How to Inspect and Verify Fulcio Certificates
An earlier version of this material was published in the Fulcio chapter of the Linux Foundation Sigstore course.
To inspect a certificate generated by Fulcio, we will first decode it with the
base64 command line tool, which is used for encoding and decoding binary to text. Base64 is widely used on the world wide web for binary-to-text encoding. You can check whether the tool is installed by checking whether
base64 --help will run. If not, install Base64 with the package manager of your choice, such as apt or Homebrew for macOS.
We will also use a third-party tool called
step to inspect the decoded certificate. To install
step, which is a tool related to public key infrastructure workflows, follow the instructions from their official documentation.
In addition to having
step installed on your machine, you should also have Cosign installed, which you can achieve by following the instructions described in How to Install Cosign.
With these prerequisites in place, you are ready to begin.
First, we’ll decode the certificate with Base64. If you don’t have a certificate ready to inspect, you can generate one by following How to Generate a Fulcio Certificate.
base64 -d < fulcio.crt.base64 > fulcio.crt
Then, inspect the certificate using
step certificate inspect fulcio.crt
A sample output is below. Pay attention especially to the
x509v3 Subject Alternative Name field, which is the e-mail associated with the party that created the signature and the issuer, which is Sigstore. The ten minute time window of validity also details the period of time for which the signature is valid.
Certificate: Data: Version: 3 (0x2) Serial Number: 445971695346061852979091305347141417164194935 (0x13ff8105719cba6ad0caa5ce9f34603ce9c477) Signature Algorithm: ECDSA-SHA384 Issuer: O=Sigstore.dev,CN=sigstore Validity Not Before: Mar 24 20:14:37 2022 UTC Not After : Mar 24 20:24:36 2022 UTC Subject: Subject Public Key Info: Public Key Algorithm: ECDSA Public-Key: (256 bit) X: 4b:fc:7d:9c:4a:56:30:75:67:fd:d6:1f:a6:f3:05: 04:ff:c8:ad:c6:2c:5f:ea:59:f9:ed:07:fa:c2:ae: 04:19 Y: 15:44:38:f3:77:87:63:91:0c:08:b6:4f:ca:67:36: 3f:38:dc:fc:bc:07:5c:8f:ec:d3:b2:31:66:a8:3d: fa:98 Curve: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: Code Signing X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 5A:F0:DE:DA:CF:D0:73:F1:5A:88:B2:9F:8E:03:5F:51:6E:8C:57:19 X509v3 Authority Key Identifier: keyid:58:C0:1E:5F:91:45:A5:66:A9:7A:CC:90:A1:93:22:D0:2A:C5:C5:FA X509v3 Subject Alternative Name: critical email:email@example.com 22.214.171.124.4.1.57264.1.1: https://github.com/login/oauth Signature Algorithm: ECDSA-SHA384 30:65:02:31:00:98:00:17:7a:98:f2:d4:89:05:d2:7a:91:93: 73:92:e6:3f:9d:69:a5:7c:28:9f:60:72:29:e3:b7:d3:5e:2f: 1a:00:35:99:4f:92:da:02:cd:ec:83:49:f3:27:3a:39:21:02: 30:04:a6:0c:42:a4:38:d9:ac:da:8f:b5:2f:4c:f5:ad:4b:d4: c6:7d:8b:43:46:91:c1:9d:80:43:44:a9:26:26:26:0f:cf:e2: ab:aa:ef:6d:ec:1c:28:df:d3:ac:aa:fd:1b
We will then verify the certificate against the Fulcio certificate authority root, by using
step certificate verify to execute the certificate path validation algorithm for x.509 certificates.
step certificate verify fulcio.crt --roots ~/.sigstore/root/targets/fulcio_intermediate_v1.crt.pem
The final command checks the signature in the
fulcio.sig file, tracing the certificate up to the Fulcio root certificate.
cosign verify-blob test-file.txt --signature fulcio.sig --cert fulcio.crt.base64
You will receive output following this command.
tlog entry verified with uuid: 727e2834d2af9389bbc49ebd798050a72698fec4fabff1433cd83071b4a6914d index: 2494952 Verified OK
You should receive a
Verified OK message along with the UUID and index number of the certificate within Fulcio.