chore: create initial repository layout and package

[Racer159]

This sets up the initial repository layout and package for the uds sigstore package.

[bburky]

TODO. Remind me if I don't get back to this

• rekor PKI. What CA root will it use?
• fulcio use non-exportable crypto (KMS or HSM)
• rekor non-exportable crypto
• ct non-exportable crypto
• rekor and ct uptime requirements? (is it like WebPKI where the CT log "fails" if it's down?)
• GitLab JWTs are ok-ish for OIDC signing. Better would be at a even lower root from infra. Like I think some of the AWS things can give you attestation too. Maybe just do dual Cosign signatures with each identity? Especially if we use dedicated EC2s to improve runner security sandboxing/isolation
• uds/zarf sigs? (basically, review things that would actually use the signatures that this creates)
  • Does zarf preserve image hashes?
  • zarf/uds does not currently use oci cosign signatures, should it? these are more secure in some respects, can be validated before decompression. Less good if the signature can't be transferred to zarf/uds tarballs
  • uds mutates zarf packages? this would invalidate signatures?
  • zarf probably should check cosign oci signatures during create? checking during deploy isn't needed probably
  • Does Zarf copy cosign image signatures into the zarf registry during deploy?
• How/when/if we plan to have UDS check image signatures at runtime?
  • runtime is good, because if any other images run in the cluster (from k8s distro, or externally from non-zarf-injected images) they get verified too
• Keycloak security
  • Keycloak support for public clients and device flow (enables sigstore) uds-core#509 (comment)
  • This also changes the security model of keycloak/OIDC to become a source of trust for artifacts too.

[zachariahmiller]

See review comments. I have deployed locally and everything appears good. As the tests are primarily status checks though it would be nice to additionally have a test that validates the tools working together and/or some sort of quickstart doc to verify everything is working together correctly.

[bburky]

current sigstore stack to use (basically all of sigstore)

• rekor
• ctlog
• fulcio
• trillian
• tsa
• tuf

In support of using witness to do in-toto attestations of GitLab CI pipeline runs, using JWT identity. In-toto attestations will be stored in archivista.

Not currently supporting UDS package development or UDS prod deployment (will be for SWF customer envs only).

[zachariahmiller]

@Racer159 So aside from my comment (bump task versions) i think its good to go for the initial testing/proof of concept. Most of what would be outstanding beyond that is noted in your TODOs, but i think mostly amounts to:

1. monitoring
2. flavor if even possible (assuming not)
3. Using external Mariadb package
4. not using the memory signer for tsa
5. proper testing implemented in repo.
6. removal of the peer auth (probably by getting uds-core to support k8s native sidecars)

If you can bump the task versions happy to approve.

[zachariahmiller]

[Racer159]

(added issues for the above follow ons)