Skip to content

Commit

Permalink
1.0 changelog! (#830)
Browse files Browse the repository at this point in the history
* Fulcio 1.0!!

Signed-off-by: Hayden Blauzvern <[email protected]>
  • Loading branch information
haydentherapper authored Oct 17, 2022
1 parent ef0b75b commit 59ffd02
Show file tree
Hide file tree
Showing 2 changed files with 57 additions and 28 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
# v1.0.0

1.0 release!

No changes from the previous release v1.0.0-rc.0.

# v1.0.0-rc.0

**Notice for Deprecation**: The legacy (V1) API will be deprecated by February
Expand Down
79 changes: 51 additions & 28 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,36 +6,43 @@

# Fulcio

_A New Kind of Root CA For Code Signing_
_A Free-to-Use CA For Code Signing_

fulcio is a free Root-CA for code signing certs - issuing certificates based on an OIDC email address.
Fulcio is a free-to-use certificate authority for issuing code signing certificates
for an OpenID Connect (OIDC) identity, such as email address.

fulcio only signs short-lived certificates that are valid for under 20 minutes.
Fulcio only issues short-lived certificates that are valid for 10 minutes.

## Status
## Public Instance

Fulcio is a *work in progress*!
Fulcio is in General Availability, offering a 99.5 Availability SLO,
and follows [semver rules](https://semver.org/) for API stability.

We're currently working hard on cutting a 1.0 release and productionizing the public instance.
We don't have a date yet, but follow along on the [GitHub project](https://github.com/orgs/sigstore/projects/5).
For uptime data on the Fulcio public instance, see [https://status.sigstore.dev](https://status.sigstore.dev).

The fulcio root certificate running on our public instance (https://fulcio.sigstore.dev) can be obtained and verified against Sigstore's root (at the [sigstore/root-signing](https://github.com/sigstore/root-signing) repository). To do this, install and use [go-tuf](https://github.com/theupdateframework/go-tuf)'s CLI tools:
Fulcio's certificate chain can be obtained from the `TrustBundle` API, for example for the public instance
([https://fulcio.sigstore.dev](https://fulcio.sigstore.dev/api/v2/trustBundle)). To verify the public instance,
you must verify the chain using Sigstore's [TUF](https://theupdateframework.io/) root from the
[sigstore/root-signing](https://github.com/sigstore/root-signing) repository).

To do this, install and use [go-tuf](https://github.com/theupdateframework/go-tuf)'s CLI tools:
```
$ go get github.com/theupdateframework/go-tuf/cmd/tuf
$ go get github.com/theupdateframework/go-tuf/cmd/tuf-client
$ go install github.com/theupdateframework/go-tuf/cmd/tuf-client@06ed59941769f55b7d54158a0be85a16a7475fa7
```

Then, obtain trusted root keys for Sigstore. This can be done from a checkout of the Sigstore's root signing repository at a trusted commit (e.g. after the livestreamed root signing ceremony).
Then, obtain trusted root keys for Sigstore. This can be done from a trusted commit in Sigstore's root signing repository
(e.g. after the [livestreamed root signing ceremony](https://github.com/sigstore/root-signing#initial-root-signing-ceremony)).
```
$ git clone https://github.com/sigstore/root-signing
$ cd root-signing && git checkout 193343461a4d365ac517b5d668e01fbaddd4eba5
$ tuf -d ceremony/2021-06-18/ root-keys > sigstore-root.json
# Ref 193343461a4d365ac517b5d668e01fbaddd4eba5 is when the root ceremony was completed
curl -o sigstore-root.json https://raw.githubusercontent.com/sigstore/root-signing/193343461a4d365ac517b5d668e01fbaddd4eba5/ceremony/2021-06-18/repository/root.json
```

Initialize the TUF client with the previously obtained root keys and get the current Fulcio root certificate `fulcio_v1.crt.pem`.
Initialize the TUF client with the previously obtained root and the remote repository, https://sigstore-tuf-root.storage.googleapis.com,
and get the current Fulcio root certificate `fulcio_v1.crt.pem` and intermediate certificate `fulcio_intermediate_v1.crt.pem`.
```
$ tuf-client init https://raw.githubusercontent.com/sigstore/root-signing/main/repository/repository/ sigstore-root.json
$ tuf-client get https://raw.githubusercontent.com/sigstore/root-signing/main/repository/repository/ fulcio_v1.crt.pem
$ tuf-client init https://sigstore-tuf-root.storage.googleapis.com sigstore-root.json
$ tuf-client get https://sigstore-tuf-root.storage.googleapis.com fulcio_v1.crt.pem
-----BEGIN CERTIFICATE-----
MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw
KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
Expand All @@ -49,28 +56,44 @@ KsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM
WP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9
TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ
-----END CERTIFICATE-----
```
We **WILL** change this and add intermediaries in the future.
$ tuf-client get https://sigstore-tuf-root.storage.googleapis.com fulcio_intermediate_v1.crt.pem
-----BEGIN CERTIFICATE-----
MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw
KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
MjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl
LmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C
AQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7
7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS
0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB
BQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp
KFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI
zj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR
nZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP
mygUY7Ii2zbdCdliiow=
-----END CERTIFICATE-----
```

## API

The API is defined [here](./pkg/api/client.go).

## Transparency
The API is defined [here](./fulcio.proto). The API can be accessed
over [HTTP](https://www.sigstore.dev/swagger/?urls.primaryName=Fulcio) or gRPC.

Fulcio will publish issued certificates to a unique Certificate Transparency log (CT-log).
That log will be hosted by the sigstore project.
## Certificate Transparency

We encourage auditors to monitor this log, and aim to help people access the data.
Fulcio will publish issued certificates to a Certificate Transparency log (CT log).
The log is hosted at `https://ctfe.sigstore.dev/test`. Each year, the log will be updated
to a new log ID, for example `https://ctfe.sigstore.dev/2022`.

A simple example would be a service that emails users (on a different address) when certficates have been issued on their behalf.
This can then be used to detect bad behavior or possible compromise.
The log provides an API documented in [RFC 6962](https://datatracker.ietf.org/doc/rfc6962/).

We encourage auditors to monitor this log for both integrity and specific identities.
For example, auditors can monitor for when a certificate is issued for certain eamil addresses,
which will detect misconfiguration or potential compromise of the user's identity.

## Security

Should you discover any security issues, please refer to sigstore's [security
Please report any vulnerabilities following sigstore's [security
process](https://github.com/sigstore/.github/blob/main/SECURITY.md).

## Info
Expand Down

0 comments on commit 59ffd02

Please sign in to comment.