Medium test article

February 3, 2026

FRSCA stitches together several CNCF/Sigstore ecosystem tools:

Component                 Role
Tekton                    Pipeline execution engine
Tekton Chains             Captures build metadata (provenance) and signs it
Sigstore (cosign/Rekor)   Keyless signing and transparency logging
SPIRE/SPIFFE              Workload identity for build environments

How Sigstore is Used by FRSCA

Sigstore is the cryptographic backbone of FRSCA: it provides keyless signing and transparency logging, so the build system never has to store, protect or rotate long-lived signing keys.

Sigstore Components in FRSCA

┌─────────────────────────────────────────────────────────────────┐
│                        FRSCA Pipeline                           │
│                                                                 │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐          │
│  │   Tekton    │───▶│   Tekton    │───▶│   Cosign    │          │
│  │  (builds)   │    │   Chains    │    │  (signs)    │          │
│  └─────────────┘    └─────────────┘    └─────────────┘          │
│                                               │                 │
└───────────────────────────────────────────────┼─────────────────┘
                                                │
                    ┌───────────────────────────┼───────────────┐
                    │         Sigstore          │               │
                    │                           ▼               │
                    │  ┌─────────┐    ┌─────────────────┐       │
                    │  │ Fulcio  │    │     Rekor       │       │
                    │  │  (CA)   │    │ (Transparency   │       │
                    │  └─────────┘    │      Log)       │       │
                    │       │         └─────────────────┘       │
                    │       ▼                                   │
                    │  Short-lived                              │
                    │  Certificate                              │
                    └───────────────────────────────────────────┘

Sigstore Components Explained

Component   Role in FRSCA
Fulcio      Certificate authority that issues short-lived certificates (about 10 minutes on the public instance) binding an OIDC identity to a freshly generated key
Rekor       Append-only, tamper-evident transparency log that records every signing event and returns a timestamped, signed entry
Cosign      CLI tool that signs container images and attestations with Fulcio-issued certificates and verifies them

The Keyless Signing Flow

  1. Build completes → Tekton Chains observes the finished TaskRun/PipelineRun and captures its build metadata as a provenance attestation
  2. Identity verification → the build workload authenticates to Fulcio with an OIDC token (in FRSCA, an identity issued by SPIRE)
  3. Certificate issuance → Fulcio issues a short-lived certificate (about 10 minutes) binding the workload identity to a freshly generated, ephemeral key pair
  4. Signing → Cosign signs the provenance attestation with the ephemeral key and attaches the certificate, so verifiers can recover both the public key and the identity
  5. Transparency logging → the signature and certificate are recorded in Rekor, which returns a signed entry carrying the time of inclusion
  6. Key discarded, certificate expires → nothing long-lived remains to steal or rotate; later verification checks that the Rekor inclusion time falls inside the certificate's validity window

Why Keyless Signing Matters

Traditional signing                          Sigstore keyless (FRSCA)
Long-lived keys stored somewhere             No persistent signing keys to steal
Key rotation is a manual burden              Automatic: certificates expire in minutes
Compromised key = all signatures suspect     Only signatures made inside a short window are suspect
Key management infrastructure needed         Identity-based (OIDC/SPIFFE)

Keyless signing does not remove trust, it relocates it: the OIDC issuer (here SPIRE), Fulcio and Rekor become the roots of trust, and an attacker who can run code as the build workload can still obtain a certificate and sign in its name. The transparency log is what makes such misuse detectable after the fact.

Verification Flow

When verifying an artifact signed by FRSCA:

  1. Check Rekor → confirm the signing event is in the transparency log and that its recorded (integrated) time falls inside the certificate's validity window
  2. Verify certificate → confirm it chains to the trusted Fulcio root and was valid at the time of signing, not at the time of verification (by then it has long expired)
  3. Validate identity → confirm the certificate's subject (SAN) and OIDC issuer match the expected build system; a valid signature from the wrong identity proves nothing
  4. Check provenance → verify the attestation content (source repository, builder, materials) against your policy

# Example: verify with cosign
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity <builder-identity> \
  --certificate-oidc-issuer <oidc-issuer> \
  <image>

Since cosign 2.0 the identity and issuer flags (or their -regexp variants) are mandatory for keyless verification: without an identity check, a valid signature from any workload able to obtain a Fulcio certificate would be accepted. Cosign performs steps 1 to 3 itself; step 4, evaluating the attestation's predicate against policy, is left to the caller.
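The six-step signing flow and the four-step verification flow above can be exercised end to end without network access. The Go program below is an added example written for this page, not FRSCA's or Sigstore's code: an in-memory self-signed CA stands in for Fulcio, a struct field stands in for the time Rekor records, and the builder identity and OIDC issuer URLs are made-up values. It does use the real OID of Fulcio's original raw-string OIDC issuer extension (1.3.6.1.4.1.57264.1.1) and performs the same checks cosign does, namely chain, identity, issuer and signature, with certificate validity evaluated at the logged signing time rather than at verification time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Assumed identity and issuer for this example; a real FRSCA deployment has its own.
const builderIdentity = "https://tekton.example.test/ns/frsca/sa/build-bot"
const oidcIssuer = "https://oidc.example.test"

// OID of Fulcio's original (raw string) OIDC issuer certificate extension.
var fulcioIssuerOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// Bundle is what a verifier receives; IntegratedTime stands in for Rekor's integratedTime.
type Bundle struct {
	Payload, Signature []byte
	Cert               *x509.Certificate
	IntegratedTime     time.Time
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA is an in-memory self-signed root standing in for the Fulcio CA (toy, not the real root).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "toy-fulcio"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// keylessSign models steps 2-5: generate an ephemeral key, have the CA bind the OIDC identity
// to it in a 10-minute certificate, sign, record the signing time. The private key never leaves this scope.
func keylessSign(ca *x509.Certificate, caKey *ecdsa.PrivateKey, identity, issuer string, payload []byte, now time.Time) *Bundle {
	eph := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		URIs:            []*url.URL{must(url.Parse(identity))}, // identity goes in the SAN, like Fulcio
		ExtraExtensions: []pkix.Extension{{Id: fulcioIssuerOID, Value: []byte(issuer)}},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &eph.PublicKey, caKey))
	digest := sha256.Sum256(payload)
	sig := must(ecdsa.SignASN1(rand.Reader, eph, digest[:]))
	return &Bundle{Payload: payload, Signature: sig, Cert: must(x509.ParseCertificate(der)), IntegratedTime: now}
}

// verifyKeyless models the verification flow. The certificate has expired by the time
// anyone verifies, so validity is checked at the logged signing time, not at "now".
func verifyKeyless(root *x509.Certificate, b *Bundle, wantIdentity, wantIssuer string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: b.IntegratedTime, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := b.Cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted or not valid at logged signing time: %w", err)
	}
	if len(b.Cert.URIs) != 1 || b.Cert.URIs[0].String() != wantIdentity {
		return errors.New("signer identity does not match the expected builder")
	}
	var issuer string
	for _, e := range b.Cert.Extensions {
		if e.Id.Equal(fulcioIssuerOID) {
			issuer = string(e.Value)
		}
	}
	if issuer != wantIssuer {
		return errors.New("OIDC issuer does not match")
	}
	if err := b.Cert.CheckSignature(x509.ECDSAWithSHA256, b.Payload, b.Signature); err != nil {
		return fmt.Errorf("signature does not verify over the payload: %w", err)
	}
	return nil
}

func main() {
	ca, caKey := newCA()
	b := keylessSign(ca, caKey, builderIdentity, oidcIssuer, []byte(`{"predicateType":"slsaprovenance"}`), time.Now())
	fmt.Println("genuine bundle:", verifyKeyless(ca, b, builderIdentity, oidcIssuer))
	late := *b // same signature, but claimed to have been logged after the certificate expired
	late.IntegratedTime = b.IntegratedTime.Add(11 * time.Minute)
	fmt.Println("logged after expiry:", verifyKeyless(ca, &late, builderIdentity, oidcIssuer))
}
```

The first line prints `<nil>`; the second prints the expiry error, which is the point of step 6: once the ten minutes are over, even the legitimate signer cannot produce a verifiable signature with that certificate, so a stolen ephemeral key is worthless. A real verifier additionally checks Rekor's inclusion proof and signed entry timestamp before trusting the logged time; this toy takes it from the bundle as given.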
