A Free-to-Use CA For Code Signing
Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity, such as email address.
Fulcio only issues short-lived certificates that are valid for 10 minutes.
Fulcio is in General Availability, offering a 99.5 Availability SLO, and follows semver rules for API stability.
For uptime data on the Fulcio public instance, see https://status.sigstore.dev.
Fulcio's certificate chain can be obtained from the TrustBundle API, for example for the public instance
(https://fulcio.sigstore.dev). To verify the public instance,
you must verify the chain using Sigstore's TUF root from the
sigstore/root-signing repository).
To do this, install and use go-tuf's CLI tools:
$ go install github.com/theupdateframework/go-tuf/cmd/tuf-client@latest
Then, obtain trusted root keys for Sigstore. You will use the 5th iteration of Sigstore's TUF root to start the root of trust, due to a backwards incompatible change.
curl -o sigstore-root.json https://raw.githubusercontent.com/sigstore/root-signing/main/ceremony/2022-10-18/repository/5.root.json
Initialize the TUF client with the previously obtained root and the remote repository, https://tuf-repo-cdn.sigstore.dev,
and get the current Fulcio root certificate fulcio_v1.crt.pem and intermediate certificate fulcio_intermediate_v1.crt.pem.
$ tuf-client init https://tuf-repo-cdn.sigstore.dev sigstore-root.json
$ tuf-client get https://tuf-repo-cdn.sigstore.dev fulcio_v1.crt.pem
-----BEGIN CERTIFICATE-----
MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw
KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
MTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl
LmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7
XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex
X69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j
YzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY
wB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ
KsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM
WP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9
TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ
-----END CERTIFICATE-----
$ tuf-client get https://tuf-repo-cdn.sigstore.dev fulcio_intermediate_v1.crt.pem
-----BEGIN CERTIFICATE-----
MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw
KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
MjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl
LmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C
AQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7
7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS
0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB
BQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp
KFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI
zj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR
nZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP
mygUY7Ii2zbdCdliiow=
-----END CERTIFICATE-----
You can also verify signed releases (fulcio-<os>.sig) using the artifact signing key:
tuf-client get https://tuf-repo-cdn.sigstore.dev artifact.pub > artifact.pub
curl -o fulcio-release.sig -L https://github.com/sigstore/fulcio/releases/download/<version>/fulcio-<os>.sig
base64 -d fulcio-release.sig > fulcio-release.sig.decoded
curl -o fulcio-release -L https://github.com/sigstore/fulcio/releases/download/<version>/fulcio-<os>
openssl dgst -sha256 -verify artifact.pub -signature fulcio-release.sig.decoded fulcio-release
The API is defined here. The API can be accessed over HTTP or gRPC.
Fulcio will publish issued certificates to a Certificate Transparency log (CT log).
The log is hosted at https://ctfe.sigstore.dev/test. Each year, the log will be updated
to a new log ID, for example https://ctfe.sigstore.dev/2022.
The log provides an API documented in RFC 6962.
We encourage auditors to monitor this log for both integrity and specific identities. For example, auditors can monitor for when a certificate is issued for certain email addresses, which will detect misconfiguration or potential compromise of the user's identity.
Please report any v 90DA ulnerabilities following sigstore's security process.
Fulcio is developed as part of the sigstore project.
We also use a slack channel! To check more information about Slack and other communication channels please check the community repository
In addition to this README file, the docs folder contains the additional documentation:
- certificate-specification.md. This file includes the requirements for root, intermediate, and issued certificates. The document applies to all instances of Fulcio, including the production instance and all private instances.
- ctlog.md. Certificate transparency log information, including information on signed certificate timestamps and a sharding strategy for the CT log.
- how-certifcate-issuing-works.md. This document walks through the process of issuing a code signing certificate.
- hsm-support.md. Using Fulcio with a pkcs11 capable device such as SoftHSM.
- oid-info.md. Sigstore OID information.
- security-model.md. Fulcio’s security model and a discussion of short-lived certificates.
- setup.md. Setting up a local Fulcio instance
If you are making changes to any of these subjects, make sure you also edit the appropriate file listed above.