Fake Sigstore instance

This is a fake, UNTRUSTED instance of Sigstore, run and used by Oxide Computer Company.

This instance runs the software powering the official Fulcio CA, with a custom configuration to trust justtrustme, an OpenID Connect identity provider issuing arbitrary identity tokens to anyone. Sigstore's official timestamp server is used to provide timestamps, and no transparency log is provided.

Clients can request a JWT with any claims from it, without authentication, and use it to obtain the certificates and signatures their tests need. It is meant to be used as part of a test suite that checks whether code under test accepts attestations carrying arbitrary claims, i.e. whether it pins the identity and issuer it expects rather than trusting whatever the certificate says.

This is NOT SUPPORTED for any use outside Oxide. It might change, break or disappear without notice. This instance relies on ephemeral keys that change whenever it is restarted, so a trusted root or root certificate downloaded before a restart, and any signature produced before it, will no longer verify.

Configuration bundles

These configuration bundles point any Sigstore client that implements the 0.3 bundle format at this server: the trusted-root.json and signing-config.json files used by the cosign 3.x commands below.

Services hosted

Cosign 3.x command reference

Signing a blob:
Note that the URL to retrieve the JWT is full of placeholders, which will show up in the certificate. All the JWT fields are required: replace the placeholders in the ones you care about.

jwt="$(curl -fs 'https://fake-sigstore.emily.oxeng.dev/jtm/token?aud=sigstore&sub=placeholder&job_workflow_ref=placeholder&event_name=placeholder&sha=placeholder&workflow=placeholder&repository=placeholder&ref=placeholder&job_workflow_sha=placeholder&runner_environment=placeholder&repository_id=placeholder&repository_owner=placeholder&repository_owner_id=placeholder&workflow_ref=placeholder&workflow_sha=placeholder&run_id=placeholder&run_attempt=placeholder&repository_visibility=placeholder' | jq -r .token)"
cosign sign-blob \
    --trusted-root=trusted-root.json \
    --signing-config=signing-config.json \
    --identity-token="$jwt" \
    --bundle file-to-sign.sigstore.json \
    file-to-sign

Verifying a blob:
The placeholder in the certificate identity is the placeholder for sub: a token requested with sub=foo yields a certificate whose identity is https://github.com/foo.

# This instance has neither a certificate transparency log nor a transparency log,
# so both checks must be skipped; identity and issuer are still checked strictly.
cosign verify-blob \
    --trusted-root=trusted-root.json \
    --insecure-ignore-sct=true \
    --insecure-ignore-tlog=true \
    --certificate-identity='https://github.com/placeholder' \
    --certificate-oidc-issuer='https://fake-sigstore.emily.oxeng.dev/jtm' \
    --bundle=file-to-verify.sigstore.json \
    file-to-verify
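The sign-then-verify procedure above, driven from a test suite, as an added example that is not Oxide's code: it builds the token request with every required field present, decodes the returned JWT to confirm the claims it asked for, signs with cosign 3.x, and then checks that the bundle verifies only for the identity and issuer it was signed under. Assumptions beyond the page: the token endpoint accepts percent-encoded query values, cosign 3.x is on PATH with trusted-root.json and signing-config.json in the working directory, and (per the note on the verification command) a sub of foo becomes the identity https://github.com/foo. The subject and repository names are constructed.

```python
"""Driving the fake Sigstore instance from a test suite (added example, not Oxide's code).

Assumptions beyond the page: the token endpoint accepts percent-encoded query values,
cosign 3.x is on PATH with trusted-root.json and signing-config.json in the working
directory, and a sub of "foo" becomes the identity https://github.com/foo.
"""
import base64
import json
import subprocess
import tempfile
import urllib.parse
import urllib.request

JTM = "https://fake-sigstore.emily.oxeng.dev/jtm"  # issuer and token endpoint (from the page)

# Every claim the token endpoint requires, in the order of the page's curl URL.
REQUIRED_CLAIMS = (
    "sub", "job_workflow_ref", "event_name", "sha", "workflow", "repository", "ref",
    "job_workflow_sha", "runner_environment", "repository_id", "repository_owner",
    "repository_owner_id", "workflow_ref", "workflow_sha", "run_id", "run_attempt",
    "repository_visibility",
)


def token_params(**claims):
    """Query parameters for one token request: every required claim is present and
    anything not overridden keeps the literal "placeholder" as on the page.
    Unknown names raise so a typo cannot silently turn into a missing claim."""
    unknown = sorted(set(claims) - set(REQUIRED_CLAIMS))
    if unknown:
        raise ValueError(f"not a claim the endpoint takes: {unknown}")
    return [("aud", "sigstore")] + [(c, claims.get(c, "placeholder")) for c in REQUIRED_CLAIMS]


def token_url(**claims):
    """Full request URL; values are percent-encoded (assumed to be accepted)."""
    return f"{JTM}/token?{urllib.parse.urlencode(token_params(**claims))}"


def fetch_token(**claims):
    """Ask justtrustme for a JWT. No credential is sent: anyone gets any claims."""
    with urllib.request.urlopen(token_url(**claims), timeout=30) as resp:
        return json.load(resp)["token"]


def jwt_claims(token):
    """Payload of a JWT decoded WITHOUT checking its signature. Acceptable only because
    the token is attacker-controlled by design and we just want to see which claims
    Fulcio will put in the certificate; never read a token you intend to trust this way."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def certificate_identity(sub):
    """Identity the certificate carries for a given sub (assumption from the page's note)."""
    return f"https://github.com/{sub}"


def verify_blob_argv(bundle, artifact, identity, issuer=JTM, trusted_root="trusted-root.json"):
    """The page's cosign 3.x verify-blob command. SCT and transparency-log checks are
    skipped because the instance publishes to neither; everything else stays strict."""
    return ["cosign", "verify-blob", f"--trusted-root={trusted_root}",
            "--insecure-ignore-sct=true", "--insecure-ignore-tlog=true",
            f"--certificate-identity={identity}", f"--certificate-oidc-issuer={issuer}",
            f"--bundle={bundle}", artifact]


def sign_blob(token, artifact, bundle, trusted_root="trusted-root.json",
              signing_config="signing-config.json"):
    """The page's cosign 3.x sign-blob command; raises if cosign fails."""
    subprocess.run(["cosign", "sign-blob", f"--trusted-root={trusted_root}",
                    f"--signing-config={signing_config}", f"--identity-token={token}",
                    "--bundle", bundle, artifact], check=True, capture_output=True)


def verifies(bundle, artifact, identity, **kw):
    """True if cosign accepts the bundle for that identity and issuer, False if not."""
    return subprocess.run(verify_blob_argv(bundle, artifact, identity, **kw),
                          capture_output=True).returncode == 0


def claim_check_test(artifact, bundle):
    """The test the page is built for: a bundle whose certificate carries attacker-chosen
    claims must verify for exactly those claims and for nothing else."""
    sub = "attacker/repo/.github/workflows/release.yml@refs/heads/main"  # constructed
    token = fetch_token(sub=sub, repository="attacker/repo", ref="refs/heads/main")
    assert jwt_claims(token)["sub"] == sub, "provider did not echo our claims"
    sign_blob(token, artifact, bundle)
    identity = certificate_identity(sub)
    assert verifies(bundle, artifact, identity), "honest case must pass"
    # Pinning the identity alone is not enough: the same identity under another issuer,
    # and another identity under this issuer, must both be rejected.
    assert not verifies(bundle, artifact, identity,
                        issuer="https://token.actions.githubusercontent.com")
    assert not verifies(bundle, artifact, certificate_identity("honest/repo/.github/workflows/release.yml@refs/heads/main"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        artifact = f"{d}/file-to-sign"
        with open(artifact, "wb") as f:
            f.write(b"constructed test artifact\n")  # constructed sample input
        claim_check_test(artifact, f"{artifact}.sigstore.json")
        print("verifier accepts only the signed-for identity and issuer")
```

Run it from a directory holding the two configuration bundles; claim_check_test raises on the first expectation that does not hold, which is what you want from a suite whose purpose is to catch a verifier that accepts claims it should not.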

Cosign 2.x command reference

Signing a blob:
Note that the URL to retrieve the JWT is the same one used for cosign 3.x and is full of placeholders, which will show up in the certificate. All the JWT fields are required: replace the placeholders in the ones you care about.

# Same token request as for cosign 3.x; it sets the jwt variable used below.
jwt="$(curl -fs 'https://fake-sigstore.emily.oxeng.dev/jtm/token?aud=sigstore&sub=placeholder&job_workflow_ref=placeholder&event_name=placeholder&sha=placeholder&workflow=placeholder&repository=placeholder&ref=placeholder&job_workflow_sha=placeholder&runner_environment=placeholder&repository_id=placeholder&repository_owner=placeholder&repository_owner_id=placeholder&workflow_ref=placeholder&workflow_sha=placeholder&run_id=placeholder&run_attempt=placeholder&repository_visibility=placeholder' | jq -r .token)"
# --insecure-skip-verify skips the SCT check, which cannot succeed because the instance
# has no certificate transparency log. cosign 2.x still records the signature in the
# public Rekor log by default (--tlog-upload=true).
cosign sign-blob \
    --fulcio-url=https://fake-sigstore.emily.oxeng.dev/fulcio \
    --identity-token="$jwt" \
    --insecure-skip-verify=true \
    --bundle cosign-bundle.json \
    file-to-sign

Verifying a blob:
Note that the first two commands are only required once per shell. The placeholder in the certificate identity is the placeholder for sub.

# cosign 2.x takes the Fulcio root to trust from SIGSTORE_ROOT_FILE. Re-run these two
# lines after the instance restarts: its keys are ephemeral and the old root stops working.
export SIGSTORE_ROOT_FILE="$(mktemp)"
curl -fs https://fake-sigstore.emily.oxeng.dev/fulcio/api/v1/rootCert > "$SIGSTORE_ROOT_FILE"
cosign verify-blob \
    --bundle=cosign-bundle.json \
    --certificate-identity='https://github.com/placeholder' \
    --certificate-oidc-issuer='https://fake-sigstore.emily.oxeng.dev/jtm' \
    --insecure-ignore-sct=true \
    file-to-verify