Sigstore Software Supply Chain Security

Unified software supply chain security workflow combining Sigstore's Rekor transparency log and Fulcio certificate authority. Enables artifact signing, verification, certificate issuance, and transparency log auditing for DevOps engineers, security teams, and platform administrators building secure software delivery pipelines.

Tags: Certificate Authority, Code Signing, Cryptography, DevSecOps, Open Source, PKI, Security, Software Supply Chain, Transparency Log

What You Can Do

POST /v1/log-entries
  Create log entry: add a signed artifact to the Rekor transparency log

POST /v1/log-entries
  Search log entries: search transparency log entries by UUID or log index

GET /v1/log-entries/{entryUUID}
  Get log entry: retrieve a specific log entry including its inclusion proof

POST /v1/index
  Search artifact: find log entries by artifact hash or signer identity

GET /v1/log
  Get log info: get current log tree information and size

POST /v1/signing-certificates
  Create signing certificate: issue a short-lived X.509 signing certificate via Fulcio

GET /v1/trust-bundle
  Get trust bundle: retrieve the Fulcio CA trust bundle

GET /v1/configuration
  Get CA configuration: get the supported OIDC identity providers for keyless signing

MCP Tools

rekor-create-log-entry (not read-only, not idempotent)
  Submit a signed artifact to the Rekor transparency log to create an immutable audit record

rekor-get-log-entry (read-only, idempotent)
  Retrieve a specific Rekor transparency log entry by UUID, including the inclusion proof

rekor-search-artifact (read-only, idempotent)
  Search the Rekor index to find log entries for a specific artifact hash or signer email

rekor-search-entries (read-only, idempotent)
  Retrieve multiple Rekor log entries by UUIDs or log indexes

rekor-get-log-info (read-only, idempotent)
  Get the current Rekor transparency log tree size and signed tree head information

fulcio-create-signing-certificate (not read-only, not idempotent)
  Request a short-lived X.509 signing certificate from Fulcio using an OIDC identity token

fulcio-get-trust-bundle (read-only, idempotent)
  Retrieve the Fulcio CA root and intermediate certificates for offline verification

fulcio-get-configuration (read-only, idempotent)
  Get the Fulcio CA configuration including all supported OIDC identity providers

APIs Used

rekor, fulcio

Capability Spec

naftiko: "1.0.0-alpha1"

info:
  label: "Sigstore Software Supply Chain Security"
  description: >-
    Unified software supply chain security workflow combining Sigstore's Rekor
    transparency log and Fulcio certificate authority. Enables artifact signing,
    verification, certificate issuance, and transparency log auditing for DevOps
    engineers, security teams, and platform administrators building secure software
    delivery pipelines.
  tags:
    - Certificate Authority
    - Code Signing
    - Cryptography
    - DevSecOps
    - Open Source
    - PKI
    - Security
    - Software Supply Chain
    - Transparency Log
  created: "2026-05-02"
  modified: "2026-05-02"

binds:
  - namespace: env
    keys:
      REKOR_BASE_URL: REKOR_BASE_URL
      FULCIO_BASE_URL: FULCIO_BASE_URL

capability:
  consumes:
    - import: rekor
      location: ./shared/rekor.yaml
    - import: fulcio
      location: ./shared/fulcio.yaml

  exposes:
    - type: rest
      port: 8080
      namespace: sigstore-supply-chain-api
      description: "Unified REST API for Sigstore software supply chain security workflows."
      resources:
        - path: /v1/log-entries
          name: log-entries
          description: Transparency log entries for signed artifacts
          operations:
            - method: POST
              name: create-log-entry
              description: Add a signed artifact to the Rekor transparency log
              call: "rekor.create-log-entry"
              outputParameters:
                - type: object
                  mapping: "$."

