Beyond Keyless Signing: Using Ephemeral Certificates With BYOPKI - Kenneth Yang & Adrian Smith

OpenSSF
Jun 2, 2026

Why It Matters

The session shows a practical path for enterprises to integrate existing PKI into Sigstore-based supply-chain signing, but it also surfaces compatibility gaps in the v0.3 bundle spec, notably that a bundle may carry only the leaf certificate and no chain, which complicates adoption for organizations that issue leaves from ephemeral intermediate CAs. Closing these gaps matters for trustworthy, verifiable artifact signing in enterprise CI/CD pipelines.

Summary

Coinbase security engineers Kenneth Yang and Adrian Smith demonstrated how to use Sigstore’s new v0.3 bundle format to sign and verify OCI images with a bring-your-own-PKI (BYOPKI) model, leveraging ephemeral X.509 certificates and timestamp authorities. They walked through the v0.3 protobuf structure (media type, verification material, and signing envelope) and the verification steps: validating against the trusted root and timestamp authorities, checking the short-lived leaf certificate against the attested signing time, extracting its public key, and matching digests. In practice they ran into interoperability issues: the v0.3 bundle often includes only the leaf certificate, not the intermediates or root, which conflicts with Coinbase’s PKI architecture of ephemeral intermediate CAs, because the verifier cannot build a chain from the bundle alone. The team demonstrated workarounds and showed why timestamp validation is essential: a trusted timestamp lets the verifier evaluate an ephemeral certificate that has long since expired as it stood at signing time.
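The verification order summarized above, worked through as an added example in Go (it is not the speakers' code and does not use the sigstore-go or cosign APIs): it builds a long-lived root, an hours-lived intermediate and a minutes-lived leaf with crypto/x509, signs a constructed digest with a one-use key, and verifies the leaf as of the timestamp-attested time using a chain taken from out-of-band trust material rather than from the bundle. The `Bundle` struct, the hash-based timestamp token standing in for RFC 3161, the certificate names and all lifetimes are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Bundle mirrors the v0.3 pieces used here: the leaf certificate only (no chain), the
// signature over the digest, and a constructed stand-in for the RFC 3161 timestamp token.
type Bundle struct {
	Leaf      *x509.Certificate
	Signature []byte
	Digest    []byte
	SignedAt  time.Time // time attested by the TSA
	TSASig    []byte    // TSA signature over tsaMessage(Signature, SignedAt)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a code-signing certificate template; CertSign in usage makes it a CA.
func template(cn string, serial int64, nb, na time.Time, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, KeyUsage: usage, BasicConstraintsValid: true,
		IsCA:        usage&x509.KeyUsageCertSign != 0,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// tsaMessage is what the toy TSA signs: SHA-256(signature || RFC 3339 time).
func tsaMessage(sig []byte, t time.Time) []byte {
	h := sha256.Sum256(append(append([]byte{}, sig...), t.UTC().Format(time.RFC3339)...))
	return h[:]
}

// SigningScenario builds the PKI the talk describes (long-lived root, hours-lived
// intermediate, minutes-lived leaf), signs a constructed digest at signingTime with a
// one-use key, and returns the bundle, the out-of-band trust material (root and
// intermediate, which the bundle does not carry) and the TSA public key.
func SigningScenario(signingTime time.Time) (Bundle, x509.VerifyOptions, *ecdsa.PublicKey) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, intKey, leafKey, tsaKey := newKey(), newKey(), newKey(), newKey()
	ca := x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	rootTmpl := template("Example Root CA", 1, signingTime.Add(-24*time.Hour), signingTime.Add(10*365*24*time.Hour), ca)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(template("Ephemeral Intermediate CA", 2, signingTime.Add(-time.Hour), signingTime.Add(time.Hour), ca), root, &intKey.PublicKey, rootKey)
	leaf := issue(template("ci-build-workload", 3, signingTime.Add(-time.Minute), signingTime.Add(10*time.Minute), x509.KeyUsageDigitalSignature), inter, &leafKey.PublicKey, intKey)
	digest := sha256.Sum256([]byte("constructed OCI manifest bytes")) // stand-in for the image digest
	sig := must(ecdsa.SignASN1(rand.Reader, leafKey, digest[:]))     // leafKey is never used again
	tsaSig := must(ecdsa.SignASN1(rand.Reader, tsaKey, tsaMessage(sig, signingTime)))
	trust := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	trust.Roots.AddCert(root)
	trust.Intermediates.AddCert(inter)
	return Bundle{leaf, sig, digest[:], signingTime, tsaSig}, trust, &tsaKey.PublicKey
}

// Verify follows the order from the session: authenticate the timestamp, validate the
// leaf as of the attested time against the chain from the trust material (not from the
// bundle), then check the signature under the leaf's key against the digest.
func Verify(b Bundle, trust x509.VerifyOptions, tsaKey *ecdsa.PublicKey) error {
	if !ecdsa.VerifyASN1(tsaKey, tsaMessage(b.Signature, b.SignedAt), b.TSASig) {
		return errors.New("timestamp token not signed by a trusted TSA")
	}
	trust.CurrentTime = b.SignedAt // the leaf may be long expired by wall-clock time
	if _, err := b.Leaf.Verify(trust); err != nil {
		return fmt.Errorf("leaf not valid at %s: %w", b.SignedAt.UTC().Format(time.RFC3339), err)
	}
	pub, ok := b.Leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, b.Digest, b.Signature) {
		return errors.New("signature does not verify under the leaf key")
	}
	return nil
}

func main() {
	b, trust, tsaKey := SigningScenario(time.Now().Add(-2 * time.Hour)) // leaf and intermediate have since expired
	fmt.Println("at attested time:", Verify(b, trust, tsaKey))
	trust.Intermediates = nil // the bundle has only the leaf: drop the intermediate and chaining fails
	fmt.Println("without intermediate:", Verify(b, trust, tsaKey))
}
```

The scenario is dated two hours in the past on purpose: both the leaf and the ephemeral intermediate are expired by the time the verifier runs, so validation only succeeds because `CurrentTime` is pinned to the TSA-attested instant, and it fails again as soon as the intermediate is missing from the trust material, which is the situation the speakers describe for leaf-only v0.3 bundles. A production verifier would parse a real RFC 3161 token and load the intermediates from the Sigstore trusted root in place of the toy token and hand-built pools used here.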

Original Description

Beyond Keyless Signing: Using Ephemeral Certificates With BYOPKI - Kenneth Yang & Adrian Smith, Coinbase
Keyless signing in sigstore/cosign avoids the need to manage long-lived private keys by using ephemeral keys, short-lived certificates issued by a Managed CA (sigstore/fulcio), and a Public Transparency Log (sigstore/rekor). While this model fits many use cases, some organizations may prefer to run their own infrastructure with an Internal CA and Private Transparency Logs.
At Coinbase, the Security Platform Engineering team built an Internal CA that issues more than 100M certificates per year. We’ve applied keyless signing principles to our build pipelines, where signers attest their workload identities (e.g., SPIFFE, AWS OIDC), receive short-lived X.509 certificates, and sign artifacts with ephemeral keys that are immediately discarded after use.
This talk explores implementing a BYOPKI approach that maintains keyless signing principles, issuing short-lived X.509 certificates using workload attestation, and leveraging the new bundle format (v0.3+) within sigstore/cosign.
