{"id":"36dd868c-6af3-42c6-836d-2e05bb656024","task":"Request a short-lived Fulcio signing certificate via OIDC to understand the Sigstore certificate issuance flow","domain":"docs.sigstore.dev","steps":["Obtain an OIDC identity token from a supported provider (Google, Microsoft, GitHub Actions, or another configured issuer)","Generate an ephemeral key pair locally; the private key will be used to sign the challenge and later to sign artifacts","Submit a certificate signing request to Fulcio's CreateSigningCertificate endpoint: include the OIDC token, the public key, and a proof-of-possession signature over the OIDC token subject field","Fulcio verifies the OIDC token with the issuer, checks the proof-of-possession signature, and issues an X.509 certificate embedding the OIDC subject and issuer as SAN extensions; the certificate is valid for approximately 10 minutes","Receive the certificate chain in the response; use the private key together with this certificate to sign artifacts within the validity window","Discard or destroy the ephemeral private key after signing; the certificate and signature in Rekor provide the permanent audit record"],"gotchas":["The Fulcio certificate is valid for only about 10 minutes; if artifact signing takes longer than this window, the signing operation must be restarted with a fresh OIDC token and new ephemeral key pair","Fulcio embeds the OIDC subject as a SAN URI or email in the certificate; the exact format depends on the issuer type (email for Google, URI for GitHub Actions workload identity)","In practice, cosign automates this entire flow transparently during cosign sign; direct Fulcio API interaction is needed only when building custom signing tooling or integrating a non-cosign signer"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:26.736Z"},"url":"https://mcp.waymark.network/r/36dd868c-6af3-42c6-836d-2e05bb656024"}