Fulcio & keyless signing

Short-lived certs bound to OIDC identity.

Advanced30 min · lesson 8 of 15

Sigstore’s big idea is keyless signing — removing the long-lived private key that teams struggle to protect. Fulcio is the piece that makes it possible: a certificate authority that vouches for who is signing, based on an identity you already have.

Short-lived certs bound to OIDC identity

Instead of holding a persistent signing key, the signer generates an ephemeral key pair, proves its identity to Fulcio with an OIDC token (a CI workflow identity, a corporate SSO login), and receives a short-lived certificate — valid for minutes — that binds that identity to the ephemeral public key. It signs, the certificate and signature are recorded, and the private key is discarded. There is no long-lived secret to store, rotate, or leak: the "key" exists only for the moment of signing, and trust flows from the verified identity rather than from key custody.

the keyless signing flow
# signer (CI job) Fulcio (CA) Rekor (log)
# │ OIDC token (identity) ──────▶ verify + issue │
# │ ◀────── short-lived cert (identity ↔ ephemeral key) │
# │ sign artifact with ephemeral key │
# │ cert + signature ──────────────────────────────────▶ record
# │ discard the private key
#
# The signer never manages a persistent key; identity + log inclusion are the trust.

Why this changes signing adoption

Key management is the reason most teams never signed anything — generating, protecting, rotating, and revoking signing keys is hard and error-prone, and a leaked key silently undermines everything. Keyless removes that entire burden: the certificate is ephemeral, the identity is verified per-signature, and there is nothing durable to steal. In CI this pairs perfectly with the pipeline’s OIDC workflow identity, so a signature is provably "made by acme/api’s release workflow on main" — an identity a verifier can pin. The tradeoff is a dependency on the OIDC provider and the Sigstore services, which the transparency log helps keep honest.

Keyless vs long-lived key
long-lived key
store + protect + rotate
operational burden
leak = silent compromise
hard to detect/revoke
keyless (Fulcio)
ephemeral key
exists only at signing
identity-bound cert
trust from verified OIDC identity
nothing durable to steal
no key custody
Keyless trades key management for identity verification + a public log. It is why signing finally became practical at scale.
Keyless still needs identity verification at check time
Removing the key does not remove the need to verify — a Fulcio certificate proves an identity signed, but you must still assert which identity you accept. Pin the OIDC issuer and certificate subject in your verification policy; keyless without identity pinning trusts anyone who can get a Fulcio cert (i.e. anyone).