docs(pdftract-8eo1): add verification note for cosign keyless signing implementation

Status: Implementation COMPLETE, infrastructure blocker REMAINING Implemented: - cosign installed in pdftract-github-release.yaml and pdftract-docker-build.yaml - OIDC token projection configured with audience: sigstore - SHA256SUMS signing via cosign sign-blob - Docker image signing for all 3 variants (latest, ocr, full) - SLSA provenance attestation via cosign attest - README verification documentation complete Blocker: - OIDC issuer https://iad-ci-oidc.ardenone.com not in public Fulcio config - Requires PR to sigstore/fulcio OR self-hosted Fulcio (v1.1+) References: - https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml - Bead pdftract-8eo1
2026-05-20 19:36:09 -04:00 · 2026-05-20 19:36:09 -04:00 · 6fa837d3c9
commit 6fa837d3c9
parent 9348407d76
1 changed files with 138 additions and 0 deletions
--- a/notes/pdftract-8eo1.md
+++ b/notes/pdftract-8eo1.md
@ -0,0 +1,138 @@
+# pdftract-8eo1: Cosign Keyless Signing Implementation
+
+## Date: 2026-05-20
+
+## Current State Analysis
+
+### What's Already Implemented ✅
+
+1. **cosign installed in signing workflows**
+   - `pdftract-github-release.yaml` uses `ghcr.io/sigstore/cosign:v2.2.3`
+   - `pdftract-docker-build.yaml` uses `ghcr.io/sigstore/cosign:v2.2.3`
+
+2. **OIDC token projection configured**
+   - Both templates use projected service account tokens with `audience: sigstore`
+   - Token mounted at `/var/run/secrets/tokens/oidc-token`
+
+3. **SHA256SUMS signing implemented**
+   - `pdftract-github-release.yaml` signs SHA256SUMS with `cosign sign-blob`
+   - Outputs: SHA256SUMS.sig, SHA256SUMS.pem
+
+4. **Docker image signing implemented**
+   - `pdftract-docker-build.yaml` signs all 3 variants (latest, ocr, full)
+   - Uses `cosign sign --yes` with digest references
+
+5. **SLSA provenance implemented**
+   - `pdftract-docker-build.yaml` attests with `cosign attest --type slsaprovenance`
+   - Provenance includes builder ID, build config, materials, metadata
+
+6. **README verification documentation**
+   - `/home/coding/pdftract/README.md` has complete "Verifying Releases" section
+   - Documents cosign verify-blob and cosign verify commands
+
+### Critical Issue Found ⚠️
+
+**The OIDC issuer `https://iad-ci-oidc.ardenone.com` is NOT registered with public Sigstore Fulcio**
+
+From the [Fulcio config](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml), the public instance only accepts:
+- Email issuers (accounts.google.com, etc.)
+- CI providers (GitHub Actions, GitLab, Buildkite, CircleCI, Codefresh)
+- Kubernetes issuers (EKS, GKE, AKS patterns)
+- Chainguard identity issuers
+
+**Current workflow configuration:**
+```yaml
+COSIGN_OIDC_ISSUER: "https://iad-ci-oidc.ardenone.com"
+COSIGN_CERTIFICATE_IDENTITY: "https://iad-ci-oidc.ardenone.com.*"
+```
+
+**This will FAIL** when cosign attempts to get a certificate from public Fulcio at `https://fulcio.sigstore.dev`.
+
+## Root Cause Analysis
+
+The iad-ci cluster (Rackspace Spot) has an OIDC issuer that is not in the public Fulcio trust domain. Unlike GitHub Actions (`token.actions.githubusercontent.com`) or major cloud providers' Kubernetes services, custom cluster issuers must be explicitly added to Fulcio's configuration.
