fulcio

Definition

Fulcio is the certificate authority of the Sigstore project. It issues short-lived X.509 code-signing certificates whose subject is an OpenID Connect (OIDC) identity rather than a long-lived signing key, which is what lets developers sign software artifacts without managing keys of their own. A signer generates an ephemeral key pair, obtains an OIDC token from a supported identity provider, and presents the token together with a proof of possession of the key. Fulcio checks the token against its allowlist of trusted issuers, places the identity (an email address or a workload URI) in the certificate's Subject Alternative Name, records the OIDC issuer in a Sigstore-specific certificate extension, and logs the issuance to a certificate transparency log. The certificate is valid for only a few minutes (the public Sigstore instance issues ten-minute certificates), so the ephemeral private key can be discarded as soon as the artifact is signed; a verifier later relies on the certificate plus the Sigstore transparency log (Rekor) to establish that the signature was produced while the certificate was valid.

Secure Settings Example

The keys below are schematic rather than Fulcio's own configuration schema (Fulcio's real configuration is an allowlist of trusted OIDC issuers keyed by issuer URL); what they illustrate is the set of properties that matter: an HTTPS-only OIDC issuer, a certificate lifetime measured in minutes, and TLS on the issuing endpoint.

fulcio:
  oidc:
    issuer: "https://accounts.google.com"
    clientID: "your-client-id"
  certificate:
    validityPeriod: "5m"
  logging:
    level: "info"
  security:
    enforceTLS: true

Insecure Settings Example

fulcio:
  oidc:
    issuer: "http://example.com"  # Plain-HTTP issuer: the discovery document and signing keys can be swapped on the wire, so an attacker on the path can mint tokens Fulcio will accept
    clientID: "your-client-id"
  certificate:
    validityPeriod: "24h"  # A day-long certificate defeats the point of keyless signing: a leaked ephemeral key stays usable for a day
  logging:
    level: "debug"  # Debug output may record the OIDC identity tokens presented in signing requests
  security:
    enforceTLS: false  # Without TLS the identity token and certificate request cross the network in cleartext
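The two settings examples describe what a good and a bad Fulcio certificate look like; the relying-party side of that contract is the set of checks a verifier applies to a leaf certificate before trusting a signature. The following is an added example, not code from the Fulcio project: it builds a self-signed, Fulcio-shaped test certificate (identity in the SAN, OIDC issuer in the Sigstore issuer extension 1.3.6.1.4.1.57264.1.8, ten-minute lifetime) and then runs the checks that reject a wrong identity, a wrong issuer, a signature made outside the validity window, and the 24-hour certificate from the insecure example. The email address, issuer URL and the ten-minute ceiling are assumptions chosen for the demonstration; a real Fulcio leaf additionally chains to the Fulcio CA and is accompanied by a transparency-log entry, neither of which is reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OID of the Sigstore "OIDC Issuer (v2)" extension (1.3.6.1.4.1.57264.1.8) that
// Fulcio adds to every leaf certificate; its value is a DER-encoded UTF8String.
var oidIssuerV2 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}

// maxLeafLifetime is the longest validity window this verifier accepts
// (assumption for the example; the public Fulcio instance issues 10-minute certs).
const maxLeafLifetime = 10 * time.Minute

// issueTestCert builds a self-signed, Fulcio-shaped leaf certificate so the
// checks below can run offline. Only the layout of the leaf is reproduced;
// real Fulcio certificates are signed by the Fulcio CA, not by themselves.
func issueTestCert(email, issuer string, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	issuerDER, err := asn1.MarshalWithParams(issuer, "utf8")
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		// Subject is left empty on purpose: the identity lives in the SAN.
		NotBefore:       now,
		NotAfter:        now.Add(lifetime),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		EmailAddresses:  []string{email},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuerV2, Value: issuerDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifySigningCert applies the relying-party checks: the certificate covered
// the signing time, its lifetime is short, the SAN names the expected identity,
// and the issuer extension names the OIDC provider that identity came from.
func verifySigningCert(cert *x509.Certificate, wantEmail, wantIssuer string, signedAt time.Time) error {
	if signedAt.Before(cert.NotBefore) || signedAt.After(cert.NotAfter) {
		return errors.New("certificate was not valid at signing time")
	}
	if life := cert.NotAfter.Sub(cert.NotBefore); life > maxLeafLifetime {
		return fmt.Errorf("lifetime %s exceeds %s", life, maxLeafLifetime)
	}
	found := false
	for _, e := range cert.EmailAddresses {
		if e == wantEmail {
			found = true
			break
		}
	}
	if !found {
		return fmt.Errorf("SAN does not name %q", wantEmail)
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidIssuerV2) {
			continue
		}
		var got string
		if _, err := asn1.UnmarshalWithParams(ext.Value, &got, "utf8"); err != nil {
			return fmt.Errorf("malformed issuer extension: %w", err)
		}
		if got != wantIssuer {
			return fmt.Errorf("issuer %q, want %q", got, wantIssuer)
		}
		return nil
	}
	return errors.New("certificate lacks the OIDC issuer extension")
}

func main() {
	const email, issuer = "dev@example.com", "https://accounts.google.com"
	good, err := issueTestCert(email, issuer, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println("10m cert, signed now:", verifySigningCert(good, email, issuer, time.Now()))
	fmt.Println("10m cert, used an hour later:", verifySigningCert(good, email, issuer, time.Now().Add(time.Hour)))
	long, err := issueTestCert(email, issuer, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("24h cert from the insecure example:", verifySigningCert(long, email, issuer, time.Now()))
}
```

The identity and issuer checks are deliberately separate: an attacker who controls any issuer on Fulcio's allowlist can obtain a certificate for an email address they own, so a verifier that matches only the SAN and not the issuer extension accepts identities from providers it never meant to trust.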