docs: add ADR for sigstore handler

[morri-son]

What this PR does / why we need it

Create an ADR for the sigstore signing handler implementation. This ADR has been created from the comparison doc created in the spike in open-component-model/ocm-project#995

[netlify]

✅ Deploy Preview for ocm-website canceled.

Name	Link
🔨 Latest commit	72b983b
🔍 Latest deploy log	https://app.netlify.com/projects/ocm-website/deploys/69e0b7b6a0c3770008334e40

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: adfdcc02-9816-450b-b715-8bb9b2370510

📥 Commits

Reviewing files that changed from the base of the PR and between ed276c5 and 72b983b.

📒 Files selected for processing (2)

• .github/config/wordlist.txt
• docs/adr/0016_sigstore_integration.md

✅ Files skipped from review due to trivial changes (2)

• .github/config/wordlist.txt
• docs/adr/0016_sigstore_integration.md

---

📝 Walkthrough

Walkthrough

Added an ADR documenting Sigstore/Cosign keyless signing integration for the OCM CLI (choosing delegation to the external cosign binary), and appended the term ux to the repository wordlist.

Changes

Cohort / File(s)	Summary
Documentation docs/adr/0016_sigstore_integration.md	New ADR: evaluates in-process sigstore-go vs. delegating to external cosign binary; selects delegation. Specifies an Executor abstraction, on-demand download and cache location (~/.cache/ocm/cosign/...), Renovate-managed pinned versions, and use via existing ocm sign/ocm verify commands.
Configuration .github/config/wordlist.txt	Appended ux to wordlist; file now ends immediately after that entry (no trailing newline).

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant OCM as OCM CLI
    participant Exec as Executor/Downloader
    participant Cache as Cache (~/.cache/ocm/cosign)
    participant Cosign as cosign (binary)
    participant Sigstore as Sigstore Services (Fulcio/Rekor)

    User->>OCM: ocm sign / ocm verify (sigstore algorithm)
    OCM->>Exec: request cosign execution
    Exec->>Cache: check for pinned cosign version
    alt cached
        Cache-->>Exec: return binary path
    else not cached
        Exec->>Cosign: download pinned cosign -> Cache
        Cache-->>Exec: store binary path
    end
    Exec->>Cosign: invoke cosign with args
    Cosign->>Sigstore: perform keyless signing/verification (Fulcio/Rekor)
    Sigstore-->>Cosign: return proof/result
    Cosign-->>Exec: return exit code & output
    Exec-->>OCM: relay result
    OCM-->>User: display success/failure

Loading

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

size/m

Suggested reviewers

• frewilhelm
• zkdev
• matthiasbruns

Poem

🐰 I hopped through docs and added a line,
A tiny "ux" in a file so fine.
Cosign waltzes in, keys in the sky,
I cheered with a twitch and a joyful cry! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly summarizes the main change: adding an ADR document for sigstore handler, which matches the primary file addition in the changeset.
Description check	✅ Passed	The description is directly related to the changeset, explaining that an ADR for sigstore signing handler implementation is being created based on a prior comparison document.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

.github/config/wordlist.txt (1)

796-796: Consider adding a trailing newline at EOF.

The file ends without a trailing newline character. Many coding standards and POSIX conventions recommend that text files end with a newline character. This can prevent issues with certain tools and version control systems.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/config/wordlist.txt at line 796, The file ends with the token "ux"
and lacks a trailing newline; add a single newline character at the end of the
file so the last line ("ux") is terminated by a newline (ensuring
POSIX-compliant EOF newline and avoiding tooling/version-control issues).

docs/adr/0016_sigstore_integration.md (3)

38-38: Consider clarifying what SHA256 verification applies to.

The phrase "SHA256 verification" would be clearer if it explicitly states that it's verifying the integrity of the downloaded cosign binary. This helps readers understand the security mechanism.

📝 Suggested clarification

-The main trade-off (dependency on an external binary) is fully mitigated by the transparent auto-download and caching mechanism with SHA256 verification.
+The main trade-off (dependency on an external binary) is fully mitigated by the transparent auto-download and caching mechanism with SHA256 verification of the downloaded binary.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/adr/0016_sigstore_integration.md` at line 38, Clarify that "SHA256
verification" refers specifically to verifying the integrity of the downloaded
cosign binary: update the sentence that currently reads "SHA256 verification" to
explicitly state something like "SHA256 verification of the downloaded cosign
binary (the auto-downloaded release artifact)" so readers know which artifact is
being checksummed and verified.

---

77-77: Consider clarifying "built-in OCM plugin" terminology.

