Sigstore: Cosign, Fulcio & Rekor

Keyless signing and the transparency log.

Advanced14 min · lesson 10 of 18

Sigstore is the open-source project that made signing artifacts practical by removing the hardest part: managing keys. It has three pieces. Cosign is the tool that signs and verifies (containers, blobs, attestations). Fulcio is a certificate authority that issues short-lived signing certificates tied to an OIDC identity. Rekor is a public, append-only transparency log that records every signature. Together they enable keyless signing — you sign as "this identity," with no long-lived private key to protect or leak.

How keyless signing works
1authenticate
OIDC identity (CI / person)
2Fulcio
issues a short-lived cert for that identity
3sign
Cosign signs with the ephemeral key
4Rekor
logs the signature — publicly, immutably
The signing key lives for minutes and is discarded. Trust is anchored in the identity + the transparency log, not a stored key.

Why keyless changes the game

Traditional signing keys are a liability, especially in CI: a stored private key is one more secret that can leak, and if it does, an attacker can sign anything as you until you notice and rotate. Keyless signing removes the standing key entirely — Fulcio issues a certificate bound to your verified OIDC identity, valid for minutes, used once, then gone. The signature’s trust comes from "this was signed by the identity gitlab-ci@acme building project X," verifiable forever via the Rekor log, with nothing durable for an attacker to steal.

terminal
$ cosign sign --yes "$IMAGE@$DIGEST" # OIDC → Fulcio cert → sign → Rekor entry
# verify, asserting the identity (not merely "is it signed"):
$ cosign verify \
--certificate-identity-regexp "https://gitlab.acme.internal/acme/.*" \
--certificate-oidc-issuer https://gitlab.acme.internal \
"$IMAGE@$DIGEST"

Rekor: the transparency log

Rekor is what makes the ephemeral-key model auditable. Every signature is recorded in a public, tamper-evident, append-only log, so you can prove a signature existed at a point in time and detect if signing was misused — much like certificate transparency for the web. It means "was anything ever signed as our identity that we did not expect?" is an answerable question, and it removes the need to trust that a signature was not backdated or forged after the fact.

Signing is nothing without verification
This is the recurring truth of the whole course: Cosign signing establishes a verifiable claim, but only the verify step — asserting the exact identity and issuer you expect, ideally enforced automatically at admission — turns it into protection. And always sign the immutable digest, never a tag; a signature on a mutable tag proves nothing about the bytes that actually run.