{"id":13819757,"url":"https://github.com/sigstore/fulcio","last_synced_at":"2025-05-16T07:32:00.053Z","repository":{"id":37067654,"uuid":"341596960","full_name":"sigstore/fulcio","owner":"sigstore","description":"Sigstore OIDC PKI","archived":false,"fork":false,"pushed_at":"2024-04-12T21:56:23.000Z","size":12141,"stargazers_count":599,"open_issues_count":47,"forks_count":125,"subscribers_count":17,"default_branch":"main","last_synced_at":"2024-04-13T05:49:20.046Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sigstore.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"docs/security-model.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-02-23T15:19:44.000Z","updated_at":"2024-08-23T17:21:43.420Z","dependencies_parsed_at":"2023-02-19T08:46:17.943Z","dependency_job_id":"e87258cb-1830-47ef-b3cc-1e93f44ee65b","html_url":"https://github.com/sigstore/fulcio","commit_stats":null,"previous_names":[],"tags_count":33,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Ffulcio","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Ffulcio/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Ffulcio/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Ffulcio/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sigstore","download_url":"https://codeload.github.com/sigstore/fulcio/tar.gz/refs/heads/
main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225413742,"owners_count":17470617,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T08:00:52.612Z","updated_at":"2025-05-16T07:32:00.047Z","avatar_url":"https://github.com/sigstore.png","language":"Go","readme":"[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sigstore/fulcio/badge)](https://api.securityscorecards.dev/projects/github.com/sigstore/fulcio)\n\n\u003cp align=\"center\"\u003e\n  \u003cimg style=\"max-width: 100%;width: 300px;margin-top: 20px;\" src=\"https://raw.githubusercontent.com/sigstore/community/main/artwork/fulcio/horizontal/color/sigstore_fulcio-horizontal-color.svg\" alt=\"Fulcio logo\"/\u003e\n\u003c/p\u003e\n\n# Fulcio\n\n_A Free-to-Use CA For Code Signing_\n\nFulcio is a free-to-use certificate authority for issuing code signing certificates\nfor an OpenID Connect (OIDC) identity, such as email address.\n\nFulcio only issues short-lived certificates that are valid for 10 minutes.\n\n## Public Instance\n\nFulcio is in General Availability, offering a 99.5 Availability SLO,\nand follows [semver rules](https://semver.org/) for API stability.\n\nFor uptime data on the Fulcio public instance, see [https://status.sigstore.dev](https://status.sigstore.dev).\n\nFulcio's certificate chain can be obtained from the `TrustBundle` API, for example for the public instance\n([https://fulcio.sigstore.dev](https://fulcio.sigstore.dev/api/v2/trustBundle)). 
To verify the public instance,\nyou must verify the chain using Sigstore's [TUF](https://theupdateframework.io/) root from the\n[sigstore/root-signing](https://github.com/sigstore/root-signing) repository).\n\nTo do this, install and use [go-tuf](https://github.com/theupdateframework/go-tuf)'s CLI tools:\n\n```\n$ go install github.com/theupdateframework/go-tuf/cmd/tuf-client@latest\n```\n\nThen, obtain trusted root keys for Sigstore. You will use the 5th iteration of Sigstore's TUF root to start the root of trust, due to\na backwards incompatible change.\n\n```\ncurl -o sigstore-root.json https://raw.githubusercontent.com/sigstore/root-signing/main/ceremony/2022-10-18/repository/5.root.json\n```\n\nInitialize the TUF client with the previously obtained root and the remote repository, https://tuf-repo-cdn.sigstore.dev,\nand get the current Fulcio root certificate `fulcio_v1.crt.pem` and intermediate certificate `fulcio_intermediate_v1.crt.pem`.\n```\n$ tuf-client init https://tuf-repo-cdn.sigstore.dev sigstore-root.json\n\n$ tuf-client get https://tuf-repo-cdn.sigstore.dev fulcio_v1.crt.pem\n-----BEGIN CERTIFICATE-----\nMIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7\nXeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex\nX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j\nYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY\nwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ\nKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM\nWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9\nTNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ\n-----END CERTIFICATE-----\n\n$ tuf-client get https://tuf-repo-cdn.sigstore.dev fulcio_intermediate_v1.crt.pem\n-----BEGIN 
