A Bit of Ambiance comes to Sigstore

Photo by Matias T on Unsplash

About Workload Identity

Workload Identity is the pattern you use when receiving credentials from a metadata server on a virtual machine, or from a SPIRE socket mounted into your container. Instead of deploying a secret alongside your code (or god-forbid in it!), your code receives the credentials it needs from the environment. These have to come from somewhere — but the responsibility of storing, distributing, refreshing, and revoking secrets is now managed by the platform provider.

Benefits of Ambient Credentials and Workload Identity

There are many benefits of this approach, including:

Ambient Credentials in Project Sigstore!

Project Sigstore operates a free root Certificate Authority for code signing called Fulcio. Fulcio is designed to issue certificates completely automatically, which requires it to be able to verify identity across many different systems. The most common approach for federated identity is called OpenID Connect. The exact specification is complex, but you can think of it as this simple model:

  1. A person logs into their Identity Provider (think Google, or Facebook).
  2. The person requests an Identity Token from their provider.
  3. The person hands that token to the other system (called the Relying Party) they want to login to (think, Sigstore)!
  4. The relying party can verify this token, using data it knew about the Identity Provider ahead of time.

Using OIDC With Cosign

OIDC is not without its warts, but it is widely adopted! This means most cloud providers support issuing identity tokens directly. Open source projects like SPIFFE/SPIRE build on this to define ways to structure tokens and identifiers that are also widely understood. This means that in most environments, we hope you can just run cosign sign and get a certificate with no other configuration! This is possible today in a few places:

  • On Google: GCP VMs, GKE clusters with Workload Identity enabled, and Google Cloud Build. See usage docs here.
  • On GitHub: COMING SOON. You’ll be able to automatically authenticate directly from GitHub Actions, using their new OIDC support!
  • SPIFFE/SPIRE: SPIFFE SVIDs are also directly supported by Sigstore. Add your federation endpoint for use.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store