Skip to content

feat(bundle): private Sigstore infrastructure support via --fulcio-url and --rekor-url #408

Description

@mchmarny

Problem

Organizations running their own Fulcio CA and Rekor transparency log cannot direct AICR to use their private Sigstore instances. All signing currently targets the public Sigstore infrastructure, which may not meet internal compliance or network isolation requirements.

Proposal

Add --fulcio-url and --rekor-url flags to aicr bundle to override the default public Sigstore endpoints.

New Flags

Flag Type Default
--fulcio-url string Public Fulcio (https://fulcio.sigstore.dev)
--rekor-url string Public Rekor (https://rekor.sigstore.dev)

Behavior

  • When either flag is set, AICR uses the specified endpoint(s) for signing and transparency log upload
  • The verification process is identical—same bundle format—only the root of trust differs
  • Verification against private infrastructure requires the corresponding root certificate (--certificate-chain or TUF root)
  • Both flags are optional and independent: an org could run private Fulcio with public Rekor, or vice versa

Validation

  • URLs must be valid HTTPS endpoints
  • AICR should fail fast with a clear error if the private endpoint is unreachable

Implementation Notes

Updated 2026-06-02: the library plumbing for this already exists; remaining work is CLI wiring only. Scoped down accordingly.

  • SignOptions in pkg/bundler/attestation/signing.go already carries FulcioURL and RekorURL fields, each falling back to DefaultFulcioURL / DefaultRekorURL, and SignStatement already passes them to sigstore-go's sign.NewFulcio / sign.NewRekor. The custom-endpoint support is implemented at the library layer.
  • The only missing piece is the CLI surface: two string flags on aicr bundle, threaded through bundleCmdOptionsattestation.ResolveOptions (pkg/bundler/attestation/resolver.go) → SignOptions. No changes to bundle format or verification logic.
  • Framing note: the original "cosign already supports cosign sign --fulcio-url" reference predates the migration to sigstore-go's sign package — the relevant support now lives in SignOptions, not the cosign CLI.
  • There is no aicr bundle-sign subcommand; signing is folded into aicr bundle --attest.

Success Criteria

  • aicr bundle --fulcio-url https://fulcio.internal.example.com --rekor-url https://rekor.internal.example.com signs against private infrastructure
  • Bundle is verifiable with matching private root of trust
  • Public Sigstore remains the default when flags are omitted
  • make test and make lint pass with no regressions

Metadata

Metadata

Assignees

Fields

No fields configured for Enhancement.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions