Environment variable ID token detection

[wlynch]

Description

I'd like to propose adding environment variable OIDC token detection for cosign.

Main use case is to support GitLab CI OIDC tokens - see sigstore/fulcio#983 for more details.

Proposal

Today, users can already use arbitrary OIDC tokens by using the --identity-token flag.

cosign sign --identity-token=${TOKEN} ...

To make this easier, I want to allow cosign to detect a token from environment variables.
To help avoid collisions with existing token variables, we should use a prefixed value such as SIGSTORE_ID_TOKEN.

This could also be used to allow other CI providers to hook in without needing additional changes to cosign (though I'm still in support for allowing custom providers per host).

Example: GitLab

build:
  stage: build
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  script:
     - cosign sign registry.gitlab.com/my-image

I'm happy to implement this.

Previous GitLab related issues:

• GitLab provider #2697
• Add GitLab Support for Ambient Credential Detection #1254

[haydentherapper]

I believe this has been implemented, prefixing the variable with COSIGN_ currently - #2346

[priyawadhwa]

How would this be different from setting COSIGN_IDENTITY_TOKEN?

[wlynch]

I didn't know about COSIGN_IDENTITY_TOKEN! (it wasn't implemented as a provider so I didn't see it)

I'd like to standardize on a SIGSTORE_ prefix so that we can have a consistent environment variable across clients, and implement this as a provider so it's easier to pull into other clients like Gitsign (until sigstore-go takes over providers).

[znewman01]

I wonder if it's worth trying to solve the COSIGN_ / SIGSTORE_ env var issue once and for all by accepting them both for every env var.