# Planning Keyless Signing for Verdicts

> **Status:** PLANNED — Implementation sprints created
> **Date:** 2025-12-25
> **Updated:** 2025-12-26
> **Related:** Extends `25-Dec-2025 - Building a Deterministic Verdict Engine.md`

---

## Implementation Sprints

This advisory has been decomposed into the following implementation sprints:

| Sprint | Module | Topic | Priority |
|--------|--------|-------|----------|
| [`SPRINT_20251226_001_SIGNER_fulcio_keyless_client.md`](../implplan/SPRINT_20251226_001_SIGNER_fulcio_keyless_client.md) | Signer | Fulcio keyless signing client | P0 |
| [`SPRINT_20251226_002_ATTESTOR_bundle_rotation.md`](../implplan/SPRINT_20251226_002_ATTESTOR_bundle_rotation.md) | Attestor | Monthly bundle rotation | P1 |
| [`SPRINT_20251226_003_ATTESTOR_offline_verification.md`](../implplan/SPRINT_20251226_003_ATTESTOR_offline_verification.md) | Attestor | Offline/air-gap verification | P2 |
| [`SPRINT_20251226_004_BE_cicd_signing_templates.md`](../implplan/SPRINT_20251226_004_BE_cicd_signing_templates.md) | Backend | CI/CD integration templates | P2 |

**Total Tasks:** 98 across 4 sprints

---

## Documentation Created

- [`docs/modules/signer/guides/keyless-signing.md`](../modules/signer/guides/keyless-signing.md) — Keyless signing guide
- [`src/Signer/AGENTS.md`](../../src/Signer/AGENTS.md) — Signer module charter

---

## Advisory Content

Here's a practical, low-friction way to modernize how you sign and verify build "verdicts" in CI/CD using Sigstore: no long-lived keys, offline-friendly, and easy to audit.

---

### 1) Use **keyless** signing in CI

* In your pipeline, obtain an OIDC token from the CI runner and present it to **Fulcio**, which issues a short-lived X.509 code-signing certificate (10-minute validity) binding the token's identity and issuer to a freshly generated key pair. You sign with that ephemeral key and discard it when the job ends; the certificate and signature are recorded in the **Rekor** transparency log, and the log entry's integrated time later serves as the trusted signing time. ([Sigstore Blog][1])

**Why:** no key escrow in CI, nothing persistent to steal, and every signature is time-bound and transparency-logged.
---

### 2) Keep one **hardware-backed org key** only for special cases

* Reserve a physical HSM/YubiKey (or KMS) key for: a) re-signing monthly bundles (see §4), and b) offline/air-gapped verification workflows that need an organization-controlled trust anchor. The org key does not replace the Sigstore trust root: an offline verifier still needs the mirrored Fulcio CA chain and Rekor public key to validate the bundled certificates and inclusion proofs. Cosign supports disconnected/offline verification patterns and mirroring the proof data. ([Sigstore][2])

---

### 3) Make "verdicts" first-class OCI attestations

* Emit DSSE attestations (SBOM deltas, reachability graphs, policy results) as OCI-attached artifacts and sign them keyless in CI. `cosign attest --predicate <file> --type <predicate-type>` wraps the predicate in an in-toto Statement inside a DSSE envelope and pushes it alongside the image; cosign is designed to sign and verify arbitrary OCI artifacts, not only images. ([Artifact Hub][3])

---

### 4) Publish a **rotation & refresh policy**

* Every month, collect the attestations produced since the last run and **re-sign them into a long-lived "bundle"** (plus timestamps) with the org key. A Sigstore bundle already carries what a verifier needs years later: the leaf certificate chain, the Rekor inclusion proof with its integrated time, and any RFC 3161 timestamps. Verification therefore never depends on the 10-minute certificate being valid *now*, and the org-key countersignature adds an organization-controlled anchor over the whole monthly set. ([Trustification][4])
* Caveat: archive the Sigstore trust root that was current at signing time (Fulcio CA chain, Rekor public key, TSA certificate) next to each bundle. Those keys rotate, and a bundle is only as verifiable as the trust root it chains to.

**Suggested SLOs**

* CI keyless cert TTL: 10 minutes (Fulcio default). ([Sigstore][5])
* Bundle cadence: monthly (or per release); retain N=24 months.

---

### 5) Offline / air-gapped verification

* Mirror the image + attestation + Rekor proof (or bundle) into the disconnected registry, together with the trust root. Verify from the mirrored materials with no internet access: `cosign verify --offline ...` for images, `cosign verify-blob --bundle <file> ...` for standalone bundles. (Multiple guides show fully disconnected OpenShift/air-gapped flows.) ([Red Hat Developer][6])

---

### 6) Address common concerns ("myths")

* "Short-lived certs will break verification later." → They don't. The verifier checks that the certificate was valid *at signing time*, using the Rekor integrated time (or an RFC 3161 timestamp) as trusted time rather than the wall clock at verification time, and the bundle supplies everything needed to do that offline. ([Trustification][4])
* "Keyless means less security." → The opposite: no static secrets in CI; certs expire in ~10 minutes; identity bound via OIDC and logged.
([Chainguard][7])

---

### Minimal rollout checklist

* [ ] Enable OIDC on your CI runners; test `cosign sign --identity-token ...` (and `cosign attest --predicate ... --type ...` for verdicts).
* [ ] Enforce identity/issuer in policy: `--certificate-identity` (or `--certificate-identity-regexp`) + `--certificate-oidc-issuer` at verify time. Cosign 2.x refuses keyless verification without them; an over-broad regexp reopens the hole, so match the exact workflow identity. ([Sigstore][2])
* [ ] Set up a monthly job to build **Sigstore bundles** from past attestations and re-sign them with the org key. ([Trustification][4])
* [ ] For offline sites: mirror images + attestations + bundles + the trust root; verify with `cosign verify --offline` entirely offline. ([Red Hat Developer][6])

[1]: https://blog.sigstore.dev/trusted-time/ "Trusted Time in Sigstore"
[2]: https://docs.sigstore.dev/cosign/verifying/verify/ "Verifying Signatures - Cosign"
[3]: https://artifacthub.io/packages/container/cosign/cosign/latest "cosign latest · sigstore/cosign"
[4]: https://trustification.io/blog/ "Blog"
[5]: https://docs.sigstore.dev/certificate_authority/overview/ "Fulcio"
[6]: https://developers.redhat.com/articles/2025/08/27/how-verify-container-signatures-disconnected-openshift "How to verify container signatures in disconnected OpenShift"
[7]: https://www.chainguard.dev/unchained/life-of-a-sigstore-signature "Life of a Sigstore signature"
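---

### Worked example: trusted time, identity and issuer in an offline verifier

The Go program below is an added example written for this page; it is not code from the Stella Ops Signer module or from cosign, and it contacts no Fulcio or Rekor instance. It models §1, §3, §6 and the verify gate in the checklist with the standard library: a stand-in CA plays Fulcio and issues a 10-minute certificate that binds a constructed GitHub Actions workflow identity (URI SAN) and the real GitHub issuer URL (carried in Fulcio's v1 issuer extension, OID 1.3.6.1.4.1.57264.1.1); the job signs a constructed verdict predicate as a DSSE attestation with an ephemeral key; a `Bundle` struct stands in for a Sigstore bundle with the Rekor inclusion proof reduced to its integrated time; and `verifyBundle` does what `cosign verify --certificate-identity ... --certificate-oidc-issuer ...` does, judging certificate validity at the integrated time. The certificate is issued three years in the past, so it is long expired when `RunScenario` verifies it today: the genuine bundle still passes, while a bundle whose log time falls after the 10-minute window (an ephemeral key reused once the window closed) is rejected. The Merkle inclusion proof, checkpoint signature and RFC 3161 timestamp that a real bundle carries are omitted. Requires Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Fulcio's v1 OIDC-issuer extension (OID 1.3.6.1.4.1.57264.1.1); its value is the raw issuer URL.
var oidFulcioIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

const payloadType = "application/vnd.in-toto+json" // DSSE payloadType used by cosign attest

// Bundle is a constructed stand-in for a Sigstore bundle: leaf cert, DSSE payload and
// signature, and the Rekor inclusion proof reduced to the log's integrated time.
type Bundle struct {
	CertDER, Payload, Signature []byte
	IntegratedTime              time.Time
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// newCA builds a long-lived self-signed root standing in for Fulcio's CA, plus the pool a
// verifier pins (the mirrored trust root at an air-gapped site).
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, *x509.CertPool) {
	key := newKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-5 * 365 * 24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return ca, key, roots
}

// issueShortLivedCert simulates Fulcio: the CI job's OIDC identity (URI SAN) and issuer
// (extension) are bound to its ephemeral public key in a certificate valid for 10 minutes.
func issueShortLivedCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, identity, issuer string, issuedAt time.Time) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: issuedAt, NotAfter: issuedAt.Add(10 * time.Minute),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		URIs:            []*url.URL{must(url.Parse(identity))},
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuer, Value: []byte(issuer)}}}
	return must(x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey))
}

// pae is the DSSE pre-authentication encoding; this byte string is what actually gets signed.
func pae(payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// signAttestation signs the statement as DSSE with the ephemeral key and records the time
// the transparency log stamps on the entry (Rekor's integratedTime).
func signAttestation(key *ecdsa.PrivateKey, certDER, payload []byte, logTime time.Time) *Bundle {
	digest := sha256.Sum256(pae(payload))
	sig := must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
	return &Bundle{CertDER: certDER, Payload: payload, Signature: sig, IntegratedTime: logTime}
}

// verifyBundle is the offline verifier: chain the leaf to the pinned root at the log's
// integrated time (the wall clock is never consulted), enforce identity and issuer the way
// --certificate-identity / --certificate-oidc-issuer do, then check the DSSE signature.
func verifyBundle(b *Bundle, roots *x509.CertPool, wantIdentity, wantIssuer string) error {
	leaf, err := x509.ParseCertificate(b.CertDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: b.IntegratedTime, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate not valid at log time %s: %w", b.IntegratedTime.Format(time.RFC3339), err)
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].String() != wantIdentity {
		return fmt.Errorf("certificate identity does not match policy %q", wantIdentity)
	}
	var issuer string
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidFulcioIssuer) {
			issuer = string(ext.Value)
		}
	}
	if issuer != wantIssuer {
		return fmt.Errorf("certificate OIDC issuer %q does not match policy %q", issuer, wantIssuer)
	}
	digest := sha256.Sum256(pae(b.Payload))
	if pub, ok := leaf.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], b.Signature) {
		return fmt.Errorf("DSSE signature does not verify")
	}
	return nil
}

// RunScenario: a cert issued three years ago signs a verdict while still valid. Verified today,
// the genuine bundle passes despite the long-expired cert, while a bundle whose log time falls
// after expiry (an ephemeral key reused once the window closed) is rejected.
func RunScenario() (genuineErr, lateErr error) {
	const identity = "https://github.com/example-org/verdicts/.github/workflows/release.yml@refs/heads/main" // constructed
	const issuer = "https://token.actions.githubusercontent.com"                                             // GitHub Actions OIDC issuer
	verdict := []byte(`{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://example.com/verdict/v1","predicate":{"result":"pass"}}`) // constructed
	ca, caKey, roots := newCA(time.Now())
	key, issuedAt := newKey(), time.Now().Add(-3*365*24*time.Hour)
	certDER := issueShortLivedCert(ca, caKey, &key.PublicKey, identity, issuer, issuedAt)
	genuine := signAttestation(key, certDER, verdict, issuedAt.Add(30*time.Second))
	late := signAttestation(key, certDER, verdict, issuedAt.Add(20*time.Minute))
	return verifyBundle(genuine, roots, identity, issuer), verifyBundle(late, roots, identity, issuer)
}

func main() {
	genuineErr, lateErr := RunScenario()
	fmt.Printf("genuine bundle: %v\nlate bundle: %v\n", genuineErr, lateErr)
}
```

Run it with `go run .`: the genuine bundle reports `<nil>` and the late bundle reports a "certificate has expired or is not yet valid" error even though both were signed with the same key and certificate. Swapping the stand-in CA for the mirrored Sigstore trust root and the `Bundle` struct for a parsed Sigstore bundle turns `verifyBundle` into the kind of air-gapped gate §5 describes; the design point to keep is that `CurrentTime` comes from the log entry, never from `time.Now()`.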