The phrase "built-in OCM plugin" might be slightly confusing to readers—is it a built-in handler or a dynamically loaded plugin? Since the code shows handlers are retrieved via pluginManager.SigningRegistry.GetPlugin(), consider clarifying whether this will be:

• A built-in handler registered at startup, or
• A plugin that ships with the OCM binary, or
• Something else

This clarification would help readers better understand the deployment model.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/adr/0016_sigstore_integration.md` at line 77, Clarify the "built-in OCM
plugin" wording in the ADR by stating exactly how the Sigstore handler is
provided: specify whether the handler is registered at startup as a built-in
handler, shipped as a plugin bundled with the OCM binary, or dynamically
loadable via pluginManager.SigningRegistry.GetPlugin(); update the sentence
about implementation to explicitly say e.g. "implemented as a built-in handler
registered at startup (not dynamically loaded), retrieved via
pluginManager.SigningRegistry.GetPlugin()" or the alternative deployment model
chosen so readers understand the registration and loading semantics.

---

75-78: Consider expanding security considerations for binary download and execution.

This ADR documents a security-critical feature (signing/verification) that will download and execute an external binary. While SHA256 verification is mentioned on Line 38, the ADR would benefit from a dedicated section on security considerations covering:

• Binary integrity verification (checksums/signatures)
• Source verification (download URL validation)
• Secure storage and permission handling of the cached binary
• Mitigation of supply chain risks
• Handling of compromised or unavailable binaries

This would strengthen the ADR and provide clear security guidance for implementation.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/adr/0016_sigstore_integration.md` around lines 75 - 78, Add a dedicated
"Security Considerations" subsection to the ADR addressing binary download and
execution for the cosign integration: cover explicit binary integrity
verification (e.g., SHA256 and signed checksums referenced at Line 38), strict
source validation of the cosign download URL, secure storage and file
permissions for the cached binary under ~/.cache/ocm/cosign, supply-chain
mitigation strategies (pinning versions managed by Renovate, fallback/rollback
plans, and vendor attestations), and operational guidance for handling
compromised or unavailable binaries; reference the user-facing commands ('ocm
sign' and 'ocm verify') and the cosign binary name so implementers know where to
apply these controls.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/config/wordlist.txt:
- Line 796: The word "ux" is out of alphabetical order at the end of the
wordlist; remove the trailing "ux" entry and insert "ux" immediately after the
existing "utils" entry (i.e., place it between "utils" and "uwe") so the list
remains alphabetically sorted.

---

Nitpick comments:
In @.github/config/wordlist.txt:
- Line 796: The file ends with the token "ux" and lacks a trailing newline; add
a single newline character at the end of the file so the last line ("ux") is
terminated by a newline (ensuring POSIX-compliant EOF newline and avoiding
tooling/version-control issues).

In `@docs/adr/0016_sigstore_integration.md`:
- Line 38: Clarify that "SHA256 verification" refers specifically to verifying
the integrity of the downloaded cosign binary: update the sentence that
currently reads "SHA256 verification" to explicitly state something like "SHA256
verification of the downloaded cosign binary (the auto-downloaded release
artifact)" so readers know which artifact is being checksummed and verified.
- Line 77: Clarify the "built-in OCM plugin" wording in the ADR by stating
exactly how the Sigstore handler is provided: specify whether the handler is
registered at startup as a built-in handler, shipped as a plugin bundled with
the OCM binary, or dynamically loadable via
pluginManager.SigningRegistry.GetPlugin(); update the sentence about
implementation to explicitly say e.g. "implemented as a built-in handler
registered at startup (not dynamically loaded), retrieved via
pluginManager.SigningRegistry.GetPlugin()" or the alternative deployment model
chosen so readers understand the registration and loading semantics.
- Around line 75-78: Add a dedicated "Security Considerations" subsection to the
ADR addressing binary download and execution for the cosign integration: cover
explicit binary integrity verification (e.g., SHA256 and signed checksums
referenced at Line 38), strict source validation of the cosign download URL,
secure storage and file permissions for the cached binary under
~/.cache/ocm/cosign, supply-chain mitigation strategies (pinning versions
managed by Renovate, fallback/rollback plans, and vendor attestations), and
operational guidance for handling compromised or unavailable binaries; reference
the user-facing commands ('ocm sign' and 'ocm verify') and the cosign binary
name so implementers know where to apply these controls.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cff585cc-3716-43f0-95a4-8c86f03bf1fa

📥 Commits

Reviewing files that changed from the base of the PR and between 860b976 and ed276c5.

📒 Files selected for processing (2)

• .github/config/wordlist.txt
• docs/adr/0016_sigstore_integration.md