ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

SIGSTORE-FULCIO

Sigstore Fulcio CA short-lived X509 OIDC.

Definition

Fulcio workflow: (1) Client (cosign) generates ephemeral key pair (~ECDSA P-256), constructs Certificate Signing Request (CSR). (2) Client obtains OIDC token from supported OIDC issuer (GitHub OIDC, Google Identity, Microsoft Azure, GitLab CI, etc.). (3) POST CSR + OIDC token to Fulcio CA endpoint (https://fulcio.sigstore.dev/api/v2/signingCert). (4) Fulcio verifies OIDC token signature + claims, extracts identity (email for user, repository + workflow for GitHub Actions, etc.). (5) Fulcio issues short-lived X509 certificate (10-min validity, ~600 seconds) with custom Subject Alternative Name (SAN) URI containing OIDC identity (e.g., 'github-actions://owner/repo@ref'). (6) Fulcio appends issuance to Rekor transparency log (CT log inspired). (7) Client uses cert to sign artifacts immediately, no need long-term key storage. Public Good Fulcio root CA published, self-deployable Fulcio instance possible (enterprises private Fulcio + Rekor). Tech: Go implementation, BFD signed Backed by HSM (Hardware Security Module).

Origin

Fulcio CA initial design 2021 Sigstore launch ; Public Good Fulcio Production instance Linux Foundation 2021 ; ~10M certificates issued/year 2024 ; private instances enterprises Red Hat OpenShift Pipelines, Google Cloud Build, etc.

Example in context

GitHub Actions workflow Kubernetes release builds v1.30.0 image: workflow obtains OIDC token from GitHub via id-token: write permission, cosign sign sends CSR + token to Fulcio sigstore.dev, Fulcio verifies token, issues cert SAN 'github-actions://kubernetes/kubernetes@refs/tags/v1.30.0', cosign signs image, cert appended Rekor log.

Last updated: May 16, 2026