fulcio

GitLab: ci_config_ref_uri can be empty

Open haydentherapper opened this issue 1 month ago • 3 comments

Description

Version

I've noticed errors in our server logs: template: :1:11: executing "" at <.ci_config_ref_uri>: map has no entry for key "ci_config_ref_uri". This is coming from the ciprovider issuer where the mapping between certificate extensions and token claims is specified in a template. ci_config_ref_uri is a token claim for GitLab that's used for the subject alternative name and build signer URI.

From the GitLab docs on ci_config_ref_uri, "If the pipeline definition is not located in the same project, or if the pipeline is a merge request pipeline from a forked project running in the target project, the claim is null".

If this value can be null, we ideally should pick a different value as the SAN. We fail gracefully with an Invalid Argument error, though we could provide a more precise error to users.

haydentherapper Oct 29 '25 22:10

Likely related: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/208180

haydentherapper Oct 30 '25 16:10

Ref: https://gitlab.com/gitlab-org/gitlab/-/issues/579211

haydentherapper Nov 03 '25 19:11

> We fail gracefully with an Invalid Argument error, though we could provide a more precise error to users.

We could also start logging at least these specific failures at a lower level than ERROR.

jku Nov 11 '25 11:11
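The failure discussed in this thread, as an added example that is not Fulcio's code: a Go `text/template` claim mapping run against a token with no `ci_config_ref_uri`, first unchecked (the logged error) and then with a pre-check that names the claim. The template string, the `missingkey=error` option, the `render` function and the `MissingClaimError` type are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
	"text/template/parse"
)

// MissingClaimError (hypothetical type) names the claim a template could not resolve.
type MissingClaimError struct{ Claim string }

func (e *MissingClaimError) Error() string {
	return fmt.Sprintf("token claim %q is absent, null or empty", e.Claim)
}

// render executes a claim-mapping template. With check set, every plain
// {{ .claim }} reference is validated first so the caller gets a typed error.
func render(text string, claims map[string]string, check bool) (string, error) {
	t, err := template.New("").Option("missingkey=error").Parse(text)
	if err != nil {
		return "", err
	}
	for _, n := range t.Tree.Root.Nodes {
		action, ok := n.(*parse.ActionNode)
		if !check || !ok {
			continue // literal text, or pre-check disabled
		}
		for _, cmd := range action.Pipe.Cmds {
			for _, arg := range cmd.Args {
				if f, ok := arg.(*parse.FieldNode); ok && claims[f.Ident[0]] == "" {
					return "", &MissingClaimError{Claim: f.Ident[0]}
				}
			}
		}
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, claims)
	return buf.String(), err
}

func main() {
	// Constructed claims: a GitLab-style token without ci_config_ref_uri.
	claims := map[string]string{"project_path": "group/project"}
	_, raw := render("https://{{ .ci_config_ref_uri }}", claims, false)
	_, precise := render("https://{{ .ci_config_ref_uri }}", claims, true)
	fmt.Println(raw, "\n", precise)
}
```

Without the pre-check, a claim that is present but empty renders a bare `https://` with no error at all, which is why the check treats empty and absent alike.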