sigstore-fulcio
| Crates.io | sigstore-fulcio |
| lib.rs | sigstore-fulcio |
| version | 0.6.0 |
| created_at | 2025-11-27 10:53:27.520374+00 |
| updated_at | 2025-12-17 09:08:08.655744+00 |
| description | Fulcio certificate authority client for Sigstore |
| homepage | |
| repository | https://github.com/wolfv/sigstore-rust |
| max_upload_size | |
| id | 1953520 |
| size | 69,350 |
Wolf Vollprecht (wolfv)
documentation
README
sigstore-fulcio
Fulcio certificate authority client for sigstore-rust.
Overview
This crate provides a client for Fulcio, Sigstore's certificate authority. Fulcio issues short-lived code signing certificates based on OIDC identity tokens, enabling keyless signing where the signer's identity is bound to their OIDC identity rather than a long-lived private key.
Features
- Certificate signing requests: Generate and submit CSRs to Fulcio
- Certificate retrieval: Obtain signed certificates and certificate chains
- Proof of possession: Challenge-response for key ownership verification
- Detached SCTs: Support for Signed Certificate Timestamps
How It Works
- Signer authenticates with an OIDC provider
- Signer generates an ephemeral key pair
- Signer submits a CSR with the OIDC token to Fulcio
- Fulcio verifies the token and issues a short-lived certificate
- Certificate embeds the OIDC identity (email, subject, issuer)
Usage
use sigstore_fulcio::FulcioClient;
let client = FulcioClient::production();
let certificate = client
.request_certificate(&public_key, &oidc_token, &proof_of_possession)
.await?;
Related Crates
Used by:
sigstore-sign- Requests certificates during signing
License
BSD-3-Clause