Fulcio

Sigstore OIDC PKI

Multi-Cloud Open Source Self Hosted + Cloud Options
Category Supply Chain Security
Community Stars 669
Last Commit last week
Last page update 19 days ago
Pricing Details Free and open source under Apache License 2.0.
Target Audience Developers and organizations looking for secure code signing solutions.

Fulcio is Sigstore's certificate authority. It issues short-lived code signing certificates (ten minutes by default) bound to an OpenID Connect (OIDC) identity rather than to a long-lived signing key: the requester authenticates to an identity provider, presents the resulting token together with a public key, and receives a certificate that names that identity. Trust in a signature therefore rests on the identity provider and on the transparency logs, not on a private key that has to be stored and protected indefinitely.

Technically, Fulcio authenticates each request with an OIDC token. The token is a JSON Web Token (JWT) that Fulcio validates against the configured issuer's published keys; it must carry the standard aud, iss, exp and iat claims (on the public instance aud must be "sigstore"), and for the email flow it must also carry email and email_verified, with issuance refused unless the provider asserts that the address is verified.
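As an added example (not Fulcio's own code), the following Go program builds a constructed JWT and applies the claim checks described above. The issuer URL, email address and audience value are assumptions for the demo, and the token's signature segment is a placeholder: verifying the JWT signature against the issuer's published keys is assumed to have already happened before the claim checks run.

```go
package main

// Added example, not Fulcio's own code: the claim checks an email-flow
// request has to pass. The token below is constructed and its signature
// segment is a placeholder; verifying the JWT signature against the
// issuer's published keys is assumed to happen before checkToken runs.

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const expectedAudience = "sigstore" // audience the public Fulcio requires

// Claims the email flow depends on. encoding/json matches keys
// case-insensitively, so only email_verified needs a tag; aud is decoded
// generically because a JWT may carry it as a string or an array.
type Claims struct {
	Iss, Email    string
	Aud           any
	Exp, Iat      int64
	EmailVerified bool `json:"email_verified"`
}

// buildToken assembles a demo JWT: header.payload.placeholder-signature.
func buildToken(claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(hdr) + "." + enc(body) + "." + enc([]byte("placeholder-signature"))
}

// audienceMatches accepts either the string or the array form of aud.
func audienceMatches(aud any, want string) bool {
	list, ok := aud.([]any)
	if !ok {
		list = []any{aud}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// checkToken decodes the payload segment and enforces the claim rules:
// iss present, aud equal to the expected audience, the token inside its
// exp/iat window, and an email address the provider marks as verified.
func checkToken(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-segment JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	switch {
	case c.Iss == "":
		return nil, errors.New("iss is required")
	case !audienceMatches(c.Aud, expectedAudience):
		return nil, fmt.Errorf("aud must contain %q", expectedAudience)
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("exp missing or token expired")
	case c.Iat == 0 || time.Unix(c.Iat, 0).After(now):
		return nil, errors.New("iat missing or in the future")
	case c.Email == "" || !c.EmailVerified:
		return nil, errors.New("email and email_verified=true are required")
	}
	return &c, nil
}

func main() {
	now := time.Now()
	tok := buildToken(map[string]any{"iss": "https://accounts.example.com",
		"aud": "sigstore", "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
		"email": "dev@example.com", "email_verified": true})
	c, err := checkToken(tok, now)
	fmt.Printf("claims=%+v err=%v\n", c, err)
}
```

The switch order matters in practice: a token is rejected on the first failing rule, so an expired token with an unverified email reports the expiry, and the unverified-email failure only surfaces once the token is otherwise well-formed. A token whose aud is an array is accepted when the expected audience is one of its entries, which is the behaviour OIDC libraries implement and a hand-written string comparison gets wrong.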

On the public instance, human sign-ins (for example Google, GitHub or Microsoft accounts) are federated through a Dex deployment that presents the various providers as a single OIDC issuer; CI and workload issuers such as GitHub Actions are configured as direct issuers without Dex. In both cases the identity claim is copied into the subject alternative name (SAN) of the certificate (an email address for users, a URI for workloads), and the issuer URL is recorded in a Fulcio-specific certificate extension, so the certificate itself states who was authenticated and by whom.
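The following Go program, added here and not taken from Fulcio, shows the identity being placed in the SAN and issuer extension and then checked on the consumer side. The root key, email address and issuer URL are constructed for the demo; the extension OID is the one Fulcio documents for the OIDC issuer:

```go
package main

// Added example, not Fulcio's own code: how a checked identity ends up in
// the certificate and how a consumer checks it back out. The root key and
// every identity string are constructed for the demo; the issuer OID is
// the one Fulcio documents for its OIDC issuer extension.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const certLifetime = 10 * time.Minute // Fulcio's certificate validity

var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// newCA makes a throwaway self-signed root standing in for Fulcio's CA key.
func newCA(now time.Time) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-fulcio-root"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// issueCert binds an already-verified email and issuer to the requester's
// public key: the email becomes the SAN, the issuer URL goes into the Fulcio
// extension, and there is no Subject, so Go marks the SAN critical as RFC
// 5280 requires.
func issueCert(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, pub *ecdsa.PublicKey,
	email, issuer string, now time.Time) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, NotBefore: now, NotAfter: now.Add(certLifetime),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		EmailAddresses:  []string{email},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyLeaf is the consumer side: chain to the trusted root at the given
// time, then require both the SAN and the issuer extension to match, since
// the same email address can be asserted by more than one identity provider.
func verifyLeaf(leaf, root *x509.Certificate, email, issuer string, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err != nil {
		return err
	}
	if len(leaf.EmailAddresses) != 1 || leaf.EmailAddresses[0] != email {
		return fmt.Errorf("SAN %v does not name %s", leaf.EmailAddresses, email)
	}
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidIssuer) && string(ext.Value) == issuer {
			return nil
		}
	}
	return errors.New("issuer extension missing or does not match")
}

func main() {
	now := time.Now()
	caKey, caCert, err := newCA(now)
	if err != nil {
		panic(err)
	}
	reqKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf, err := issueCert(caKey, caCert, &reqKey.PublicKey, "dev@example.com", "https://accounts.example.com", now)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid until", leaf.NotAfter.UTC(), "now:", verifyLeaf(leaf, caCert, "dev@example.com", "https://accounts.example.com", now))
	fmt.Println("in 11 minutes:", verifyLeaf(leaf, caCert, "dev@example.com", "https://accounts.example.com", now.Add(11*time.Minute)))
}
```

The verifier passes the signing time as CurrentTime rather than using the wall clock: a ten-minute certificate is expired long before anyone verifies the artefact, so the check is "was this certificate valid when the signature was made", with the time taken from a trusted source such as the transparency log entry rather than from the signer. Checking the issuer extension alongside the SAN closes the gap where two providers both vouch for the same email string.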

Operationally, Fulcio can be run via docker-compose or by launching the Fulcio binary directly. It supports several signing backends, including an on-disk file-based CA, KMS-backed CAs and an ephemeral in-memory CA, each with its own configuration and security trade-offs. The file-based backend loads a password-protected private key and certificate chain from disk and reloads them on change without a restart, which keeps the CA key on the host running Fulcio; KMS backends keep the key inside the provider's key service; and the ephemeral CA generates a fresh key at startup and is meant for local testing only, since its root disappears with the process.

Two operational points matter to anyone verifying Fulcio-issued signatures. Verifiers should obtain Fulcio's root and intermediate certificates through Sigstore's TUF repository rather than pinning a copy by hand, so that key rotations are picked up under the TUF root's own integrity checks. Every issued certificate is also published to a Certificate Transparency (CT) log, hosted for the public instance at https://ctfe.sigstore.dev; the log provides an append-only audit trail, and monitoring it for certificates issued to your own identities is how a misconfigured issuer or a compromised account shows up.

Fulcio exposes its API over both HTTP and gRPC. The CT log's Signed Certificate Timestamp (SCT) is embedded in the issued certificate as an X.509 extension (the API can also return it detached), so a verifier can check the log's promise of inclusion without querying the log at verification time. The public instance is operated to a 99.5% availability SLO, with uptime data published.
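An added Go example, not Sigstore's code, of the format a verifier has to read to reach the embedded SCT. The log ID, timestamp and signature bytes are constructed placeholders, so the example parses the SCT but does not verify its signature against a log key; the OID and byte layout are those of RFC 6962:

```go
package main

// Added example, not Fulcio's or Sigstore's code: locating and decoding an
// embedded SCT. OID and wire format follow RFC 6962; log ID, timestamp and
// signature bytes are constructed, so the SCT is parsed, not verified.

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// OID of the SCT list extension (RFC 6962 section 3.3).
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// SCT is one SignedCertificateTimestamp: fixed header, extensions, then
// the TLS digitally-signed struct (two algorithm bytes and a signature).
type SCT struct {
	Version         byte
	LogID           [32]byte
	Timestamp       time.Time
	Extensions      []byte
	HashAlg, SigAlg byte
	Signature       []byte
}

// encodeSCT serialises one SCT in the order the RFC lays out.
func encodeSCT(s SCT) []byte {
	b := append([]byte{s.Version}, s.LogID[:]...)
	b = binary.BigEndian.AppendUint64(b, uint64(s.Timestamp.UnixMilli()))
	b = binary.BigEndian.AppendUint16(b, uint16(len(s.Extensions)))
	b = append(b, s.Extensions...)
	b = append(b, s.HashAlg, s.SigAlg)
	b = binary.BigEndian.AppendUint16(b, uint16(len(s.Signature)))
	return append(b, s.Signature...)
}

// sctExtension wraps a 2-byte-length list of 2-byte-length SCTs in the
// DER OCTET STRING the certificate extension carries.
func sctExtension(scts []SCT) (pkix.Extension, error) {
	var list []byte
	for _, s := range scts {
		one := encodeSCT(s)
		list = append(binary.BigEndian.AppendUint16(list, uint16(len(one))), one...)
	}
	der, err := asn1.Marshal(append(binary.BigEndian.AppendUint16(nil, uint16(len(list))), list...))
	return pkix.Extension{Id: oidSCTList, Value: der}, err
}

// parseSCTExtension reads the extension back, checking every length so a
// truncated or padded encoding is rejected rather than misread.
func parseSCTExtension(ext pkix.Extension) ([]SCT, error) {
	if !ext.Id.Equal(oidSCTList) {
		return nil, errors.New("not the SCT list extension")
	}
	var tls []byte
	if rest, err := asn1.Unmarshal(ext.Value, &tls); err != nil || len(rest) != 0 {
		return nil, errors.New("extension value is not a single OCTET STRING")
	}
	if len(tls) < 3 || int(binary.BigEndian.Uint16(tls)) != len(tls)-2 {
		return nil, errors.New("list length does not match its contents")
	}
	var out []SCT
	for buf := tls[2:]; len(buf) > 0; {
		if len(buf) < 2 || len(buf) < 2+int(binary.BigEndian.Uint16(buf)) {
			return nil, errors.New("truncated SCT")
		}
		n := 2 + int(binary.BigEndian.Uint16(buf))
		s, err := parseSCT(buf[2:n])
		if err != nil {
			return nil, err
		}
		out, buf = append(out, s), buf[n:]
	}
	return out, nil
}

// parseSCT is the inverse of encodeSCT with a bounds check at each step.
func parseSCT(b []byte) (SCT, error) {
	var s SCT
	if len(b) < 43 {
		return s, errors.New("SCT shorter than its fixed header")
	}
	s.Version, s.Timestamp = b[0], time.UnixMilli(int64(binary.BigEndian.Uint64(b[33:41]))).UTC()
	copy(s.LogID[:], b[1:33])
	extLen := int(binary.BigEndian.Uint16(b[41:43]))
	if b = b[43:]; len(b) < extLen+4 {
		return s, errors.New("truncated extensions or signature header")
	}
	s.Extensions, s.HashAlg, s.SigAlg = b[:extLen], b[extLen], b[extLen+1]
	if s.Signature = b[extLen+4:]; len(s.Signature) != int(binary.BigEndian.Uint16(b[extLen+2:])) {
		return s, errors.New("signature length does not match")
	}
	return s, nil
}

func main() {
	var logID [32]byte
	copy(logID[:], "constructed-log-id-for-demo-only")
	ext, _ := sctExtension([]SCT{{LogID: logID, Timestamp: time.UnixMilli(1700000000000).UTC(), HashAlg: 4, SigAlg: 3, Signature: []byte("constructed-not-a-real-signature")}})
	parsed, err := parseSCTExtension(ext)
	fmt.Println(len(parsed), "SCT(s) parsed, err:", err)
}
```

In a real certificate the extension is found by scanning cert.Extensions for oidSCTList; the parsed log ID is then matched against the log keys distributed through Sigstore's TUF repository, and the signature is checked over the precertificate, which is the step this example leaves out. The strict length checks are deliberate: a parser that trusts the inner length fields will happily read past a truncated SCT or silently ignore trailing bytes.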

In summary, Fulcio's architecture and operational setup aim to make code signing certificates short-lived, identity-bound and publicly auditable: OIDC identities decide who receives a certificate, and Certificate Transparency logs record every certificate that was issued.