            - method: POST
              name: search-log-entries
              description: Search transparency log entries by UUID or log index
              call: "rekor.search-log-entries"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/log-entries/{entryUUID}
          name: log-entry
          description: Individual transparency log entry
          operations:
            - method: GET
              name: get-log-entry
              description: Retrieve a specific log entry including inclusion proof
              call: "rekor.get-log-entry"
              with:
                entryUUID: "rest.entryUUID"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/index
          name: artifact-index
          description: Search transparency log by artifact metadata
          operations:
            - method: POST
              name: search-artifact
              description: Find log entries by artifact hash or signer identity
              call: "rekor.search-index"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/log
          name: log-info
          description: Transparency log status and tree information
          operations:
            - method: GET
              name: get-log-info
              description: Get current log tree information and size
              call: "rekor.get-log-info"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/signing-certificates
          name: signing-certificates
          description: Short-lived signing certificate issuance
          operations:
            - method: POST
              name: create-signing-certificate
              description: Issue a short-lived X.509 signing certificate via Fulcio
              call: "fulcio.create-signing-cert"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/trust-bundle
          name: trust-bundle
          description: CA trust bundle for certificate verification
          operations:
            - method: GET
              name: get-trust-bundle
              description: Retrieve the Fulcio CA trust bundle
              call: "fulcio.get-trust-bundle"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/configuration
          name: ca-configuration
          description: Fulcio CA OIDC issuer configuration
          operations:
            - method: GET
              name: get-ca-configuration
              description: Get the supported OIDC identity providers for keyless signing
              call: "fulcio.get-configuration"
              outputParameters:
                - type: object
                  mapping: "$."

    - type: mcp
      port: 9090
      namespace: sigstore-supply-chain-mcp
      transport: http
      description: "MCP server for AI-assisted software supply chain security, artifact signing, and transparency log auditing."
      tools:
        - name: rekor-create-log-entry
          description: Submit a signed artifact to the Rekor transparency log to create an immutable audit record
          hints:
            readOnly: false
            idempotent: false
          call: "rekor.create-log-entry"
          outputParameters:
            - type: object
              mapping: "$."

        - name: rekor-get-log-entry
          description: Retrieve a specific Rekor transparency log entry by UUID, including the inclusion proof
          hints:
            readOnly: true
            idempotent: true
          call: "rekor.get-log-entry"
          outputParameters:
            - type: object
              mapping: "$."

        - name: rekor-search-artifact
          description: Search the Rekor index to find log entries for a specific artifact hash or signer email
          hints:
            readOnly: true
            idempotent: true
          call: "rekor.search-index"
          outputParameters:
            - type: object
              mapping: "$."

        - name: rekor-search-entries
          description: Retrieve multiple Rekor log entries by UUIDs or log indexes
          hints:
            readOnly: true
            idempotent: true
          call: "rekor.search-log-entries"
          outputParameters:
            - type: object
              mapping: "$."

        - name: rekor-get-log-info
          description: Get current Rekor transparency log tree size and signed tree head information
          hints:
            readOnly: true
            idempotent: true
          call: "rekor.get-log-info"
          outputParameters:
            - type: object
              mapping: "$."

        - name: fulcio-create-signing-certificate
          description: Request a short-lived X.509 signing certificate from Fulcio using OIDC identity token
          hints:
            readOnly: false
            idempotent: false
          call: "fulcio.create-signing-cert"
          outputParameters:
            - type: object
              mapping: "$."

        - name: fulcio-get-trust-bundle
          description: Retrieve the Fulcio CA root and intermediate certificates for offline verification
          hints:
            readOnly: true
            idempotent: true
          call: "fulcio.get-trust-bundle"
          outputParameters:
            - type: object
              mapping: "$."

        - name: fulcio-get-configuration
          description: Get the Fulcio CA configuration including all supported OIDC identity providers
          hints:
            readOnly: true
            idempotent: true
          call: "fulcio.get-configuration"
          outputParameters:
            - type: object
              mapping: "$."