How to Inspect and Verify Fulcio Certificates

Confirming the authenticity of a Fulcio certificate for a more secure software supply chain

An earlier version of this material was published in the Fulcio chapter of the Linux Foundation Sigstore course.

To inspect a certificate generated by Fulcio, we will first decode it with the base64 command line tool, which is used for encoding and decoding binary to text. Base64 is widely used on the world wide web for binary-to-text encoding. You can check whether the tool is installed by checking whether base64 --help will run. If not, install Base64 with the package manager of your choice, such as apt or Homebrew for macOS.

We will also use a third-party tool called step to inspect the decoded certificate. To install step, which is a tool related to public key infrastructure workflows, follow the instructions from their official documentation.

In addition to having base64 and step installed on your machine, you should also have Cosign installed, which you can achieve by following the instructions described in How to Install Cosign.

With these prerequisites in place, you are ready to begin.

First, we’ll decode the certificate with Base64. If you don’t have a certificate ready to inspect, you can generate one by following How to Generate a Fulcio Certificate.

base64 -d < fulcio.crt.base64 > fulcio.crt

Then, inspect the certificate using step’s inspect command.

step certificate inspect fulcio.crt

A sample output is below. Pay attention especially to the x509v3 Subject Alternative Name field, which is the e-mail associated with the party that created the signature and the issuer, which is Sigstore. The ten minute time window of validity also details the period of time for which the signature is valid.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 445971695346061852979091305347141417164194935 (0x13ff8105719cba6ad0caa5ce9f34603ce9c477)
    Signature Algorithm: ECDSA-SHA384
        Issuer: O=Sigstore.dev,CN=sigstore
        Validity
            Not Before: Mar 24 20:14:37 2022 UTC
            Not After : Mar 24 20:24:36 2022 UTC
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: ECDSA
                Public-Key: (256 bit)
                X:
                    4b:fc:7d:9c:4a:56:30:75:67:fd:d6:1f:a6:f3:05:
                    04:ff:c8:ad:c6:2c:5f:ea:59:f9:ed:07:fa:c2:ae:
                    04:19
                Y:
                    15:44:38:f3:77:87:63:91:0c:08:b6:4f:ca:67:36:
                    3f:38:dc:fc:bc:07:5c:8f:ec:d3:b2:31:66:a8:3d:
                    fa:98
                Curve: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                5A:F0:DE:DA:CF:D0:73:F1:5A:88:B2:9F:8E:03:5F:51:6E:8C:57:19
            X509v3 Authority Key Identifier:
                keyid:58:C0:1E:5F:91:45:A5:66:A9:7A:CC:90:A1:93:22:D0:2A:C5:C5:FA
            X509v3 Subject Alternative Name: critical
                email:email@example.com
            1.3.6.1.4.1.57264.1.1:
                https://github.com/login/oauth
    Signature Algorithm: ECDSA-SHA384
         30:65:02:31:00:98:00:17:7a:98:f2:d4:89:05:d2:7a:91:93:
         73:92:e6:3f:9d:69:a5:7c:28:9f:60:72:29:e3:b7:d3:5e:2f:
         1a:00:35:99:4f:92:da:02:cd:ec:83:49:f3:27:3a:39:21:02:
         30:04:a6:0c:42:a4:38:d9:ac:da:8f:b5:2f:4c:f5:ad:4b:d4:
         c6:7d:8b:43:46:91:c1:9d:80:43:44:a9:26:26:26:0f:cf:e2:
         ab:aa:ef:6d:ec:1c:28:df:d3:ac:aa:fd:1b

We will then verify the certificate against the Fulcio certificate authority root, by using step certificate verify to execute the certificate path validation algorithm for x.509 certificates.

step certificate verify fulcio.crt --roots ~/.sigstore/root/targets/fulcio_intermediate_v1.crt.pem

The final command checks the signature in the fulcio.sig file, tracing the certificate up to the Fulcio root certificate. You’ll need to use the identity flags --certificate-ide ntity which corresponds to the email address of the signer, and --certificate-oidc-issuer which corresponds to the OIDC provider that the signer used. For example, a Gmail account using Google as the OIDC issuer, will be able to be verified with the following command:

cosign verify-blob test-file.txt \
  --signature fulcio.sig \
  --cert fulcio.crt.base64 \
  --certificate-identity username@gmail.com \
  --certificate-oidc-issuer https://accounts.google.com

You will receive output following this command.

You should receive a Verified OK message if the signature, certificate, and identities match.