11 releases (5 breaking)
| Version | Date |
|---|---|
| 0.6.4 (new) | Mar 6, 2026 |
| 0.6.1 | Jan 26, 2026 |
| 0.6.0 | Dec 8, 2025 |
| 0.4.0 | Nov 28, 2025 |
#1554 in Cryptography
11,115 downloads per month
Used in 5 crates (via sigstore-sign)
195KB, 3.5K SLoC
sigstore-fulcio
Fulcio certificate authority client for sigstore-rust.
Overview
This crate provides a client for Fulcio, Sigstore's certificate authority. Fulcio issues short-lived code signing certificates based on OIDC identity tokens, enabling keyless signing where the signer's identity is bound to their OIDC identity rather than a long-lived private key.
Features
- Certificate signing requests: Generate and submit CSRs to Fulcio
- Certificate retrieval: Obtain signed certificates and certificate chains
- Proof of possession: Challenge-response for key ownership verification
- Detached SCTs: Support for Signed Certificate Timestamps
How It Works
1. Signer authenticates with an OIDC provider
2. Signer generates an ephemeral key pair
3. Signer submits a CSR with the OIDC token to Fulcio
4. Fulcio verifies the token and issues a short-lived certificate
5. Certificate embeds the OIDC identity (email, subject, issuer)
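Because the certificate embeds whatever identity the token carries, it is worth checking that identity before the request is made. The following is an added example, not code from sigstore-fulcio: it decodes the payload of an OIDC token, without verifying it, and compares issuer and signer with the expected values. The helper names, the sample token and the `issuer.example` values are constructed for this example, and the minimal claim reader assumes compact, flat JSON.

```rust
// Added example, not sigstore-fulcio code. Std-only; all names are hypothetical.
// SAMPLE is a constructed token (header.payload.signature) with a dummy signature.
const SAMPLE: &str = "eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJodHRwczovL2lzc3Vlci5leGFtcGxlIiwic3ViIjoiY2ktYm90IiwiZW1haWwiOiJkZXZAZXhhbXBsZS5jb20ifQ.c2ln";

#[derive(Debug, PartialEq)]
struct Identity { issuer: String, subject: String, email: Option<String> }

/// Decode unpadded base64url (RFC 4648 section 5), the encoding of JWT segments.
fn b64url_decode(s: &str) -> Option<Vec<u8>> {
    const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        // '=' padding and the standard-alphabet '+' and '/' are rejected.
        let v = ALPHABET.iter().position(|&b| b == c)? as u32;
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1;
        }
    }
    Some(out)
}

/// String claim from compact, flat JSON without escaped quotes (sample-only assumption).
fn claim(json: &str, key: &str) -> Option<String> {
    let pat = format!("\"{}\":\"", key);
    let rest = &json[json.find(&pat)? + pat.len()..];
    Some(rest[..rest.find('"')?].to_string())
}

/// Read a compact JWT's payload WITHOUT verifying it (Fulcio verifies the token).
fn identity_from_token(token: &str) -> Option<Identity> {
    let parts: Vec<&str> = token.split('.').collect();
    if parts.len() != 3 { return None; }
    let payload = String::from_utf8(b64url_decode(parts[1])?).ok()?;
    let (issuer, subject) = (claim(&payload, "iss")?, claim(&payload, "sub")?);
    Some(Identity { issuer, subject, email: claim(&payload, "email") })
}

/// Pre-flight policy: proceed only if issuer and signer (email or subject) match.
fn matches_expected(id: &Identity, issuer: &str, signer: &str) -> bool {
    id.issuer == issuer && (id.email.as_deref() == Some(signer) || id.subject == signer)
}

fn main() {
    let id = identity_from_token(SAMPLE).expect("malformed token");
    println!("{:?} expected={}", id, matches_expected(&id, "https://issuer.example", "dev@example.com"));
}
```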
Usage
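```rust
use sigstore_fulcio::FulcioClient;

// `public_key`, `oidc_token` and `proof_of_possession` are prepared by the caller
// (see "How It Works"); the call must run inside an async function returning a Result.
let client = FulcioClient::production();
let certificate = client
    .request_certificate(&public_key, &oidc_token, &proof_of_possession)
    .await?;
```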
Related Crates
Used by:
- sigstore-sign: Requests certificates during signing
License
BSD-3-Clause
Dependencies
~92MB, ~2M SLoC