sigstore/fulcio
A Free-to-Use CA For Code Signing
Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity, such as an email address.
Fulcio only issues short-lived certificates that are valid for 10 minutes.
Fulcio is in General Availability, offering a 99.5 Availability SLO, and follows semver rules for API stability.
For uptime data on the Fulcio public instance, see https://status.sigstore.dev.
Fulcio's certificate chain can be obtained from the TrustBundle API, for example for the public instance (https://fulcio.sigstore.dev). To verify the public instance, you must verify the chain using Sigstore's TUF root from the sigstore/root-signing repository.
To do this, install and use go-tuf's CLI tools:

```
$ go install github.com/theupdateframework/go-tuf/cmd/tuf-client@latest
```
Then, obtain trusted root keys for Sigstore. You will use the 5th iteration of Sigstore's TUF root to start the root of trust, due to a backwards incompatible change.

```
curl -o sigstore-root.json https://raw.githubusercontent.com/sigstore/root-signing/main/ceremony/2022-10-18/repository/5.root.json
```
Initialize the TUF client with the previously obtained root and the remote repository, https://tuf-repo-cdn.sigstore.dev, and get the current Fulcio root certificate fulcio_v1.crt.pem and intermediate certificate fulcio_intermediate_v1.crt.pem.

```
$ tuf-client init https://tuf-repo-cdn.sigstore.dev sigstore-root.json
$ tuf-client get https://tuf-repo-cdn.sigstore.dev fulcio_v1.crt.pem
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
$ tuf-client get https://tuf-repo-cdn.sigstore.dev fulcio_intermediate_v1.crt.pem
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
```
Certificate Maker is a tool for creating Fulcio compliant certificate chains. It supports:
- Two-level chains:
  - root → leaf
  - root → intermediate
- Three-level chains:
  - root → intermediate → leaf
- Multiple KMS providers (AWS, Google Cloud, Azure, HashiCorp Vault)

For detailed usage instructions and examples, see the Certificate Maker documentation.
You can also verify signed releases (fulcio-<os>.sig) using the artifact signing key:

```
tuf-client get https://tuf-repo-cdn.sigstore.dev artifact.pub > artifact.pub
curl -o fulcio-release.sig -L https://github.com/sigstore/fulcio/releases/download/<version>/fulcio-<os>.sig
base64 -d fulcio-release.sig > fulcio-release.sig.decoded
curl -o fulcio-release -L https://github.com/sigstore/fulcio/releases/download/<version>/fulcio-<os>
openssl dgst -sha256 -verify artifact.pub -signature fulcio-release.sig.decoded fulcio-release
```
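The release-verification steps above, as an added example that is not part of the Fulcio repository: it runs the same base64-decode and openssl verify sequence end to end, but against a key pair, artifact and signature that the script constructs itself (in real use artifact.pub comes from the TUF repository and the files from the GitHub release), and it also shows that a tampered artifact fails the check.

```shell
#!/bin/sh
# Added example: offline walk-through of the release signature check.
# Key, artifact and signature below are constructed stand-ins, not the
# real Sigstore artifact signing key or a real Fulcio release.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for artifact.pub, fulcio-<os> and fulcio-<os>.sig.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/artifact.key" 2>/dev/null
openssl ec -in "$WORK/artifact.key" -pubout -out "$WORK/artifact.pub" 2>/dev/null
printf 'constructed fulcio release binary\n' > "$WORK/fulcio-release"
# Release signatures are published base64-encoded, so encode here as well.
openssl dgst -sha256 -sign "$WORK/artifact.key" "$WORK/fulcio-release" \
  | base64 > "$WORK/fulcio-release.sig"

# verify_release PUBKEY SIGFILE ARTIFACT
# Returns 0 when the decoded signature verifies over SHA-256 of ARTIFACT.
verify_release() {
  pub=$1; sig=$2; artifact=$3
  decoded=$(mktemp)
  base64 -d "$sig" > "$decoded"
  if openssl dgst -sha256 -verify "$pub" -signature "$decoded" "$artifact" >/dev/null 2>&1; then
    rm -f "$decoded"; return 0
  fi
  rm -f "$decoded"; return 1
}

verify_release "$WORK/artifact.pub" "$WORK/fulcio-release.sig" "$WORK/fulcio-release" \
  && echo "signature OK" || echo "signature FAILED"
```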
The API is defined here. The API can be accessed over HTTP or gRPC.
Fulcio will publish issued certificates to a Certificate Transparency log (CT log). The log is hosted at https://ctfe.sigstore.dev/test. Each year, the log will be updated to a new log ID, for example https://ctfe.sigstore.dev/2022.
The log provides an API documented in RFC 6962.
We encourage auditors to monitor this log for both integrity and specific identities. For example, auditors can monitor for when a certificate is issued for certain email addresses, which will detect misconfiguration or potential compromise of the user's identity.
Please report any vulnerabilities following sigstore's security process.
Fulcio is developed as part of the sigstore project.
We also use a Slack channel! For more information about Slack and other communication channels, please check the community repository.
In addition to this README file, the docs folder contains additional documentation:
- certificate-specification.md. This file includes the requirements for root, intermediate, and issued certificates. The document applies to all instances of Fulcio, including the production instance and all private instances.
- ctlog.md. Certificate transparency log information, including information on signed certificate timestamps and a sharding strategy for the CT log.
- how-certifcate-issuing-works.md. This document walks through the process of issuing a code signing certificate.
- hsm-support.md. Using Fulcio with a PKCS#11-capable device such as SoftHSM.
- oid-info.md. Sigstore OID information.
- security-model.md. Fulcio's security model and a discussion of short-lived certificates.
- setup.md. Setting up a local Fulcio instance.
If you are making changes to any of these subjects, make sure you also edit the appropriate file listed above.