LinuxCommandLibrary

fulcio

TLDR

Start Fulcio server

$ fulcio serve --config-path [config.yaml]

Create root certificate
$ fulcio createca --out [root.pem]

SYNOPSIS

fulcio command [options]

DESCRIPTION

Fulcio is the certificate authority of the Sigstore project. It issues short-lived (ten-minute) code-signing certificates that bind an OIDC identity (an email address from Google or Microsoft, a GitHub Actions workflow identity, and so on) to an ephemeral public key supplied by the client. This is what makes keyless signing possible: the developer authenticates to an identity provider instead of managing a long-term signing key.
Every certificate Fulcio issues is published to a certificate transparency log, and the signatures made with it are recorded in the Rekor transparency log. A verifier therefore checks the certificate chain, the identity named in the certificate, and the Rekor entry, rather than trusting a public key distributed out of band.

PARAMETERS

serve

Start the Fulcio server.
--config-path file
Path to the configuration file, which lists the OIDC issuers whose tokens Fulcio accepts.
--port num
HTTP port to listen on.
createca
Create a root CA certificate (the CA key is generated in a PKCS#11 HSM rather than on disk).
--out file
File to write the root certificate to.
version
Show version.

WORKFLOW

1. The developer authenticates with an OIDC provider and obtains an identity token
2. The developer generates an ephemeral key pair and sends the public key together with the token to Fulcio, which issues a short-lived certificate bound to that identity
3. The developer signs the artifact with the ephemeral private key
4. The signature and the certificate are recorded in Rekor, which timestamps the entry
5. A verifier looks up the Rekor entry, validates the certificate chain as of the logged time, and confirms that the identity in the certificate is the one expected
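The following Go program walks through the workflow above end to end so that the verifier side can be seen concretely. It is an added example written for this page, not code from the Fulcio project: the in-memory self-signed root, the fixed serial numbers, the identity dev@example.com, the issuer https://accounts.google.com, the artifact bytes and the signing timestamp are all constructed for illustration, and the real Fulcio server validates an OIDC token and keeps its root key in an HSM or KMS. What it does reproduce faithfully is the shape of a Fulcio leaf certificate (empty subject, email SAN, code-signing EKU, Sigstore's OIDC issuer extension under OID 1.3.6.1.4.1.57264.1.8) and the verifier's obligation to check the chain at the time of signing rather than at the time of verification, since the certificate has expired long before anyone checks it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OID registered by Sigstore for the OIDC issuer (v2) extension Fulcio places in leaf certificates.
var oidIssuerV2 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}

// newRoot stands in for the Fulcio CA: a self-signed root whose key lives in memory (illustration only).
func newRoot(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "toy-fulcio-root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue is step 2: the caller has already proven an OIDC identity (the real server validates an ID token;
// here email and issuer are passed in), so bind it to the caller's ephemeral key for only ten minutes.
func issue(root *x509.Certificate, rootKey *ecdsa.PrivateKey, email, issuer string, pub *ecdsa.PublicKey, now time.Time) (*x509.Certificate, error) {
	issuerDER, err := asn1.MarshalWithParams(issuer, "utf8") // extension value is a DER UTF8String
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // toy value; a production CA uses random serials
		NotBefore: now, NotAfter: now.Add(10 * time.Minute),
		EmailAddresses: []string{email}, // the subject DN stays empty, as in Fulcio certificates
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuerV2, Value: issuerDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, pub, rootKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// verify is step 5. The chain is checked as of signedAt (the time recorded with the Rekor entry), because a
// ten-minute certificate is expired by verification time; then signer email, OIDC issuer and signature are checked.
func verify(root, leaf *x509.Certificate, artifact, sig []byte, wantEmail, wantIssuer string, signedAt time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: signedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if len(leaf.EmailAddresses) != 1 || leaf.EmailAddresses[0] != wantEmail { return errors.New("signer identity does not match expected email") }
	var issuer string
	for _, ext := range leaf.Extensions {
		if !ext.Id.Equal(oidIssuerV2) { continue }
		if _, err := asn1.Unmarshal(ext.Value, &issuer); err != nil { return fmt.Errorf("issuer extension: %w", err) }
	}
	if issuer != wantIssuer { return fmt.Errorf("OIDC issuer %q, expected %q", issuer, wantIssuer) }
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok { return errors.New("unexpected key type in certificate") }
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) { return errors.New("signature does not verify") }
	return nil
}

// scenario runs the workflow end to end with a constructed identity and artifact and returns the
// verification result for the happy path and for two cases a verifier must reject.
func scenario() (map[string]error, error) {
	now := time.Now()
	root, rootKey, err := newRoot(now)
	if err != nil { return nil, err }
	email, issuer := "dev@example.com", "https://accounts.google.com" // step 1: constructed identity
	ephemeral, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // key pair for this session only
	if err != nil { return nil, err }
	leaf, err := issue(root, rootKey, email, issuer, &ephemeral.PublicKey, now)
	if err != nil { return nil, err }
	artifact := []byte("constructed artifact bytes") // stands in for the file or image being signed
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, ephemeral, digest[:]) // step 3
	if err != nil { return nil, err }
	signedAt := now.Add(30 * time.Second) // step 4: the time Rekor would attach to the entry
	return map[string]error{
		"at signing time": verify(root, leaf, artifact, sig, email, issuer, signedAt),
		"an hour later":   verify(root, leaf, artifact, sig, email, issuer, now.Add(time.Hour)),
		"wrong identity":  verify(root, leaf, artifact, sig, "other@example.com", issuer, signedAt),
	}, nil
}

func main() {
	results, err := scenario()
	if err != nil { panic(err) }
	for name, verr := range results { fmt.Printf("%-16s %v\n", name+":", verr) }
}
```

Running it shows the happy path succeeding at the signing time, the same certificate failing an hour later with an expiry error, and the same chain failing when the verifier expects a different signer. The second case is the important one for Fulcio deployments: a verifier that passes the current time instead of the Rekor-recorded time will reject every legitimate signature older than ten minutes.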

CAVEATS

Requires an OIDC provider that Fulcio has been configured to trust. Certificates are short-lived by design, so a verifier must evaluate validity at the time of signing (as recorded in Rekor), not at the time of verification. Production deployments need proper CA key management (an HSM- or KMS-backed root) and a certificate transparency log. Fulcio is only one component of the larger Sigstore ecosystem and is normally driven by Sigstore client tools rather than called directly.

HISTORY

Fulcio is part of Sigstore, initiated by Google, Red Hat, and Purdue University in 2021 to make code signing accessible. Named after a Roman consul, it provides the CA component of the keyless signing infrastructure.
