pdftract/notes/pdftract-8eo1.md
jedarden 6fa837d3c9 docs(pdftract-8eo1): add verification note for cosign keyless signing implementation
Status: Implementation COMPLETE, infrastructure blocker REMAINING

Implemented:
- cosign installed in pdftract-github-release.yaml and pdftract-docker-build.yaml
- OIDC token projection configured with audience: sigstore
- SHA256SUMS signing via cosign sign-blob
- Docker image signing for all 3 variants (latest, ocr, full)
- SLSA provenance attestation via cosign attest
- README verification documentation complete

Blocker:
- OIDC issuer https://iad-ci-oidc.ardenone.com not in public Fulcio config
- Requires PR to sigstore/fulcio OR self-hosted Fulcio (v1.1+)

References:
- https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml
- Bead pdftract-8eo1
2026-05-20 19:36:09 -04:00


pdftract-8eo1: Cosign Keyless Signing Implementation

Date: 2026-05-20

Current State Analysis

What's Already Implemented

  1. cosign installed in signing workflows

    • pdftract-github-release.yaml uses ghcr.io/sigstore/cosign:v2.2.3
    • pdftract-docker-build.yaml uses ghcr.io/sigstore/cosign:v2.2.3
  2. OIDC token projection configured

    • Both templates use projected service account tokens with audience: sigstore
    • Token mounted at /var/run/secrets/tokens/oidc-token
  3. SHA256SUMS signing implemented

    • pdftract-github-release.yaml signs SHA256SUMS with cosign sign-blob
    • Outputs: SHA256SUMS.sig, SHA256SUMS.pem
  4. Docker image signing implemented

    • pdftract-docker-build.yaml signs all 3 variants (latest, ocr, full)
    • Uses cosign sign --yes with digest references
  5. SLSA provenance implemented

    • pdftract-docker-build.yaml attests with cosign attest --type slsaprovenance
    • Provenance includes builder ID, build config, materials, metadata
  6. README verification documentation

    • /home/coding/pdftract/README.md has complete "Verifying Releases" section
    • Documents cosign verify-blob and cosign verify commands

Critical Issue Found ⚠️

The OIDC issuer https://iad-ci-oidc.ardenone.com is NOT registered with the public Sigstore Fulcio instance.

From the Fulcio config, the public instance only accepts:

  • Email issuers (accounts.google.com, etc.)
  • CI providers (GitHub Actions, GitLab, Buildkite, CircleCI, Codefresh)
  • Kubernetes issuers (EKS, GKE, AKS patterns)
  • Chainguard identity issuers

Current workflow configuration:

COSIGN_OIDC_ISSUER: "https://iad-ci-oidc.ardenone.com"
COSIGN_CERTIFICATE_IDENTITY: "https://iad-ci-oidc.ardenone.com.*"

This will FAIL when cosign attempts to get a certificate from public Fulcio at https://fulcio.sigstore.dev.

Root Cause Analysis

The iad-ci cluster (Rackspace Spot) has an OIDC issuer that is not in the public Fulcio trust domain. Unlike GitHub Actions (token.actions.githubusercontent.com) or major cloud providers' Kubernetes services, custom cluster issuers must be explicitly added to Fulcio's configuration.

Resolution Options

Option 1: Open PR against sigstore/fulcio to add iad-ci issuer

  • Subject: Add https://iad-ci-oidc.ardenone.com to trusted issuers
  • Must meet Fulcio's requirements for issuer trustworthiness
  • Timeline: Unknown (depends on Sigstore maintainer review)

Option 2: Self-Hosted Fulcio (DEFERRED to v1.1+ per bead description)

  • Deploy private Fulcio instance in iad-ci cluster
  • Configure cosign to use private Fulcio endpoint
  • Requires additional infrastructure and maintenance

Option 3: Use Alternative OIDC Issuer (WORKAROUND)

  • Check if Rackspace Spot provides a Kubernetes OIDC issuer matching Fulcio's meta-issuer patterns
  • May require cluster configuration changes

Acceptance Criteria Status

| Criterion | Status | Notes |
|---|---|---|
| cosign installed in signing templates | PASS | Both templates use ghcr.io/sigstore/cosign:v2.2.3 |
| OIDC issuer registered with Sigstore | FAIL | https://iad-ci-oidc.ardenone.com not in public Fulcio config |
| SHA256SUMS.sig produced | PASS | Implemented in pdftract-github-release.yaml |
| Docker images signed | PASS | All 3 variants signed in pdftract-docker-build.yaml |
| SLSA provenance attached | PASS | cosign attest in pdftract-docker-build.yaml |
| cosign verify-blob test | ⚠️ WARN | Cannot test until OIDC issuer is registered |
| cosign verify test | ⚠️ WARN | Cannot test until OIDC issuer is registered |
| README verification docs | PASS | Complete documentation in README.md |

Files Analyzed

In declarative-config:

  • /home/coding/declarative-config/k8s/iad-ci/argo-workflows/pdftract-github-release.yaml

    • Lines 439-508: sign-sums template
    • Uses: cosign sign-blob --oidc-issuer-url="${COSIGN_OIDC_ISSUER}"
  • /home/coding/declarative-config/k8s/iad-ci/argo-workflows/pdftract-docker-build.yaml

    • Lines 317-449: sign-image template
    • Uses: cosign sign --oidc-issuer-url="${COSIGN_OIDC_ISSUER}"
    • Uses: cosign attest --type slsaprovenance

In pdftract:

  • /home/coding/pdftract/README.md

    • Lines 50-110: "Verifying Releases" section
    • Documents verification commands

  1. Determine actual OIDC issuer URL for iad-ci cluster

    • Check cluster OIDC configuration
    • May differ from https://iad-ci-oidc.ardenone.com
  2. If using custom issuer: Open PR with sigstore/fulcio

  3. If using Kubernetes OIDC: Match meta-issuer pattern

    • Check if issuer matches https://oidc.eks.*.amazonaws.com/id/* (EKS)
    • Check if issuer matches GKE/AKS patterns
    • May need to configure cluster OIDC to use supported pattern
  4. Test verification once issuer is registered:

    # Test blob verification
    cosign verify-blob \
      --certificate-identity-regexp 'https://iad-ci-oidc.ardenone.com.*' \
      --certificate-oidc-issuer 'https://iad-ci-oidc.ardenone.com' \
      --signature SHA256SUMS.sig \
      SHA256SUMS
    
    # Test image verification
    cosign verify \
      --certificate-identity-regexp 'https://iad-ci-oidc.ardenone.com.*' \
      --certificate-oidc-issuer 'https://iad-ci-oidc.ardenone.com' \
      ghcr.io/jedarden/pdftract:X.Y.Z
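Added example (not code from pdftract, cosign or Fulcio) for the root cause above and for step 1 of the next steps: it reads the iss and aud claims off a projected service-account token and checks the issuer against a constructed subset of Fulcio's identity config. Assumptions: the config entries are a small hand-copied subset (the real list is config/identity/config.yaml in sigstore/fulcio), glob matching via fnmatch approximates Fulcio's meta-issuer lookup, and the sub claim and tokens are constructed test input.

```python
import base64
import fnmatch
import json

# Constructed subset of Fulcio's public identity config: oidc-issuers match
# exactly, meta-issuers are glob patterns (real list: config/identity/config.yaml).
FULCIO_OIDC_ISSUERS = {
    "https://accounts.google.com",
    "https://token.actions.githubusercontent.com",
}
FULCIO_META_ISSUERS = {"https://oidc.eks.*.amazonaws.com/id/*"}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def token_claims(jwt: str) -> dict:
    """Payload of a compact JWT, signature NOT checked: this reads a token the
    pod already holds, it does not establish trust in it."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def fulcio_accepts(issuer: str) -> bool:
    """Exact match, then glob match: an approximation of Fulcio's lookup."""
    if issuer in FULCIO_OIDC_ISSUERS:
        return True
    return any(fnmatch.fnmatchcase(issuer, pat) for pat in FULCIO_META_ISSUERS)

def check_token(jwt: str) -> dict:
    """Issuer, whether 'sigstore' is an audience, and whether Fulcio accepts it."""
    claims = token_claims(jwt)
    aud = claims.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    iss = claims.get("iss", "")
    return {"issuer": iss, "audience_ok": "sigstore" in auds,
            "fulcio_ok": fulcio_accepts(iss)}

def constructed_token(iss: str, aud) -> str:
    """Unsigned demo token (empty signature) standing in for the projected
    service-account token; real ones are signed by the cluster."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(
        {"iss": iss, "aud": aud, "sub": "system:serviceaccount:argo:demo"}).encode())
    return f"{header}.{payload}."
```

Running check_token on the contents of /var/run/secrets/tokens/oidc-token inside the signing pod shows the actual iss claim, which decides between Option 1 and Option 3 above.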
    

Sources