This site contains a fake Sigstore instance Oxide Computer Company uses for tests.
This is NOT SUPPORTED for any use other than Oxide use. The instance might change, break or disappear without notice.
This instance relies on ephemeral keys that will change whenever it is restarted.
Signing a blob:
Note that the URL to retrieve the JWT is full of placeholders, which will show up in the certificate. All the JWT fields are required: replace the placeholders in the ones you care about.
    jwt="$(curl -fs 'https://fake-sigstore.emily.oxeng.dev/jtm/token?aud=sigstore&sub=placeholder&job_workflow_ref=placeholder&event_name=placeholder&sha=placeholder&workflow=placeholder&repository=placeholder&ref=placeholder&job_workflow_sha=placeholder&runner_environment=placeholder&repository_id=placeholder&repository_owner=placeholder&repository_owner_id=placeholder&workflow_ref=placeholder&workflow_sha=placeholder&run_id=placeholder&run_attempt=placeholder&repository_visibility=placeholder' | jq -r .token)"
    cosign sign-blob \
        --fulcio-url=http://fake-sigstore.emily.oxeng.dev/fulcio \
        --identity-token="$jwt" \
        --insecure-skip-verify=true \
        --bundle cosign-bundle.json \
        file-to-sign
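An added example, not part of the original page or Oxide's tooling: a POSIX shell helper that builds the token URL above with every required field present, so a test overrides only the claims it checks and the rest stay as placeholder. The function names are hypothetical; the base URL and field list are copied from the curl command above.

```shell
#!/bin/sh
# Added example: base URL and field list copied from the curl command on this
# page; the function names (urlencode, jtm_token_url) are hypothetical.
JTM_BASE='https://fake-sigstore.emily.oxeng.dev/jtm/token'
JTM_FIELDS='sub job_workflow_ref event_name sha workflow repository ref job_workflow_sha runner_environment repository_id repository_owner repository_owner_id workflow_ref workflow_sha run_id run_attempt repository_visibility'

# Percent-encode every byte outside the RFC 3986 unreserved set, so a claim
# value containing '&' or '=' cannot inject or override another query field.
urlencode() (
  LC_ALL=C; s=$1; out=
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}; s=$rest
    case $c in
      [a-zA-Z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# jtm_token_url [field=value ...]
# Fields not named on the command line stay "placeholder". Unknown or
# malformed field names are rejected so a typo is not silently ignored.
jtm_token_url() (
  url="$JTM_BASE?aud=sigstore"
  for arg in "$@"; do
    name=${arg%%=*}
    case $arg in
      *=*) ;;
      *) echo "expected field=value: $arg" >&2; exit 2 ;;
    esac
    case $name in
      ''|*[!a-z_]*) echo "bad field name: $name" >&2; exit 2 ;;
    esac
    case " $JTM_FIELDS " in
      *" $name "*) ;;
      *) echo "unknown field: $name" >&2; exit 2 ;;
    esac
  done
  for f in $JTM_FIELDS; do
    v=placeholder
    for arg in "$@"; do
      if [ "${arg%%=*}" = "$f" ]; then v=${arg#*=}; fi
    done
    url="$url&$f=$(urlencode "$v")"
  done
  printf '%s\n' "$url"
)
```

With the helper sourced, the token fetch becomes `jwt="$(curl -fs "$(jtm_token_url sub=my-test-identity)" | jq -r .token)"`, where `my-test-identity` is a constructed sample value.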
Verifying a blob:
Note that the first two commands are only required once per shell. The placeholder in the certificate identity is the placeholder for sub.
    export SIGSTORE_ROOT_FILE=$(mktemp)
    curl -fs https://fake-sigstore.emily.oxeng.dev/fulcio/api/v1/rootCert > "$SIGSTORE_ROOT_FILE"
    cosign verify-blob \
        --bundle=cosign-bundle.json \
        --certificate-identity='https://github.com/placeholder' \
        --certificate-oidc-issuer='https://fake-sigstore.emily.oxeng.dev/jtm' \
        --insecure-ignore-sct=true \
        file-to-verify