dpndncY

Sigstore-keyless signing

When a workload has an OIDC identity (GitHub Actions, GitLab CI), dpndncY can sign decisions keyless via Sigstore instead of with a long-lived keypair: Fulcio issues a short-lived certificate that binds the workload's OIDC identity to an ephemeral signing key, and the signing event is recorded in the Rekor transparency log. You get public verifiability with no key to manage or rotate; the trust anchor moves from a secret you store to the identity your CI provider asserts for the job.

How it works

Instead of signing with your stored private key, the platform generates an ephemeral keypair, presents the workload's OIDC token to Fulcio, and receives a short-lived certificate that binds that identity (the issuer plus the workflow or job identity it asserts) to the ephemeral public key. It signs the DSSE envelope with the ephemeral key, records the signature and certificate in Rekor, and discards the private key. The certificate expires in minutes; the transparency-log entry is permanent, and its signed timestamp is what later proves the signature was produced while the certificate was still valid.

When to use it

  • Public / cross-org verifiability — third parties can verify against the public transparency log and the Fulcio root without obtaining or trusting a public key from you.
  • No key management — nothing long-lived to store, rotate, or leak; the only secret involved is the CI provider's OIDC token, which lives for the duration of the job.

When not to use it

Not for air-gapped or fully-private workloads
Keyless signing requires reaching Fulcio and Rekor, so it is unavailable in air-gapped environments, and it publishes a transparency-log entry that permanently exposes the signing identity (for example the repository and workflow) together with a hash of what was signed. For air-gapped or regulated workloads that must keep all evidence internal, use the local keypair (the default) and verify offline with dpndncy-verify.

Requirements

  • An OIDC issuer that the Fulcio instance you use trusts. The public Sigstore Fulcio trusts GitHub Actions and GitLab CI, which issue a token to each job automatically; on GitHub Actions the job must be granted the id-token: write permission, and on GitLab CI the job declares an id_tokens entry.
  • Network access to the Sigstore Fulcio and Rekor endpoints, either the public instances or your own deployment.

Verification

Keyless attestations verify with cosign, or with dpndncy-verify --transparency-log, which checks the Rekor inclusion proof in addition to the signature. Whichever tool you use, a keyless verification must establish three things: that the certificate chains to the trusted Fulcio root, that the certificate's identity (its SAN) and OIDC issuer are the workload you expect rather than merely any identity Fulcio would certify (cosign requires this explicitly via --certificate-identity and --certificate-oidc-issuer), and that the Rekor entry's signed timestamp falls inside the certificate's validity window, since the certificate itself will have expired long before anyone verifies.
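The sign-then-verify flow described under How it works, and the three checks listed above, as an added Go example that is not dpndncY's, cosign's or Sigstore's code. It stands in a throwaway CA for Fulcio, a field on the bundle for Rekor's signed integration time, and a constructed GitHub Actions workflow identity; the issuer URL and the Fulcio issuer-extension OID are the real ones. It does not fetch or check a Rekor inclusion proof, which dpndncy-verify --transparency-log and cosign do on top of these checks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Fulcio records the signer's OIDC issuer in this extension (v1 form: raw UTF-8 issuer URL).
var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// Bundle is what the signer hands the verifier: DSSE payload and signature, short-lived leaf, Rekor time.
type Bundle struct {
	PayloadType        string
	Payload, Signature []byte
	Leaf               *x509.Certificate
	IntegratedTime     time.Time // stand-in for Rekor's signed entry timestamp
}

// pae is the DSSE v1 pre-authentication encoding; it, not the raw payload, is what gets signed.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// must keeps the signer-side setup short: a failure there is a broken environment, not a verdict.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA creates a throwaway root that plays the part of the Fulcio CA (constructed, not Sigstore's).
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-fulcio-root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))), key
}

// signKeyless is the signer side: ephemeral key, ten-minute cert binding identity (SAN) and issuer, DSSE PAE signature.
func signKeyless(ca *x509.Certificate, caKey *ecdsa.PrivateKey, identity, issuer, payloadType string, payload []byte, now time.Time) *Bundle {
	eph := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		URIs:            []*url.URL{must(url.Parse(identity))},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: []byte(issuer)}},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &eph.PublicKey, caKey))))
	digest := sha256.Sum256(pae(payloadType, payload))
	sig := must(ecdsa.SignASN1(rand.Reader, eph, digest[:]))
	// Only the certificate, the signature and the Rekor integration time outlive the ephemeral key.
	return &Bundle{payloadType, payload, sig, leaf, now.Add(2 * time.Second)}
}

// verifyKeyless is the verifier side. Order matters: establish who signed before trusting what was signed.
func verifyKeyless(b *Bundle, roots *x509.CertPool, wantIdentity, wantIssuer string) error {
	// 1. Chain to the trusted root as of the Rekor integration time, not the wall clock: the leaf has long
	//    expired; the log entry proves the signature predates that. Fulcio leaves carry the CodeSigning EKU,
	//    so Go's default ServerAuth requirement must be overridden or Verify fails on every keyless cert.
	if _, err := b.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: b.IntegratedTime,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	// 2. Pin the identity: a valid Fulcio cert only proves someone authenticated to some trusted issuer.
	if len(b.Leaf.URIs) != 1 || b.Leaf.URIs[0].String() != wantIdentity {
		return fmt.Errorf("certificate SAN %v is not the expected identity", b.Leaf.URIs)
	}
	var gotIssuer string
	for _, ext := range b.Leaf.Extensions {
		if ext.Id.Equal(oidIssuer) {
			gotIssuer = string(ext.Value)
		}
	}
	if gotIssuer != wantIssuer {
		return fmt.Errorf("OIDC issuer %q, expected %q", gotIssuer, wantIssuer)
	}
	// 3. Only now check the signature over the DSSE PAE with the certified public key.
	pub, _ := b.Leaf.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(pae(b.PayloadType, b.Payload))
	if pub == nil || !ecdsa.VerifyASN1(pub, digest[:], b.Signature) {
		return fmt.Errorf("DSSE signature does not verify under the certified key")
	}
	return nil
}
```

Call newCA, then signKeyless with the constructed identity https://github.com/example-org/example-repo/.github/workflows/release.yml@refs/heads/main and the issuer https://token.actions.githubusercontent.com, then verifyKeyless with the identity and issuer you expect. A bundle whose IntegratedTime is moved past the leaf's NotAfter is rejected even though the signature is mathematically valid, as is one checked against a different workflow identity or issuer, a payload that has changed since signing, or a root other than the one that issued the leaf. The third check deliberately runs last: a signature that verifies under an unpinned certificate proves nothing about who signed.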

See also