
Conversation

@meeech
Contributor

@meeech meeech commented Oct 31, 2025

Summary

#591

We would like to add CircleCI as a trusted publisher for pypi (among others).

Release Note

TBD

Documentation

TBD

For Discussion

re: runner_environment: while I copied what codefresh did, I am thinking a better expression of the intent of runner_environment might be something like

runner_environment: {{if eq .'oidc.circleci.com/ssh-rerun' "true"}}ssh-rerun{{ else }}""{{end}}

Basically we should never trust a package from an environment where ssh-rerun was used.

re: SAN - made the same choice as GHA. I am open to changing it though.

Example of OIDC token

This was generated via circleci run oidc get --claims '{"aud": "pypi"}'

aud is the only customizable field in the token.

{
  "aud": "pypi",
  "exp": 1763075032,
  "iat": 1763071432,
  "iss": "https://oidc.circleci.com/org/a64b0a19-f221-4291-b000-8d24bd842b72",
  "oidc.circleci.com/context-ids": [
    "a74579f1-2e7d-451e-b009-5c082ad2729e",
    "cb32986e-2f6f-4f43-b2bd-d3c2fd98e903"
  ],
  "oidc.circleci.com/org-id": "a64b0a19-f221-4291-b000-8d24bd842b72",
  "oidc.circleci.com/pipeline-definition-id": "17c50866-1802-5aeb-874e-7f4dfce1b6b5",
  "oidc.circleci.com/pipeline-id": "cd267951-f409-44fc-a0f0-81512f5840b0",
  "oidc.circleci.com/project-id": "5a301f56-eaa7-4cce-9441-37810f7c8452",
  "oidc.circleci.com/ssh-rerun": false,
  "oidc.circleci.com/vcs-origin": "github.com/circleci-petri/quality-agent-target",
  "oidc.circleci.com/vcs-ref": "refs/heads/main",
  "sub": "org/a64b0a19-f221-4291-b000-8d24bd842b72/project/5a301f56-eaa7-4cce-9441-37810f7c8452/user/ac1a9b7e-9d5e-4cf0-ae16-30af9e8c1cf8/vcs-origin/github.com/circleci-petri/quality-agent-target/vcs-ref/refs/heads/main"
}

@meeech meeech changed the title first stab. thinking its ok to give refs to some of [wipfirst stab. thinking its ok to give refs to some of Oct 31, 2025
@meeech meeech changed the title [wipfirst stab. thinking its ok to give refs to some of [wip] add circleci info to fulcio Oct 31, 2025
@meeech meeech force-pushed the add-circleci branch 2 times, most recently from 8f4ec20 to 9d8bee9 November 13, 2025 22:22
@meeech meeech marked this pull request as ready for review November 13, 2025 22:45
@meeech meeech requested a review from a team as a code owner November 13, 2025 22:45
@meeech
Contributor Author

meeech commented Nov 13, 2025

marking as ready for review as I am ready to discuss this

@meeech
Contributor Author

meeech commented Nov 13, 2025

One of the issues I'm not sure of is how the template system will interact with claims that include a . like oidc.circleci.com/org-id

@haydentherapper
Contributor

Note that with something like runner_environment: {{if eq .'oidc.circleci.com/ssh-rerun' "true"}}ssh-rerun{{ else }}""{{end}}, the runner environment extension will be omitted when the value is an empty string. That sounds like a reasonable way to handle this.

Contributor

@haydentherapper haydentherapper left a comment


This looks good to me! The build signer URI and cert subject being the definition of the pipeline sounds good, with the build config URI pointing to a specific instance of that pipeline.

For handling a period in the token claim name, I got to learn something new! You'll need to use {{ index . "claim.name" }}, or at least I couldn't find another solution. https://go.dev/play/p/kN6slXYC6pC to test this.
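To make the claim-name point concrete, here is an added Go example (not code from this PR or from Fulcio) that reads the ssh-rerun claim out of a decoded token with `index`, maps it to a runner_environment value that is empty when no rerun occurred, and shows that the dot-style reference from the PR description does not even parse. It decodes the raw token JSON directly, so the claim is a Go bool; the sample claims are a constructed subset of the token shown above.

```go
package main

import (
	"encoding/json"
	"strings"
	"text/template"
)

// sampleClaims is a constructed subset of the example token shown in the PR
// description; the claim names and values are copied from that token.
const sampleClaims = `{
  "oidc.circleci.com/ssh-rerun": false,
  "oidc.circleci.com/vcs-origin": "github.com/circleci-petri/quality-agent-target"
}`

// runnerEnvTemplate maps the ssh-rerun claim to the runner_environment value.
// The claim name contains periods, so it is read with `index` rather than
// dot-access. This example decodes the raw token JSON, so the claim is a Go
// bool and is compared with the bool literal true, not the string "true".
const runnerEnvTemplate = `{{ if eq (index . "oidc.circleci.com/ssh-rerun") true }}ssh-rerun{{ else }}{{ end }}`

// renderClaim executes a Go text/template against decoded token claims.
func renderClaim(tmpl string, claims map[string]any) (string, error) {
	t, err := template.New("claim").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, claims); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// runnerEnvironment returns the extension value for a token's claims: "" is the
// case where the extension is omitted, "ssh-rerun" is the value a verifier should reject.
func runnerEnvironment(claimsJSON string) (string, error) {
	var claims map[string]any
	if err := json.Unmarshal([]byte(claimsJSON), &claims); err != nil {
		return "", err
	}
	return renderClaim(runnerEnvTemplate, claims)
}

// dotAccessParses reports whether the PR's original dot-style reference parses;
// it does not, because a claim name with periods and a slash is not a field chain.
func dotAccessParses() bool {
	_, err := template.New("dot").Parse(`{{ if eq .'oidc.circleci.com/ssh-rerun' "true" }}x{{ end }}`)
	return err == nil
}
```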

@meeech
Contributor Author

meeech commented Nov 18, 2025

> This looks good to me! The build signer URI and cert subject being the definition of the pipeline sounds good, with the build config URI pointing to a specific instance of that pipeline.
>
> For handling a period in the token claim name, I got to learn something new! You'll need to use {{ index . "claim.name" }}, or at least I couldn't find another solution. https://go.dev/play/p/kN6slXYC6pC to test this.

Cool, and thanks for that test page. Just want to check I am understanding correctly: in ciprovider/principal.go the ssh-rerun will be cast to a string.

Where is the right place to document the "runner_environment": "ssh-rerun" value and what it represents so people know to reject if it's present?

here's my test sheet: https://go.dev/play/p/jTkisalDZNQ

@haydentherapper
Contributor

> cool. and thanks for that test page. Just want to check I am understanding correctly - in ciprovider/principal.go - the ssh-rerun will be cast to a string.

Correct, all extension values will be strings.

> Where is the right place to document the "runner_environment": "ssh-rerun" value and what it represents so people know to reject if its present?

I'd add it to the table in the CI provider documentation, and I'd suggest publishing documentation on CircleCI like https://docs.gitlab.com/ci/yaml/signing_examples/ that describes how to sign and verify.

@codecov

codecov bot commented Nov 18, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 44.85%. Comparing base (cf238ac) to head (2159a8a).
⚠️ Report is 512 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff             @@
##             main    #2192       +/-   ##
===========================================
- Coverage   57.93%   44.85%   -13.09%     
===========================================
  Files          50       72       +22     
  Lines        3119     4682     +1563     
===========================================
+ Hits         1807     2100      +293     
- Misses       1154     2343     +1189     
- Partials      158      239       +81     


Contributor

@haydentherapper haydentherapper left a comment


LGTM! Just one minor comment. Can you update the PR title once it's ready to be merged?

@meeech meeech changed the title [wip] add circleci info to fulcio add circleci info to fulcio Nov 19, 2025
@haydentherapper
Contributor

haydentherapper commented Nov 19, 2025

I'll get this merged to our staging environment shortly so you can verify the certificate extensions are correct. Once you let me know everything looks good, we can enable it in production.

We should also update Cosign with support for automatically fetching CircleCI credentials from the environment. It looks like CircleCI has support for requesting custom audiences, which is needed as the audience must be sigstore. You can test either by calling Fulcio directly with an identity token, calling cosign sign-blob with --identity-token, or calling cosign sign-blob once we've added support for fetching credentials.

To test against our staging environment from a workflow (this assumes the latest version of Cosign)

# Initialize TUF metadata
curl -O https://raw.githubusercontent.com/sigstore/root-signing-staging/main/metadata/root_history/1.root.json
cosign initialize --mirror=https://tuf-repo-cdn.sigstage.dev --root=1.root.json

# Grab list of staging service URLs
curl -O https://raw.githubusercontent.com/sigstore/root-signing-staging/refs/heads/main/targets/signing_config.v0.2.json

# Sign (the signing config file name must match what curl -O saved above)
cosign sign-blob --signing-config signing_config.v0.2.json --bundle test.sigstore.json README.md

# Inspect extensions
cat test.sigstore.json | jq -r .verificationMaterial.certificate.rawBytes | base64 -d | openssl x509 -text -noout

@haydentherapper haydentherapper merged commit c4d4789 into sigstore:main Nov 19, 2025
13 checks passed
@haydentherapper
Contributor

@meeech I forgot we also needed to add a block like

https://agent.buildkite.com:
  issuer-url: https://agent.buildkite.com
  client-id: sigstore
  type: ci-provider
  ci-provider: *buildkite-type
  contact: [email protected]
  description: "Buildkite Agent OIDC tokens for job identity"
for the URL of the OIDC endpoint to authenticate tokens. Can you add this in another PR?

@meeech meeech deleted the add-circleci branch November 19, 2025 23:46