Problem
Organizations running their own Fulcio CA and Rekor transparency log cannot direct AICR to use their private Sigstore instances. All signing currently targets the public Sigstore infrastructure, which may not meet internal compliance or network isolation requirements.
Proposal
Add --fulcio-url and --rekor-url flags to aicr bundle to override the default public Sigstore endpoints.
New Flags
| Flag | Type | Default |
|------|------|---------|
| --fulcio-url | string | Public Fulcio (https://fulcio.sigstore.dev) |
| --rekor-url | string | Public Rekor (https://rekor.sigstore.dev) |
Behavior
- When either flag is set, AICR uses the specified endpoint(s) for signing and transparency log upload
- The verification process is identical—same bundle format—only the root of trust differs
- Verification against private infrastructure requires the corresponding root certificate (--certificate-chain or TUF root)
- Both flags are optional and independent: an org could run private Fulcio with public Rekor, or vice versa
Validation
- URLs must be valid HTTPS endpoints
- AICR should fail fast with a clear error if the private endpoint is unreachable
Implementation Notes
Updated 2026-06-02: the library plumbing for this already exists; remaining work is CLI wiring only. Scoped down accordingly.
SignOptions in pkg/bundler/attestation/signing.go already carries FulcioURL and RekorURL fields, each falling back to DefaultFulcioURL / DefaultRekorURL, and SignStatement already passes them to sigstore-go's sign.NewFulcio / sign.NewRekor. The custom-endpoint support is implemented at the library layer.
- The only missing piece is the CLI surface: two string flags on aicr bundle, threaded through bundleCmdOptions → attestation.ResolveOptions (pkg/bundler/attestation/resolver.go) → SignOptions. No changes to bundle format or verification logic.
- Framing note: the original "cosign already supports cosign sign --fulcio-url" reference predates the migration to sigstore-go's sign package — the relevant support now lives in SignOptions, not the cosign CLI.
- There is no aicr bundle-sign subcommand; signing is folded into aicr bundle --attest.
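The flag handling described in the Behavior, Validation and Implementation Notes sections, as an added example in Go that is not part of AICR's code base: it assumes hypothetical names ResolveEndpoints, validateEndpoint and CheckReachable, and an Endpoints struct standing in for the FulcioURL/RekorURL fields on SignOptions. The defaults are the public endpoints from the New Flags table; the internal hostnames in main are the issue's own example values.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/url"
	"strings"
	"time"
)

// Public Sigstore defaults, as listed in the New Flags table.
const (
	DefaultFulcioURL = "https://fulcio.sigstore.dev"
	DefaultRekorURL  = "https://rekor.sigstore.dev"
)

// Endpoints is a hypothetical stand-in for the FulcioURL/RekorURL fields
// that SignOptions carries; it is what the CLI layer would hand down.
type Endpoints struct {
	FulcioURL string
	RekorURL  string
}

// validateEndpoint enforces the "valid HTTPS endpoint" rule from the
// Validation section: parseable, https scheme, a host, and no embedded
// credentials, query or fragment (none of which belong in a CA/log URL).
func validateEndpoint(flag, raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("%s: not a valid URL: %w", flag, err)
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("%s: scheme must be https, got %q", flag, u.Scheme)
	}
	if u.Hostname() == "" {
		return "", fmt.Errorf("%s: URL has no host", flag)
	}
	if u.User != nil {
		return "", fmt.Errorf("%s: credentials embedded in URL are not allowed", flag)
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("%s: query string or fragment not allowed", flag)
	}
	// Drop a trailing slash so path joining by the signing client stays predictable.
	return strings.TrimRight(u.String(), "/"), nil
}

// ResolveEndpoints applies the "optional and independent" rule: each flag
// that is non-empty replaces its public default; an empty flag keeps it.
func ResolveEndpoints(fulcioFlag, rekorFlag string) (Endpoints, error) {
	ep := Endpoints{FulcioURL: DefaultFulcioURL, RekorURL: DefaultRekorURL}
	if fulcioFlag != "" {
		v, err := validateEndpoint("--fulcio-url", fulcioFlag)
		if err != nil {
			return Endpoints{}, err
		}
		ep.FulcioURL = v
	}
	if rekorFlag != "" {
		v, err := validateEndpoint("--rekor-url", rekorFlag)
		if err != nil {
			return Endpoints{}, err
		}
		ep.RekorURL = v
	}
	return ep, nil
}

// CheckReachable is the fail-fast probe: a bounded TCP dial to the endpoint's
// host (port 443 unless the URL names one). It turns a hang deep inside the
// signing flow into an immediate, clearly attributed error.
func CheckReachable(ctx context.Context, endpoint string, timeout time.Duration) error {
	u, err := url.Parse(endpoint)
	if err != nil {
		return err
	}
	addr := u.Host
	if u.Port() == "" {
		addr = net.JoinHostPort(u.Hostname(), "443")
	}
	d := net.Dialer{Timeout: timeout}
	conn, err := d.DialContext(ctx, "tcp", addr)
	if err != nil {
		return fmt.Errorf("sigstore endpoint %s is unreachable: %w", endpoint, err)
	}
	return conn.Close()
}

func main() {
	// The success-criteria invocation from the issue, resolved to endpoints.
	ep, err := ResolveEndpoints("https://fulcio.internal.example.com", "https://rekor.internal.example.com")
	fmt.Println(ep, err)
	// A plain-http override is rejected before any signing starts.
	_, err = ResolveEndpoints("http://fulcio.internal.example.com", "")
	fmt.Println(err)
}
```

The probe is deliberately a TCP dial rather than an HTTP request: it needs no trust root to succeed, so a misconfigured --certificate-chain surfaces later as a distinct TLS error instead of being conflated with "endpoint unreachable".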
Success Criteria
- aicr bundle --fulcio-url https://fulcio.internal.example.com --rekor-url https://rekor.internal.example.com signs against private infrastructure
- Bundle is verifiable with matching private root of trust
- Public Sigstore remains the default when flags are omitted
- make test and make lint pass with no regressions