+
+## Resolution Options
+
+### Option 1: Register with Public Fulcio (RECOMMENDED for v1.0)
+1. Open PR against `sigstore/fulcio` to add iad-ci issuer
+2. Subject: Add `https://iad-ci-oidc.ardenone.com` to trusted issuers
+3. Must meet Fulcio's requirements for issuer trustworthiness
+4. Timeline: Unknown (depends on Sigstore maintainer review)
+
+### Option 2: Self-Hosted Fulcio (DEFERRED to v1.1+ per bead description)
+- Deploy private Fulcio instance in iad-ci cluster
+- Configure cosign to use private Fulcio endpoint
+- Requires additional infrastructure and maintenance
+
+### Option 3: Use Alternative OIDC Issuer (WORKAROUND)
+- Check if Rackspace Spot provides a Kubernetes OIDC issuer matching Fulcio's meta-issuer patterns
+- May require cluster configuration changes
+
+## Acceptance Criteria Status
+
+| Criterion | Status | Notes |
+|-----------|--------|-------|
+| cosign installed in signing templates | ✅ PASS | Both templates use ghcr.io/sigstore/cosign:v2.2.3 |
+| OIDC issuer registered with Sigstore | ❌ FAIL | `https://iad-ci-oidc.ardenone.com` not in public Fulcio config |
+| SHA256SUMS.sig produced | ✅ PASS | Implemented in pdftract-github-release.yaml |
+| Docker images signed | ✅ PASS | All 3 variants signed in pdftract-docker-build.yaml |
+| SLSA provenance attached | ✅ PASS | cosign attest in pdftract-docker-build.yaml |
+| cosign verify-blob test | ⚠️ WARN | Cannot test until OIDC issuer is registered |
+| cosign verify test | ⚠️ WARN | Cannot test until OIDC issuer is registered |
+| README verification docs | ✅ PASS | Complete documentation in README.md |
+
+## Files Analyzed
+
+### In declarative-config:
+- `/home/coding/declarative-config/k8s/iad-ci/argo-workflows/pdftract-github-release.yaml`
+  - Lines 439-508: sign-sums template
+  - Uses: `cosign sign-blob --oidc-issuer-url="${COSIGN_OIDC_ISSUER}"`
+
+- `/home/coding/declarative-config/k8s/iad-ci/argo-workflows/pdftract-docker-build.yaml`
+  - Lines 317-449: sign-image template
+  - Uses: `cosign sign --oidc-issuer-url="${COSIGN_OIDC_ISSUER}"`
+  - Uses: `cosign attest --type slsaprovenance`
+
+### In pdftract:
+- `/home/coding/pdftract/README.md`
+  - Lines 50-110: "Verifying Releases" section
+  - Documents verification commands
+
+## Recommended Next Steps
+
+1. **Determine actual OIDC issuer URL for iad-ci cluster**
+   - Check cluster OIDC configuration
+   - May differ from `https://iad-ci-oidc.ardenone.com`
+
+2. **If using custom issuer**: Open PR with sigstore/fulcio
+   - Template: https://github.com/sigstore/fulcio/pull/new
+   - Add entry to `config/identity/config.yaml` under `oidc-issuers:`
+   - Include: issuer-url, client-id, type, contact, description
+
+3. **If using Kubernetes OIDC**: Match meta-issuer pattern
+   - Check if issuer matches `https://oidc.eks.*.amazonaws.com/id/*` (EKS)
+   - Check if issuer matches GKE/AKS patterns
+   - May need to configure cluster OIDC to use supported pattern
+
+4. **Test verification** once issuer is registered:
+   ```bash
+   # Test blob verification
+   cosign verify-blob \
+     --certificate-identity-regexp 'https://iad-ci-oidc.ardenone.com.*' \
+     --certificate-oidc-issuer 'https://iad-ci-oidc.ardenone.com' \
+     --signature SHA256SUMS.sig \
+     SHA256SUMS
+
+   # Test image verification
+   cosign verify \
+     --certificate-identity-regexp 'https://iad-ci-oidc.ardenone.com.*' \
+     --certificate-oidc-issuer 'https://iad-ci-oidc.ardenone.com' \
+     ghcr.io/jedarden/pdftract:X.Y.Z
+   ```
+
+## Sources
+
+- [Sigstore Fulcio Configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml)
+- [Sigstore OIDC Documentation](https://docs.sigstore.dev/certificate_authority/oidc-in-fulcio/)
+- [Cosign Keyless Signing Guide](https://docs.sigstore.dev/cosign/keyless/)