with-containers) on keyless signatures. For details on the mapping between GitLab OIDC claims and Fulcio certificate extensions, see the GitLab column of [Mapping OIDC token claims to Fulcio OIDs](https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#mapping-oidc-token-claims-to-fulcio-oids). 
@@ -44,11 +44,11 @@ Prerequisites: - When signing container images, sign the digest (which is immutable) instead of the tag. GitLab [ID tokens](../secrets/id_token_authentication.md#id-tokens) can be used by Cosign for -[keyless signing](https://docs.sigstore.dev/signing/quickstart/). The token must have +[keyless signing](https://docs.sigstore.dev/quickstart/quickstart-cosign/#keyless-signing-of-a-container). The token must have `sigstore` set as the [`aud`](../secrets/id_token_authentication.md#token-payload) claim. The token can be used by Cosign automatically when it is set in the `SIGSTORE_ID_TOKEN` environment variable. -To learn more about how to install Cosign, see [Cosign Installation documentation](https://docs.sigstore.dev/system_config/installation/). +To learn more about how to install Cosign, see [Cosign Installation documentation](https://docs.sigstore.dev/cosign/system_config/installation/). ### Signing @@ -63,14 +63,14 @@ include: - template: Cosign.gitlab-ci.yml ``` -To learn more about signing containers, see [Cosign Signing Containers documentation](https://docs.sigstore.dev/signing/signing_with_containers/). +To learn more about signing containers, see [Cosign Signing Containers documentation](https://docs.sigstore.dev/cosign/signing/signing_with_containers/). #### Build artifacts The example below demonstrates how to sign a build artifact in GitLab CI. You should save the `cosign.bundle` file produced by `cosign sign-blob`, which is used for signature verification. -To learn more about signing artifacts, see [Cosign Signing Blobs documentation](https://docs.sigstore.dev/signing/signing_with_blobs/). +To learn more about signing artifacts, see [Cosign Signing Blobs documentation](https://docs.sigstore.dev/cosign/signing/signing_with_blobs/). ```yaml build_and_sign_artifact: 
@@ -102,7 +102,7 @@ build_and_sign_artifact: | `--certificate-oidc-issuer` | The GitLab instance URL where the image/artifact was signed. For example, `https://gitlab.com`. | | `--bundle` | The `bundle` file produced by `cosign sign-blob`. Only used for verifying build artifacts. | -To learn more about verifying signed images/artifacts, see [Cosign Verifying documentation](https://docs.sigstore.dev/verifying/verify/). +To learn more about verifying signed images/artifacts, see [Cosign Verifying documentation](https://docs.sigstore.dev/cosign/verifying/verify/). #### Container images
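Review bot: In the first hunk, the fragment `#example-working-with-containers` is carried over verbatim from the old `/signing/quickstart/` page onto the new `/quickstart/quickstart-cosign/` page in the second `+` line; since the path itself was restructured, confirm that heading still exists at the new location, otherwise the link silently lands at the top of the page instead of the keyless-signature example the sentence promises. The first `+` line links the same page without a fragment and is safe either way.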
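Review bot: In the second hunk the keyless-signing link gains the container-specific fragment `#keyless-signing-of-a-container`, but the sentence it belongs to ("GitLab ID tokens can be used by Cosign for keyless signing. The token must have `sigstore` set as the `aud` claim") also governs the `#### Build artifacts` section and `cosign sign-blob` further down in the same hunk; consider linking the quickstart page without the fragment, or pointing blob users at the matching blob section, so readers signing build artifacts are not sent to container-only steps. The installation link change to `/cosign/system_config/installation/` is consistent with the other `/cosign/` paths introduced in the patch.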
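Review bot: The third hunk's `/cosign/verifying/verify/` update follows the same pattern as the others, and all three hunks hand-edit individual docs.sigstore.dev URLs; it is worth running a link check over the whole file before merging so that any remaining old-style `/signing/` or `/verifying/` paths not covered by this patch are caught in the same change rather than in a follow-up.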