Sigstore the Hard Way

Welcome to sigstore the hard way.

The driver for this project is to get potential users, developers or collaborators familiar with the inner workings of sigstore's infrastructure.

To best achieve a good familiarity with sigstore, we will walk through the whole process manually.

Building "by hand" provides a view of how each component project in sigstore glues together, while deliberately avoiding automation. This means no Dockerfiles or deployment framework playbooks. Everything is set up manually.

With 'sigstore the hard way' we will install, configure and run the following components to provide a 'keyless' signing infrastructure.

  1. Fulcio, the certificate authority that issues short-lived code-signing certificates bound to an OpenID Connect identity
  2. Rekor, signature transparency log and timestamping authority
  3. Certificate Transparency Log, which records every certificate Fulcio issues
  4. Dex, OpenID Connect provider
  5. Cosign, container (and more) signing and verifying tool

Requirements

This tutorial uses Google Cloud Platform (GCP) to provision the compute infrastructure required to bootstrap the sigstore infra from the ground up. Free credits are available on sign up. To keep costs down, shut down any instances when you're not using them, and once you have completed the tutorial, delete all the instances, networks etc.

You can of course use local machines if you have them, or any other provider such as AWS or Azure (pull requests welcome!).

The only other requirement is a domain name where you have the ability to create some subdomains. We need a domain for the OpenID Connect flow, as providers don't always accept redirect URLs that point to IP addresses. It's up to you which registrar you use; any provider will do. If you already have a domain, it makes sense to use that. We won't be messing with the root domain if you're already running something there, just creating subdomains (e.g. rekor.example.com, fulcio.example.com).

Certificate Authority

For the Certificate Authority that backs Fulcio we will have three options to choose from:

  • File CA
  • SoftHSM
  • Google Cloud Certificate Authority Service

If you just want to kick the tyres and don't need a secure CA, the File CA is the quickest to set up. It keeps the CA private key as a plain file on disk, so it is only suitable for a test environment.

Google's Certificate Authority Service is a paid service, but easy to set up. SoftHSM is completely free, but requires a little more setup (nothing too challenging).

Last of all we will sign a container image using cosign.

If you have not guessed from the name, this is based on, and comes with credit to, Kelsey Hightower's Kubernetes the Hard Way.


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Having issues, something not working?

Raise an issue (the best option, as others can learn from it) or message me on the sigstore Slack. I'm always happy to help.