How to Inspect and Verify Fulcio Certificates
To inspect a certificate generated by Fulcio, we will first decode it with the
base64 command line tool, which is used for encoding and decoding binary to text. Base64 is widely used on the world wide web for binary-to-text encoding. You can check whether the tool is installed by checking whether
base64 --help will run. If not, install Base64 with the package manager of your choice, such as apt or Homebrew for macOS.
We will also use a third-party tool called
step to inspect the decoded certificate. To install
step, which is a tool related to public key infrastructure workflows, follow the instructions from their official documentation.
In addition to having
step installed on your machine, you should also have Cosign installed, which you can achieve by following the instructions described in How to Install Cosign.
With these prerequisites in place, you are ready to begin.
First, we’ll decode the certificate with Base64. If you don’t have a certificate ready to inspect, you can generate one by following How to Generate a Fulcio Certificate.
base64 -d < fulcio.crt.base64 > fulcio.crt
Then, inspect the certificate using
step certificate inspect fulcio.crt
A sample output is below. Pay attention especially to the
x509v3 Subject Alternative Name field, which is the e-mail associated with the party that created the signature and the issuer, which is Sigstore. The ten minute time window of validity also details the period of time for which the signature is valid.
Certificate: Data: Version: 3 (0x2) Serial Number: 445971695346061852979091305347141417164194935 (0x13ff8105719cba6ad0caa5ce9f34603ce9c477) Signature Algorithm: ECDSA-SHA384 Issuer: O=Sigstore.dev,CN=sigstore Validity Not Before: Mar 24 20:14:37 2022 UTC Not After : Mar 24 20:24:36 2022 UTC Subject: Subject Public Key Info: Public Key Algorithm: ECDSA Public-Key: (256 bit) X: 4b:fc:7d:9c:4a:56:30:75:67:fd:d6:1f:a6:f3:05: 04:ff:c8:ad:c6:2c:5f:ea:59:f9:ed:07:fa:c2:ae: 04:19 Y: 15:44:38:f3:77:87:63:91:0c:08:b6:4f:ca:67:36: 3f:38:dc:fc:bc:07:5c:8f:ec:d3:b2:31:66:a8:3d: fa:98 Curve: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: Code Signing X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 5A:F0:DE:DA:CF:D0:73:F1:5A:88:B2:9F:8E:03:5F:51:6E:8C:57:19 X509v3 Authority Key Identifier: keyid:58:C0:1E:5F:91:45:A5:66:A9:7A:CC:90:A1:93:22:D0:2A:C5:C5:FA X509v3 Subject Alternative Name: critical email:firstname.lastname@example.org 184.108.40.206.4.1.57264.1.1: https://github.com/login/oauth Signature Algorithm: ECDSA-SHA384 30:65:02:31:00:98:00:17:7a:98:f2:d4:89:05:d2:7a:91:93: 73:92:e6:3f:9d:69:a5:7c:28:9f:60:72:29:e3:b7:d3:5e:2f: 1a:00:35:99:4f:92:da:02:cd:ec:83:49:f3:27:3a:39:21:02: 30:04:a6:0c:42:a4:38:d9:ac:da:8f:b5:2f:4c:f5:ad:4b:d4: c6:7d:8b:43:46:91:c1:9d:80:43:44:a9:26:26:26:0f:cf:e2: ab:aa:ef:6d:ec:1c:28:df:d3:ac:aa:fd:1b
We will then verify the certificate against the Fulcio certificate authority root, by using
step certificate verify to execute the certificate path validation algorithm for x.509 certificates.
step certificate verify fulcio.crt --roots ~/.sigstore/root/targets/fulcio_intermediate_v1.crt.pem
The final command checks the signature in the
fulcio.sig file, tracing the certificate up to the Fulcio root certificate. You’ll need to use the identity flags
--certificate-ide ntity which corresponds to the email address of the signer, and
--certificate-oidc-issuer which corresponds to the OIDC provider that the signer used. For example, a Gmail account using Google as the OIDC issuer, will be able to be verified with the following command:
cosign verify-blob test-file.txt \ --signature fulcio.sig \ --cert fulcio.crt.base64 \ --certificate-identity email@example.com \ --certificate-oidc-issuer https://accounts.google.com
You will receive output following this command.
You should receive a
Verified OK message if the signature, certificate, and identities match.