• Stars: 629
• Rank: 71,454 (Top 2%)
• Language: Go
• License: Apache License 2.0
• Created: over 3 years ago
• Updated: 3 months ago


Repository Details

Sigstore OIDC PKI


Fulcio

A Free-to-Use CA For Code Signing

Fulcio is a free-to-use certificate authority that issues code signing certificates bound to an OpenID Connect (OIDC) identity, such as an email address.

Fulcio only issues short-lived certificates that are valid for 10 minutes.

Public Instance

Fulcio is in General Availability, offers a 99.5% availability SLO, and follows semver rules for API stability.

For uptime data on the Fulcio public instance, see https://status.sigstore.dev.

Fulcio's certificate chain can be obtained from the TrustBundle API, for example from the public instance at https://fulcio.sigstore.dev. A chain fetched that way is not yet trustworthy on its own: to verify certificates from the public instance, validate the chain against Sigstore's TUF root, which is published in the sigstore/root-signing repository.

To do this, install and use go-tuf's CLI tools:

$ go install github.com/theupdateframework/go-tuf/cmd/tuf-client@latest

Then, obtain the trusted root keys for Sigstore. Start the root of trust from the 5th iteration of Sigstore's TUF root (5.root.json), because a backwards-incompatible change means earlier roots cannot be used as a starting point.

$ curl -o sigstore-root.json https://raw.githubusercontent.com/sigstore/root-signing/main/ceremony/2022-10-18/repository/5.root.json

Initialize the TUF client with the root obtained above and the remote repository https://tuf-repo-cdn.sigstore.dev, then fetch the current Fulcio root certificate (fulcio_v1.crt.pem) and intermediate certificate (fulcio_intermediate_v1.crt.pem). Both are verified against the TUF metadata as they are downloaded:

$ tuf-client init https://tuf-repo-cdn.sigstore.dev sigstore-root.json

$ tuf-client get https://tuf-repo-cdn.sigstore.dev fulcio_v1.crt.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

$ tuf-client get https://tuf-repo-cdn.sigstore.dev fulcio_intermediate_v1.crt.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Verifying releases

You can also verify signed release binaries (fulcio-<os>) against their detached signatures (fulcio-<os>.sig) using the artifact signing key, which is fetched from the same TUF repository. The signature file is base64-encoded, so decode it before handing it to openssl:

$ tuf-client get https://tuf-repo-cdn.sigstore.dev artifact.pub > artifact.pub

$ curl -o fulcio-release.sig -L https://github.com/sigstore/fulcio/releases/download/<version>/fulcio-<os>.sig
$ base64 -d fulcio-release.sig > fulcio-release.sig.decoded

$ curl -o fulcio-release -L https://github.com/sigstore/fulcio/releases/download/<version>/fulcio-<os>

$ openssl dgst -sha256 -verify artifact.pub -signature fulcio-release.sig.decoded fulcio-release

API

The API is defined in the repository's protobuf definition (fulcio.proto) and can be accessed over HTTP or gRPC.

Certificate Transparency

Fulcio publishes every certificate it issues to a Certificate Transparency log (CT log). The log is hosted at https://ctfe.sigstore.dev/test. Each year the log is sharded into a new log with its own log ID, for example https://ctfe.sigstore.dev/2022.

The log provides an API documented in RFC 6962.

We encourage auditors to monitor this log both for integrity (that the log remains append-only and consistent) and for specific identities. For example, an auditor can watch for certificates issued to particular email addresses; an unexpected issuance points to a misconfiguration or a potential compromise of that user's identity.
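The check that the TUF steps above lead up to (chaining a Fulcio-issued certificate to the fetched root and intermediate) and the identity monitoring suggested for the CT log, as one added Go example. This is not Fulcio's own code: it constructs its own root, intermediate and 10-minute leaf in place of the real fulcio_v1.crt.pem, fulcio_intermediate_v1.crt.pem and a certificate pulled from the log, and the identity alice@example.com, the function names and the one-minute and eleven-minute signing times are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with signer under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func toPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// buildToyChain is a constructed stand-in for the Fulcio hierarchy (example only): root and
// intermediate PEMs as tuf-client get would return them, plus one leaf with Fulcio's
// 10-minute lifetime, the code-signing EKU and the OIDC identity in the email SAN.
func buildToyChain(email string, issued time.Time) (rootPEM, interPEM, leafDER []byte) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string, years int) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: issued.Add(-time.Hour), NotAfter: issued.AddDate(years, 0, 0),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca(1, "toy fulcio root", 10)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(ca(2, "toy fulcio intermediate", 5), root, &interKey.PublicKey, rootKey)
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), NotBefore: issued, NotAfter: issued.Add(10 * time.Minute),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		EmailAddresses: []string{email},
	}, inter, &leafKey.PublicKey, interKey)
	return toPEM(root), toPEM(inter), leaf.Raw
}

// verifyLeaf chains a Fulcio-style leaf to the TUF-obtained root via the intermediate,
// requires the code-signing EKU, and evaluates validity at the time the signature was
// made (from the Rekor entry or a timestamp): the leaf lives 10 minutes, so time.Now()
// would reject any older signature.
func verifyLeaf(leafDER, rootPEM, interPEM []byte, signingTime time.Time) (*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) || !inters.AppendCertsFromPEM(interPEM) {
		return nil, fmt.Errorf("could not parse root or intermediate PEM")
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	if _, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: signingTime,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}); err != nil {
		return nil, err
	}
	return leaf, nil
}

// matchIdentities is the CT-monitor side: the watched email identities that appear in
// certificates pulled from the log. An unexpected hit means someone obtained a certificate
// for that identity and its OIDC account or token should be treated as compromised.
func matchIdentities(certs []*x509.Certificate, watch map[string]bool) []string {
	var hits []string
	for _, c := range certs {
		for _, e := range c.EmailAddresses {
			if watch[e] {
				hits = append(hits, e)
			}
		}
	}
	return hits
}

func main() {
	issued := time.Now()
	rootPEM, interPEM, leafDER := buildToyChain("alice@example.com", issued) // constructed identity
	leaf, err := verifyLeaf(leafDER, rootPEM, interPEM, issued.Add(time.Minute))
	fmt.Println("at signing time:", err)
	_, err = verifyLeaf(leafDER, rootPEM, interPEM, issued.Add(11*time.Minute))
	fmt.Println("11 minutes later:", err)
	fmt.Println("watch hits:", matchIdentities([]*x509.Certificate{leaf}, map[string]bool{"alice@example.com": true}))
}
```

Against the real public instance, replace the constructed PEMs with the fulcio_v1.crt.pem and fulcio_intermediate_v1.crt.pem fetched through tuf-client, and take the leaf and signing time from the signature bundle or Rekor entry being verified; the verification with the eleven-minute offset is what happens when a verifier mistakenly checks a Fulcio certificate against the current time.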

Security

Please report any vulnerabilities following sigstore's security process.

Info

Fulcio is developed as part of the sigstore project.

We also use a Slack channel; the invite link is published with the project.

More Repositories

1. cosign (Go, 4,300 stars): Code signing and transparency for containers and binaries
2. gitsign (Go, 938 stars): Keyless Git signing using Sigstore
3. rekor (Go, 864 stars): Software Supply Chain Transparency Log
4. sigstore (Go, 441 stars): Common go library shared across sigstore services and clients
5. sigstore-python (Python, 227 stars): A Sigstore client written in Python
6. sigstore-rs (Rust, 162 stars): An experimental Rust crate for sigstore
7. sigstore-js (TypeScript, 156 stars): Code-signing for npm packages
8. policy-controller (Go, 123 stars): Sigstore Policy Controller, an admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign
9. cosign-installer (114 stars): Cosign Github Action
10. model-transparency (Python, 105 stars): Supply chain security for ML
11. root-signing (Go, 81 stars): TUF repository for Sigstore trust root
12. k8s-manifest-sigstore (Go, 78 stars): kubectl plugin for signing Kubernetes manifest YAML files with sigstore
13. cosign-gatekeeper-provider (Go, 76 stars): 🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures
14. docs (HTML, 73 stars): Sigstore documentation
15. helm-charts (Smarty, 62 stars): Helm charts for sigstore project
16. helm-sigstore (Go, 59 stars): Plugin for Helm to integrate the sigstore ecosystem
17. timestamp-authority (Go, 58 stars): RFC3161 Timestamp Authority
18. scaffolding (HCL, 57 stars): Stuff to make standing up sigstore (esp. for testing) easier for e2e/integration testing.
19. gh-action-sigstore-python (Python, 46 stars): A GitHub Action for sigstore-python
20. sigstore-go (Go, 39 stars): Go library for Sigstore signing and verification
21. community (38 stars): General sigstore community repo
22. sigstore-java (Java, 37 stars): java clients for sigstore
23. friends (29 stars): Sigstore user stories
24. sigstore-website (Vue, 27 stars): Codebase for sigstore.dev
25. rekor-search-ui (TypeScript, 26 stars): Search Rekor for entries
26. rekor-monitor (Go, 24 stars): Log monitor for Rekor to verify immutability and monitor entries
27. protobuf-specs (Rust, 22 stars): Protocol Buffer specifications
28. sget (Go, 21 stars)
29. rekor-operator (Go, 20 stars): K8S Operator for Rekor
30. sigstore-maven-plugin (Java, 18 stars): sigstore maven plugin
31. sget-rs (Rust, 18 stars): sget is a keyless safe script retrieval and execution tool
32. sigstore-go-archived (Go, 16 stars): Go library for Sigstore signing and verification
33. rekor-server (Go, 11 stars): Cryptographic, immutable, append only software release ledger.
34. rekorctl (Go, 9 stars): Rekor swiss army knife
35. ruby-sigstore (Ruby, 9 stars): Rubygems sigstore signing plugin
36. sigstore-git-verifier (Shell, 8 stars): A Github Action to verify that new commits are present in the sigstore transparency log.
37. sigstore-maven (Java, 8 stars): sigstore maven plugin
38. TSC (7 stars): sigstore Technical Steering Committee
39. sigstore-conformance (Python, 7 stars): Conformance testing for Sigstore clients
40. sigstore.github.io (Sass, 7 stars): Rekor website
41. homebrew-tap (Ruby, 6 stars): Sigstore Homebrew Tap
42. examples (Python, 6 stars): Repository to store various monitors for upstream release sites
43. sigstore-blog (CSS, 6 stars): Codebase for sigstore.dev
44. sigstore-project-template (5 stars): cookiecutter template for sigstore projects
45. github-sync (Go, 5 stars): Pulumi GitHub Sync for sigstore
46. sig-clients (5 stars): Home of the clients SIG
47. sigstore-helm-operator (Smarty, 4 stars): Helm based operator for the sigstore project
48. sigstore-probers (Go, 4 stars): Probers for sigstore infrastructure
49. .github (4 stars): Default community health files for the Sigstore organization.
50. sigstore-devops-tools (Go, 4 stars): Tools & services used to help in the development flow of sigstore
51. sigstore-ruby (Ruby, 4 stars): Pure-ruby implementation of sigstore verification
52. root-signing-staging (3 stars): Staging TUF repository for Sigstore trust root
53. root-signing-practice (Go, 3 stars): Root TUF Key Signing
54. rekor-ansible (2 stars): Ansible role to deploy the Rekor signature transparency log
55. sigstore-installer (1 star)
56. fish-food (Lua, 1 star)
57. sig-public-good-operations (1 star): Home of the public good operations SIG