Sigstore-keyless signing
When a workload has an OIDC identity (GitHub Actions, GitLab CI), dpndncy can sign decisions keyless via Sigstore: a short-lived certificate from Fulcio, with the signature logged to the Rekor transparency log, instead of a long-lived keypair. You get public verifiability with no key to manage or rotate.
How it works
Instead of signing with your stored private key, the platform generates an ephemeral keypair, presents the workload's OIDC token to Fulcio, and receives a short-lived certificate that binds the workload's OIDC identity (subject and issuer) to the ephemeral public key. It signs the DSSE envelope with the ephemeral key, records the signature and certificate in Rekor, and discards the private key. The certificate expires in minutes; the transparency-log entry is permanent, and its integration timestamp is what lets a verifier later confirm the certificate was valid at signing time even though it has since expired.
When to use it
- Public / cross-org verifiability — third parties can verify against a public transparency log without your key infrastructure.
- No key management — nothing long-lived to store, rotate, or leak.
When not to use it
- The workload has no OIDC identity the platform trusts (a developer laptop, a runner with no issuer): sign with a stored key instead.
- Signers or verifiers cannot reach Fulcio and Rekor and you do not run your own Sigstore deployment.
- The signing identity must not be publicly recorded: the Rekor entry is permanent and publicly readable.
Requirements
- An OIDC issuer the platform trusts (GitHub Actions and GitLab CI provide one automatically).
- Network access to the Sigstore Fulcio + Rekor endpoints (public or your own deployment).
Verification
Keyless attestations verify with cosign, or with dpndncy-verify --transparency-log, which checks the Rekor inclusion proof in addition to the signature. In either case the verifier must pin the expected signer identity and OIDC issuer: a signature from some valid Fulcio certificate proves nothing on its own, since anyone with an OIDC identity can obtain one. With cosign that is the --certificate-identity and --certificate-oidc-issuer flags, which cosign 2.x requires for keyless verification.
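The signing flow under How it works and the verification checks above, as an added example in Go that is not part of dpndncy or Sigstore's own code. It is self-contained and offline: the Fulcio-issued certificate is replaced by a self-signed one carrying the same shape of identity binding (SAN URI plus the Fulcio issuer extension OID 1.3.6.1.4.1.57264.1.1), the Rekor entry is reduced to its integration timestamp, and the workflow identity, issuer URL and payload are constructed sample values. A real verifier additionally chains the certificate to Fulcio's roots and checks the Rekor inclusion proof before trusting that timestamp. What the example shows is the three checks that matter in the right order: validity at integration time rather than wall clock, identity and issuer against policy, and only then the signature over the DSSE pre-authentication encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Fulcio records the OIDC issuer of the token it saw in this extension
// (1.3.6.1.4.1.57264.1.1, raw string value). Used here on a self-signed
// stand-in certificate (assumption); a real verifier also chains to Fulcio's roots.
var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// DSSE payload type used by in-toto attestations.
const payloadType = "application/vnd.in-toto+json"

// Policy is what the verifier insists on. A valid signature from *some*
// Fulcio certificate proves nothing; the identity and issuer must match.
type Policy struct {
	Identity string // expected SAN URI (e.g. a GitHub Actions workflow identity)
	Issuer   string // expected OIDC issuer URL
}

// pae builds the DSSE pre-authentication encoding: this is what gets signed.
func pae(payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// SignKeyless mimics the keyless flow: an ephemeral P-256 key, a ten-minute
// certificate binding the OIDC identity to it, one signature, and then the
// private key goes out of scope. Self-signed stands in for Fulcio (assumption).
func SignKeyless(identity, issuer string, now time.Time, payload []byte) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	id, err := url.Parse(identity)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "keyless-demo"},
		NotBefore:       now,
		NotAfter:        now.Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		URIs:            []*url.URL{id},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(pae(payload))
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	return cert, sig, err // key is dropped here: nothing long-lived remains
}

// VerifyKeyless checks a keyless DSSE signature: certificate validity at the
// Rekor integration time (it is long expired by the time anyone verifies),
// identity and issuer against policy, then the signature. integratedTime is
// assumed to come from a Rekor entry whose inclusion proof was already checked.
func VerifyKeyless(cert *x509.Certificate, payload, sig []byte, integratedTime time.Time, pol Policy) error {
	if integratedTime.Before(cert.NotBefore) || integratedTime.After(cert.NotAfter) {
		return errors.New("certificate was not valid at log integration time")
	}
	identityOK := false
	for _, u := range cert.URIs {
		identityOK = identityOK || u.String() == pol.Identity
	}
	if !identityOK {
		return errors.New("certificate identity does not match policy")
	}
	issuer := ""
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidIssuer) {
			issuer = string(e.Value)
		}
	}
	if issuer != pol.Issuer {
		return errors.New("OIDC issuer does not match policy")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type in certificate")
	}
	h := sha256.Sum256(pae(payload))
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify over the DSSE PAE")
	}
	return nil
}

func main() {
	// Constructed sample values: a workflow identity, the GitHub Actions issuer, a payload.
	pol := Policy{
		Identity: "https://github.com/acme/app/.github/workflows/release.yml@refs/heads/main",
		Issuer:   "https://token.actions.githubusercontent.com",
	}
	payload := []byte(`{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://example.com/decision/v1"}`)
	signedAt := time.Now().Add(-2 * time.Hour) // signed two hours ago: the cert is long expired
	cert, sig, err := SignKeyless(pol.Identity, pol.Issuer, signedAt, payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("at integration time:", VerifyKeyless(cert, payload, sig, signedAt.Add(time.Minute), pol))
	fmt.Println("at wall clock:      ", VerifyKeyless(cert, payload, sig, time.Now(), pol))
}
```

The order of checks is deliberate: verifying the signature first and the identity afterwards is the bug that lets any Fulcio-issued certificate pass, and checking validity against the wall clock instead of the log's integration time rejects every legitimate keyless attestation older than a few minutes.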