Fulcio & keyless signing
Short-lived certs bound to OIDC identity.
Sigstore’s big idea is keyless signing — removing the long-lived private key that teams struggle to protect. Fulcio is the piece that makes it possible: a certificate authority that vouches for who is signing, based on an identity you already have.
Short-lived certs bound to OIDC identity
Instead of holding a persistent signing key, the signer generates an ephemeral key pair, proves its identity to Fulcio with an OIDC token (a CI workflow identity, a corporate SSO login), and receives a short-lived certificate — valid for minutes — that binds that identity to the ephemeral public key. It signs, the certificate and signature are recorded, and the private key is discarded. There is no long-lived secret to store, rotate, or leak: the "key" exists only for the moment of signing, and trust flows from the verified identity rather than from key custody.
# signer (CI job) Fulcio (CA) Rekor (log)# │ OIDC token (identity) ──────▶ verify + issue │# │ ◀────── short-lived cert (identity ↔ ephemeral key) │# │ sign artifact with ephemeral key │# │ cert + signature ──────────────────────────────────▶ record# │ discard the private key## The signer never manages a persistent key; identity + log inclusion are the trust.
Why this changes signing adoption
Key management is the reason most teams never signed anything — generating, protecting, rotating, and revoking signing keys is hard and error-prone, and a leaked key silently undermines everything. Keyless removes that entire burden: the certificate is ephemeral, the identity is verified per-signature, and there is nothing durable to steal. In CI this pairs perfectly with the pipeline’s OIDC workflow identity, so a signature is provably "made by acme/api’s release workflow on main" — an identity a verifier can pin. The tradeoff is a dependency on the OIDC provider and the Sigstore services, which the transparency log helps keep honest.