Signing and Verifying Code with Sigstore
Sigstore Basics
Let’s start with a really simple example of keyless signing using sigstore:
First, install sigstore if you don’t already have it, e.g. with `brew`:

```sh
brew install sigstore
```
Then, sign a file:

```sh
sigstore sign README.md
```
This should ask you to authenticate with an IdP to obtain an OIDC identity token. Behind the scenes, Sigstore creates a new local ephemeral keypair, then uses the OIDC identity token to create a Certificate Signing Request for the keypair, which it sends to Fulcio. Sigstore receives the Signed Certificate Timestamp (SCT), the certificate and the intermediate chain from Fulcio. Sigstore then signs the input using the ephemeral private key and publishes the signature, the input's hash, and the signing certificate to the certificate transparency log, Rekor. Finally, Sigstore saves the verification materials locally in a Sigstore bundle at README.md.sigstore.json.
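As an added example (not from the original post), here is a small Python pre-flight check over such a bundle: it reads the `messageDigest` recorded at signing time and compares it with the SHA-256 of the artifact, so a swapped or modified file is caught before the real signature, certificate-chain and Rekor checks that `sigstore verify` performs. The bundle layout (`mediaType`, `verificationMaterial`, `messageSignature`) follows Sigstore's bundle format as I understand it, and the embedded bundle, certificate and signature bytes are constructed placeholders, not real Fulcio or Rekor material.

```python
import base64
import hashlib
import json

# Constructed sample input: the bytes of the file that was signed (stands in for README.md).
SIGNED_CONTENT = b"# Example project\n"


def sha256_b64(data: bytes) -> str:
    """Base64-encode the SHA-256 digest, the encoding the bundle uses for messageDigest."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


# Constructed bundle laid out like a README.md.sigstore.json (messageSignature form).
# Certificate, signature and log entry are placeholders, not real Fulcio/Rekor material.
SAMPLE_BUNDLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {
        "certificate": {"rawBytes": base64.b64encode(b"<placeholder DER cert>").decode()},
        "tlogEntries": [{"logIndex": "0"}],
    },
    "messageSignature": {
        "messageDigest": {"algorithm": "SHA2_256", "digest": sha256_b64(SIGNED_CONTENT)},
        "signature": base64.b64encode(b"<placeholder signature>").decode(),
    },
})


def inspect_bundle(bundle_json: str, content: bytes) -> dict:
    """Pre-flight checks on a bundle before handing it to `sigstore verify`.

    Reports which verification material is present and whether the digest recorded
    at signing time matches the artifact. It does NOT check the signature, the
    certificate chain or the log inclusion proof; that remains the CLI's job.
    """
    bundle = json.loads(bundle_json)
    vm = bundle.get("verificationMaterial", {})
    # Newer bundles carry a single leaf certificate; older ones carry a chain.
    cert = vm.get("certificate") or (vm.get("x509CertificateChain", {}).get("certificates") or [{}])[0]
    digest = bundle.get("messageSignature", {}).get("messageDigest", {})
    return {
        "is_sigstore_bundle": bundle.get("mediaType", "").startswith("application/vnd.dev.sigstore.bundle"),
        "has_certificate": bool(cert.get("rawBytes")),
        "tlog_entries": len(vm.get("tlogEntries", [])),
        "digest_algorithm": digest.get("algorithm"),
        "digest_matches": digest.get("algorithm") == "SHA2_256" and digest.get("digest") == sha256_b64(content),
    }


if __name__ == "__main__":
    print(inspect_bundle(SAMPLE_BUNDLE, SIGNED_CONTENT))
    # A modified artifact no longer matches the digest recorded in the bundle.
    print(inspect_bundle(SAMPLE_BUNDLE, SIGNED_CONTENT + b"tampered"))
```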