How to Generate a Fulcio Certificate
In this tutorial, we are going to create and examine a Fulcio certificate to demonstrate how Fulcio can work in practice. To follow along, you will need Cosign installed on your local system. If you haven’t installed Cosign yet, you can follow the instructions described in How to Install Cosign, or you can follow one of the installation methods described in the official documentation.
Pease note that using Cosign requires Go v1.16 or higher. The Go Project provides official download instructions.
To get started, set the
COSIGN_EXPERIMENTAL variable to
1. This is required in order to enable the keyless signing flow functionality, which is currently in beta.
Next, place some text in a text file. For instance:
echo "test file contents" > test-file.txt
Next, let’s generate a key pair with Cosign:
Enter and confirm a password after running this command.
Then, use Cosign to sign this test-file.txt, outputting a Fulcio certificate named “fulcio.crt.base64”. The sign-blob subcommand allows Cosign to sign a blob. This command will open a browser tab and will require you to sign in through one of the OIDC providers: GitHub, Google, or Microsoft. This step represents the user proving their identity.
cosign sign-blob test-file.txt --output-certificate fulcio.crt.base64 --output-signature fulcio.sig
After authentication, you can close the browser tab. In your terminal, you will receive output similar to this:
Using payload from: test-file.txt Generating ephemeral keys... Retrieving signed certificate... Your browser will now be opened to: https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=... Successfully verified SCT... using ephemeral certificate: -----BEGIN CERTIFICATE----- (...) -----END CERTIFICATE----- tlog entry created with index: 2494952 Signature wrote in the file fulcio.sig Certificate wrote in the file fulcio.crt.base64
The output indicates that Sigstore is using ephemeral keys to generate a certificate for
test-file.txt. The certificate, which we’ll verify in the next section, is saved to a file named