Fulcio & Rekor

Fulcio and Rekor are the infrastructure components that power Sigstore’s keyless signing. Fulcio issues certificates, and Rekor maintains a transparency log of all signatures.

Fulcio

Fulcio is a certificate authority (CA) that issues short-lived certificates for code signing based on OIDC authentication.

How Fulcio Works

sequenceDiagram
    participant User
    participant Cosign
    participant OIDC as OIDC Provider
    participant Fulcio
    participant Rekor
    User->>Cosign: Sign image
    Cosign->>OIDC: Authenticate
    OIDC-->>Cosign: ID Token
    Cosign->>Fulcio: Request certificate (with ID token)
    Fulcio->>Fulcio: Verify ID token
    Fulcio-->>Cosign: Issue certificate
    Cosign->>Cosign: Sign image
    Cosign->>Rekor: Store signature

Fulcio Features

  • OIDC-based - Uses OIDC for identity verification
  • Short-lived certificates - Certificates expire quickly
  • No key management - Developers don’t manage keys
  • Public infrastructure - Free public instance available
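Because Fulcio certificates expire within minutes, a verifier cannot simply ask "is this certificate valid now"; it has to pin the OIDC issuer and identity it expects and check that the certificate was valid at the moment Rekor logged the signature. The following is an added example, not code from the Sigstore project: it models that policy in plain Python over a constructed certificate record (the fields stand in for the Subject Alternative Name, the Sigstore issuer extension and the validity window of a real Fulcio certificate) and a constructed Rekor `integratedTime`. The function name `check_signing_certificate` and the dict layout are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the fields a verifier extracts from a Fulcio
# certificate: OIDC identity (from the Subject Alternative Name), OIDC issuer
# (from the Sigstore issuer extension, OID 1.3.6.1.4.1.57264.1.1 / .1.8) and
# the validity window. All values are made up for this example; the ten-minute
# window mirrors how short-lived Fulcio certificates are.
SIGNED_AT = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
EXAMPLE_CERT = {
    "identity": "release-bot@example.com",
    "issuer": "https://accounts.google.com",
    "not_before": SIGNED_AT - timedelta(seconds=30),
    "not_after": SIGNED_AT + timedelta(minutes=10),
}
# Rekor records when it integrated an entry as a UNIX timestamp
# (the entry's `integratedTime`). Constructed here, five seconds after signing.
EXAMPLE_INTEGRATED_TIME = int((SIGNED_AT + timedelta(seconds=5)).timestamp())


def check_signing_certificate(cert, integrated_time, expected_identity, expected_issuer):
    """Policy equivalent to cosign's --certificate-oidc-issuer and
    --certificate-identity-regexp, plus the time check that makes
    short-lived certificates usable. Returns (ok, reason)."""
    # 1. Pin the issuer first: another OIDC provider could mint a token
    #    carrying the same e-mail string for a different principal.
    if cert["issuer"] != expected_issuer:
        return False, "unexpected OIDC issuer %s" % cert["issuer"]
    # 2. Full-match the identity so 'bot@example.com' does not also accept
    #    'bot@example.com.evil.test' through a loose regexp.
    if not re.fullmatch(expected_identity, cert["identity"]):
        return False, "identity %s does not match policy" % cert["identity"]
    # 3. The certificate only has to have been valid when Rekor logged the
    #    signature, not at verification time: checking against the current
    #    clock would reject every signature older than a few minutes.
    logged_at = datetime.fromtimestamp(integrated_time, tz=timezone.utc)
    if not (cert["not_before"] <= logged_at <= cert["not_after"]):
        return False, "signature logged outside certificate validity"
    return True, "ok"


def demo_certificate_policy():
    """Returns (genuine_ok, other_issuer_rejected, late_log_rejected)."""
    policy = dict(expected_identity=r"release-bot@example\.com",
                  expected_issuer="https://accounts.google.com")
    ok, _ = check_signing_certificate(EXAMPLE_CERT, EXAMPLE_INTEGRATED_TIME, **policy)
    # Same identity string issued by a different IdP must be rejected.
    other = dict(EXAMPLE_CERT, issuer="https://example-idp.test")
    other_ok, _ = check_signing_certificate(other, EXAMPLE_INTEGRATED_TIME, **policy)
    # A log timestamp an hour after the certificate expired must be rejected.
    late = int((SIGNED_AT + timedelta(hours=1)).timestamp())
    late_ok, _ = check_signing_certificate(EXAMPLE_CERT, late, **policy)
    return ok, other_ok, late_ok


if __name__ == "__main__":
    print(demo_certificate_policy())  # (True, False, False)
```

The order of the checks matters: pinning the issuer before matching the identity is what stops an identity string from one provider being accepted when it was minted by another, and the time comparison is against the log's timestamp, not the verifier's clock.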

Rekor

Rekor is a transparency log that stores signed metadata about artifacts. It provides an immutable, auditable record of all signatures.

How Rekor Works

flowchart TD
    A[Cosign Signs Image] --> B[Create Signature Entry]
    B --> C[Submit to Rekor]
    C --> D[Rekor Stores Entry]
    D --> E[Return Entry UUID]
    E --> F[Signature Logged]
    style A fill:#e1f5ff
    style D fill:#fff4e1
    style F fill:#e8f5e9

Rekor Features

  • Transparency log - Public record of all signatures
  • Immutable - Entries cannot be modified
  • Queryable - Search for signatures
  • Verifiable - Verify log integrity
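"Verifiable" means a client can check, from an entry body, its index, the tree size and a published root hash, that the entry really is in the log, recomputing the root from the audit path rather than trusting the server. Rekor's Trillian-backed log uses RFC 6962 Merkle hashing (SHA-256 with a 0x00 prefix for leaves and 0x01 for interior nodes). The block below is an added example, not code from the Rekor project: it implements that hashing, builds a constructed five-entry log, generates inclusion proofs for it and verifies them with the RFC 9162 client algorithm. The adapter `verify_rekor_style_proof` assumes the shape of Rekor's `verification.inclusionProof` object (hex `hashes` and `rootHash`, integer `logIndex` and `treeSize`); the entry bodies are made-up stand-ins for canonicalized Rekor entries.

```python
import hashlib

# RFC 6962 domain separation: leaves and interior nodes hash differently so a
# leaf can never be presented as a node or vice versa.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 tree split point)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def root_hash(entries):
    """Merkle tree hash of the whole log (what the log publishes as rootHash)."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(root_hash(entries[:k]), root_hash(entries[k:]))


def inclusion_proof(entries, index):
    """Audit path for entries[index]; this is the server's side of the exchange."""
    n = len(entries)
    if n == 1 and index == 0:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [root_hash(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [root_hash(entries[:k])]


def verify_inclusion(entry, index, tree_size, proof, root):
    """Client-side check (RFC 9162, 'Verifying an Inclusion Proof'): fold the
    audit path into the leaf hash and compare with the published root."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False  # more path elements than the tree shape allows
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # sibling is on the left
            if not fn & 1:
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def verify_rekor_style_proof(entry, proof_json):
    """Adapter for the hex-encoded proof object Rekor returns (assumed shape)."""
    return verify_inclusion(
        entry,
        proof_json["logIndex"],
        proof_json["treeSize"],
        [bytes.fromhex(h) for h in proof_json["hashes"]],
        bytes.fromhex(proof_json["rootHash"]),
    )


# Constructed log: five bodies standing in for canonicalized Rekor entries.
LOG = [("entry-%d" % i).encode() for i in range(5)]


def demo_inclusion_proofs():
    """Returns (all_genuine_verify, tampered_verifies, rolled_back_root_verifies)."""
    root = root_hash(LOG)
    all_ok = all(
        verify_rekor_style_proof(LOG[i], {
            "logIndex": i, "treeSize": len(LOG), "rootHash": root.hex(),
            "hashes": [h.hex() for h in inclusion_proof(LOG, i)],
        })
        for i in range(len(LOG))
    )
    # A modified body with the original proof must not verify.
    tampered = verify_inclusion(b"entry-2-tampered", 2, len(LOG), inclusion_proof(LOG, 2), root)
    # A root from before the entry was appended (a rolled-back log) must not verify.
    rolled_back = verify_inclusion(LOG[4], 4, len(LOG), inclusion_proof(LOG, 4), root_hash(LOG[:4]))
    return all_ok, tampered, rolled_back


if __name__ == "__main__":
    print(demo_inclusion_proofs())  # (True, False, False)
```

An inclusion proof only binds the entry to one root; to detect a log that shows different roots to different clients, pair it with consistency proofs between successive tree sizes and compare roots with other observers, which is what the "verify transparency" practice below amounts to.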

Using Public Infrastructure

Sigstore provides public instances:

  • Fulcio: https://fulcio.sigstore.dev
  • Rekor: https://rekor.sigstore.dev

These are free to use and suitable for most use cases.

Self-Hosted Deployment

Deploy Fulcio

kubectl apply -f https://github.com/sigstore/fulcio/releases/latest/download/fulcio.yaml

Deploy Rekor

kubectl apply -f https://github.com/sigstore/rekor/releases/latest/download/rekor.yaml

Best Practices

  1. Use public infrastructure - For most use cases, public instances are sufficient
  2. Self-host for compliance - Deploy your own for strict compliance requirements
  3. Monitor logs - Watch Rekor for entries that use your identities or OIDC issuers when you did not sign anything
  4. Verify transparency - Regularly verify Rekor log integrity

See Also