diff --git a/docs/oid-info.md b/docs/oid-info.md index 1d85f272a..ecdd1212b 100644 --- a/docs/oid-info.md +++ b/docs/oid-info.md 
@@ -189,28 +189,27 @@ that Sigstore operates. ## Mapping OIDC token claims to Fulcio OIDs -| GitHub [(docs)][github-oidc-doc] | GitLab [(docs)](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload) | CircleCI | Buildkite | Codefresh [(docs)](https://codefresh.io/docs/docs/integrations/oidc-pipelines/) | Fulcio Certificate Extension | Why / Notes / Questions | -|----------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|----------|--------------|---------------------------------------------------------------------------------|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| aud | aud | aud | aud | aud | N/A | Only used to validate the JWT. | -| iss | iss | iss | iss | iss | Issuer | This already exists. For example: https://token.actions.githubusercontent.com | -| exp | exp | exp | exp | exp | N/A | Only used to validate the JWT. | -| nbf | nbf | nbf | nbf | nbf | N/A | Only used to validate the JWT. Optional, as per the OIDC spec | -| iat | iat | iat | iat | iat | N/A | Only used to validate the JWT. | -| server_url + job_workflow_ref | ci_config_ref_uri ([WIP][gitlab-wip-cliams]) | ?? | ?? | platform_url + /build/ + workflow_id | Build Signer URI | Reference to specific build instructions that are responsible for signing. Can be the same as Build Config URI. For example a reusable workflow in GitHub Actions or a Circle CI Orbs. | -| job_workflow_sha | ci_config_sha ([WIP][gitlab-wip-cliams]) | ?? | ?? | N/A | Build Signer Digest | An immutable reference to the specific version of the build instructions that is responsible for signing. May include the digest type followed by the digest, e.g. `sha1:abc123`. 
| -| runner_environment | runner_environment | ?? | ?? | runner_environment | Runner Environment | For platforms to specify whether the build took place in platform-hosted cloud infrastructure or customer-hosted infrastructure. For example: `platform-hosted` and `self-hosted`. | -| server_url + repository | server_url + project_path | ?? | ?? | scm_repo_url | Source Repository URI | Should include a fully qualified repository URL. | -| sha | sha | ?? | build_commit | N/A | Source Repository Digest | An immutable reference to a specific version of the source code. May include the digest type followed by the digest, e.g. `sha1:abc123`. | -| ref | ref | ?? | build_branch | scm_ref | Source Repository Ref | The source ref that the build run was based upon. For example: refs/head/main. | -| repository_id | project_id | ?? | ?? | N/A | Source Repository Identifier | Stable identifier for the owner of the source repository. | -| server_url + repository_owner | server_url + namespace_path | ?? | ?? | N/A | Source Repository Owner URI | Fully qualified URL for the owner of the source repository. | -| repository_owner_id | namespace_id | ?? | ?? | N/A | Source Repository Owner Identifier | Stable identifier for the owner of the source repository. | -| server_url + workflow_ref | ci_config_ref_uri ([WIP][gitlab-wip-cliams]) | ?? | ?? | platform_url + /api/pipelines/ + pipeline_id | Build Config URI | A reference to the initiating build instructions. | -| workflow_sha | ci_config_sha ([WIP][gitlab-wip-cliams]) | ?? | ?? | N/A | Build Config Digest | An immutable reference to the specific version of the top-level build instructions. May include the digest type followed by the digest, e.g. `sha1:abc123`. | -| event_name | pipeline_source | ?? | ?? | N/A | Build Trigger | The event or action that triggered the build. | -| server_url + repository + "/actions/runs/" + run_id + "/attempts/" + run_attempt | server_url + project_path + /-/jobs/ + job_id | ?? | ?? 
| platform_url + /build/ + workflow_id | Run Invocation URI | An immutable identifier that can uniquely identify the build execution | -| repository_visibility | project_visibility | ?? | ?? | N/A | Source Repository Visibility At Signing | Source repository visibility at the time of signing the certificate | +| GitHub [(docs)][github-oidc-doc] | GitLab [(docs)](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload) | Buildkite [(docs)](https://buildkite.com/docs/agent/v3/cli-oidc#claims) | Codefresh [(docs)](https://codefresh.io/docs/docs/integrations/oidc-pipelines/) | Fulcio Certificate Extension | Why / Notes / Questions | +|----------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------------------------------------|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| aud | aud | aud | aud | N/A | Only used to validate the JWT. | +| iss | iss | iss | iss | Issuer | This already exists. For example: https://token.actions.githubusercontent.com | +| exp | exp | exp | exp | N/A | Only used to validate the JWT. | +| nbf | nbf | nbf | nbf | N/A | Only used to validate the JWT. Optional, as per the OIDC spec | +| iat | iat | iat | iat | N/A | Only used to validate the JWT. | +| server_url + job_workflow_ref | "https://" + ci_config_ref_uri | N/A | platform_url + "/build/" + workflow_id | Build Signer URI | Reference to specific build instructions that are responsible for signing. Can be the same as Build Config URI. For example a reusable workflow in GitHub Actions or a Circle CI Orbs. 
| +| job_workflow_sha | ci_config_sha | N/A | N/A | Build Signer Digest | An immutable reference to the specific version of the build instructions that is responsible for signing. May include the digest type followed by the digest, e.g. `sha1:abc123`. | +| runner_environment | runner_environment | N/A | runner_environment | Runner Environment | For platforms to specify whether the build took place in platform-hosted cloud infrastructure or customer-hosted infrastructure. For example: `platform-hosted` and `self-hosted`. | +| server_url + repository | server_url + project_path | N/A | scm_repo_url | Source Repository URI | Should include a fully qualified repository URL. | +| sha | sha | N/A | N/A | Source Repository Digest | An immutable reference to a specific version of the source code. May include the digest type followed by the digest, e.g. `sha1:abc123`. | +| ref | "ref/heads/" + ref **OR** "ref/tags/" + ref | N/A | scm_ref | Source Repository Ref | The source ref that the build run was based upon. For example: refs/head/main. | +| repository_id | project_id | N/A | N/A | Source Repository Identifier | Stable identifier for the owner of the source repository. | +| server_url + repository_owner | server_url + namespace_path | N/A | N/A | Source Repository Owner URI | Fully qualified URL for the owner of the source repository. | +| repository_owner_id | namespace_id | N/A | N/A | Source Repository Owner Identifier | Stable identifier for the owner of the source repository. | +| server_url + workflow_ref | "https://" + ci_config_ref_uri | N/A | platform_url + "/api/pipelines/" + pipeline_id | Build Config URI | A reference to the initiating build instructions. | +| workflow_sha | ci_config_sha | N/A | N/A | Build Config Digest | An immutable reference to the specific version of the top-level build instructions. May include the digest type followed by the digest, e.g. `sha1:abc123`. 
| +| event_name | pipeline_source | N/A | N/A | Build Trigger | The event or action that triggered the build. | +| server_url + repository + "/actions/runs/" + run_id + "/attempts/" + run_attempt | server_url + project_path + "/-/jobs/" + job_id | N/A | platform_url + "/build/" + workflow_id | Run Invocation URI | An immutable identifier that can uniquely identify the build execution | +| repository_visibility | project_visibility | N/A | N/A | Source Repository Visibility At Signing | Source repository visibility at the time of signing the certificate | [github-oidc-doc]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token [oid-link]: http://oid-info.com/get/1.3.6.1.4.1.57264 -[gitlab-wip-cliams]: https://gitlab.com/gitlab-org/gitlab/-/issues/404722
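Review bot: the new GitLab Source Repository Ref mapping `"ref/heads/" + ref **OR** "ref/tags/" + ref` uses the wrong namespace; fully qualified Git refs live under `refs/` (`refs/heads/...`, `refs/tags/...`), and the Notes cell of that same row has the pre-existing typo `refs/head/main`, which should read `refs/heads/main`, so both should be corrected while this row is being touched. Two further points in this hunk: the Buildkite column changes Source Repository Digest and Source Repository Ref from `build_commit` / `build_branch` to `N/A` while at the same time adding a Buildkite claims doc link; if those two claims are still issued the earlier mapping should be kept, and if the drop is intentional the Notes column should say why. Finally, the Build Signer URI notes still cite "a Circle CI Orbs" as an example although the CircleCI column is removed, and the Source Repository Identifier row still says "Stable identifier for the owner of the source repository", duplicating the Owner Identifier row; suggest "Stable identifier for the source repository."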