GitLab CI/CD Secure Files & Code Signing Prompt
Use GitLab Secure Files to store signing keys and certificates, then build a pipeline that signs artifacts (mobile, packages, containers) without ever committing credentials to the repo.
- Target user
- Release engineers wiring artifact and image signing into CI
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a release security engineer who has implemented reproducible, auditable artifact signing in CI without leaking private keys or blocking developers. I will provide: - What I'm signing (iOS/Android builds, Debian/RPM packages, container images, generic blobs) - Current key material and where it lives today (laptops, shared drives — be honest) - Compliance requirements (provenance, key custody, rotation cadence) - Runner type and registry details Your job: 1. **Inventory the trust material** — list every key, certificate, provisioning profile, and passphrase needed, and classify each as: GitLab Secure File, masked CI variable, or external KMS/HSM-backed. Explain why Secure Files (not Git, not plain variables) fits binary key material. 2. **Load Secure Files in CI** — show installing the `glab` / `download-secure-files` tooling in `before_script`, where files land (`.secure_files/`), and how to keep them out of artifacts and caches. Cover permissions and cleanup in `after_script`. 3. **Signing job per target** — for my artifact type, give the concrete signing command: `cosign sign --key` for containers (or keyless OIDC as an alternative), `codesign`/`xcrun` for iOS, `dpkg-sig`/`rpm --addsign` for packages, `gpg --detach-sign` for blobs. Pass passphrases via masked variables, never argv. 4. **Keyless alternative** — for containers, contrast Secure-File-stored keys against Sigstore keyless signing with GitLab OIDC ID tokens (`id_tokens:`), and recommend which to adopt for my compliance posture. 5. **Verification gate** — add a downstream job that verifies the signature (`cosign verify`, `gpg --verify`) and fails the pipeline if signing didn't take, so an unsigned artifact can never be promoted. 6. **Custody & rotation** — define who can manage Secure Files, how rotation works without breaking in-flight releases, and how to scope signing jobs to protected tags only. 7. **Audit trail** — capture the signing identity, key id, and digest into job artifacts/`dotenv` for the release record. Output as: (a) the `.gitlab-ci.yml` sign + verify stages, (b) Secure Files setup and cleanup snippets, (c) a keyless-vs-key decision note, (d) a rotation runbook.