Docs: Sigstore/Fulcio network blocking + recommended evidence publishing path #1436

Description

@njhensley

Part of #1431.

Summary

Document the known Fulcio/Sigstore connectivity issue and the recommended way to publish evidence. Corporate VPN and some home networks block TLS to fulcio.sigstore.dev (upstream IP-level rejection, not an AICR bug), which forces contributors onto a phone hotspot for keyless signing. The recommended remedy is the fork-based GitHub Actions signing workflow, with the local split-leg validate (on VPN) → evidence publish (off VPN) as the fallback.

Acceptance criteria

  • A contributor-facing doc page (under docs/contributor/ or the evidence section) explains the symptom, the cause (upstream Sigstore IP blocking), and the CI-based remedy.
  • Notes the requirement that the fork's aicr-evidence GHCR package be public so the gate's verify pull (and the signing workflow's pre-sign pull) doesn't 403.
  • Cross-links the fork-based signing workflow and the two-phase publish issues.

References

  • docs/design/007-recipe-evidence.md and subpages
  • pkg/cli/evidence_publish.go
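The CI-based remedy the issue recommends, sketched here as an added illustrative workflow for the contributor doc. This is not the project's own workflow file: it assumes the evidence is an OCI artifact in the fork's `aicr-evidence` GHCR package and is signed keyless with cosign, and the filename, the `digest` input, and the step layout are assumptions. The point it shows is that the OIDC token exchange with Fulcio happens on the GitHub-hosted runner, which is not behind the contributor's VPN, and that a final unauthenticated verify step catches the package-visibility problem the issue calls out.

```yaml
# .github/workflows/sign-evidence.yml  (illustrative; filename and layout are assumptions)
name: sign-evidence

on:
  workflow_dispatch:
    inputs:
      digest:
        description: "sha256:... digest of the already-pushed aicr-evidence artifact to sign"
        required: true

permissions:
  contents: read
  packages: write   # push the signature next to the artifact in GHCR
  id-token: write   # mint the OIDC token that Fulcio exchanges for a short-lived signing cert

jobs:
  sign:
    runs-on: ubuntu-latest
    env:
      # github.repository_owner resolves to the fork owner, so the signature lands in
      # the fork's own aicr-evidence package, not upstream's.
      IMAGE: ghcr.io/${{ github.repository_owner }}/aicr-evidence
    steps:
      - uses: sigstore/cosign-installer@v3

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Keyless sign from the runner
        # The TLS connection to fulcio.sigstore.dev is made by the runner, so a
        # contributor whose VPN blocks Fulcio never has to leave the VPN.
        run: cosign sign --yes "${IMAGE}@${{ inputs.digest }}"

      - name: Verify as an anonymous client
        # Drop the registry credentials first so this step sees exactly what the
        # gate's verify pull sees. If the fork's package is still private, this step
        # fails on the pull with a permission error rather than on the signature.
        run: |
          docker logout ghcr.io
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp "^https://github.com/${{ github.repository }}/" \
            "${IMAGE}@${{ inputs.digest }}"
```

The identity regexp pins the accepted signer to workflows in the fork itself; when the signed evidence is later consumed upstream, the gate's verify policy decides which fork identities it trusts, which is outside the scope of this workflow.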