CERTIFICATE-----\nMIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C\nAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7\n7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS\n0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB\nBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp\nKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI\nzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR\nnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP\nmygUY7Ii2zbdCdliiow=\n-----END CERTIFICATE-----\n```\n\n### Certificate Maker\n\nCertificate Maker is a tool for creating [Fulcio compliant certificate chains](docs/certificate-specification.md). It supports:\n\n* Two-level chains:\n  * root → leaf\n  * root → intermediate\n* Three-level chains:\n  * root → intermediate → leaf\n* Multiple KMS providers (AWS, Google Cloud, Azure, HashiCorp Vault)\n\nFor detailed usage instructions and examples, see the [Certificate Maker documentation](docs/certificate-maker.md).\n\n### Verifying releases\n\nYou can also verify signed releases (`fulcio-\u003cos\u003e.sig`) using the artifact signing key:\n\n```\ntuf-client get https://tuf-repo-cdn.sigstore.dev artifact.pub \u003e artifact.pub\n\ncurl -o fulcio-release.sig -L https://github.com/sigstore/fulcio/releases/download/\u003cversion\u003e/fulcio-\u003cos\u003e.sig\nbase64 -d fulcio-release.sig \u003e fulcio-release.sig.decoded\n\ncurl -o fulcio-release -L https://github.com/sigstore/fulcio/releases/download/\u003cversion\u003e/fulcio-\u003cos\u003e\n\nopenssl dgst -sha256 -verify artifact.pub -signature fulcio-release.sig.decoded fulcio-release\n```\n\n\n## API\n\nThe API is defined [here](./fulcio.proto). 
The API can be accessed\nover [HTTP](https://www.sigstore.dev/swagger/?urls.primaryName=Fulcio) or gRPC.\n\n## Certificate Transparency\n\nFulcio will publish issued certificates to a Certificate Transparency log (CT log).\nThe log is hosted at `https://ctfe.sigstore.dev/test`. Each year, the log will be updated\nto a new log ID, for example `https://ctfe.sigstore.dev/2022`.\n\nThe log provides an API documented in [RFC 6962](https://datatracker.ietf.org/doc/rfc6962/).\n\nWe encourage auditors to monitor this log for both integrity and specific identities.\nFor example, auditors can monitor for when a certificate is issued for certain email addresses,\nwhich will detect misconfiguration or potential compromise of the user's identity.\n\n## Security\n\nPlease report any vulnerabilities following Sigstore's [security\nprocess](https://github.com/sigstore/.github/blob/main/SECURITY.md).\n\n## Info\n\nFulcio is developed as part of the [`sigstore`](https://sigstore.dev) project.\n\nWe also use a [Slack channel](https://sigstore.slack.com)!\nFor more information about Slack and other communication channels, see the [community repository](https://github.com/sigstore/community?tab=readme-ov-file#slack).\n\n## Additional Documentation\n\nIn addition to this README file, the docs folder contains additional documentation:\n\n- **certificate-specification.md**. This file includes the requirements for root, intermediate, and issued certificates. The document applies to all instances of Fulcio, including the production instance and all private instances.\n- **ctlog.md**. Certificate transparency log information, including information on signed certificate timestamps and a sharding strategy for the CT log.\n- **how-certificate-issuing-works.md**. This document walks through the process of issuing a code signing certificate.\n- **hsm-support.md**. Using Fulcio with a PKCS#11-capable device such as SoftHSM.\n- **oid-info.md**. Sigstore OID information.
\n- **security-model.md**. Fulcio’s security model and a discussion of short-lived certificates.\n- **setup.md**. Setting up a local Fulcio instance.\n\nIf you are making changes to any of these subjects, make sure you also edit the appropriate file listed above.\n\n","funding_links":[],"categories":["others","Signing Artefacts"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsigstore%2Ffulcio","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsigstore%2Ffulcio","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsigstore%2Ffulcio/lists"}