fix(security): rotate Fulcio leaf SPKI pin (closes #117) #119
Merged
Sigstore rotated their `fulcio.sigstore.dev` leaf certificate sometime
between 2026-04-14 (when the pin set was last updated) and 2026-05-16
(when v0.8.3's release.yml `Build & Release WASM Component` job failed
with `Certificate pin mismatch for fulcio.sigstore.dev: got
e30da317897121cb..., expected one of 2 configured pins`).
Verification of the new pin:

```console
$ echo | openssl s_client \
    -connect fulcio.sigstore.dev:443 \
    -servername fulcio.sigstore.dev 2>/dev/null \
  | openssl x509 -pubkey -noout \
  | openssl pkey -pubin -outform DER \
  | openssl dgst -sha256 -binary \
  | xxd -p -c 256
e30da317897121cb8fba4b1285d4d51207dfbe6272c245bc1c19694317658275
```

Cert chain identity:

```
subject   = CN=fulcio.sigstore.dev
issuer    = C=US, O=Google Trust Services, CN=WR3
notBefore = May 13 04:21:37 2026 GMT
notAfter  = Aug 11 05:14:30 2026 GMT
```
Cross-checks:
- GTS WR3 intermediate SPKI matches the existing pinned
`39d4a59900fd356261e046dc387071921ca03f0352c00f50f757a8ba77db7281`
- Rekor leaf SPKI unchanged, still matches the existing Rekor pin
The previous Fulcio leaf SPKI is retained in the pin set for
transition / rollback safety. It can be removed on the next rotation
once we're confident Sigstore won't roll back.
Observational note for audit C-4 (issue #95): the v0.8.3 release CI
failure proves cert pinning IS being enforced today, at least on the
keyless-signing HTTP path. The audit's "warn-only" framing reflected
the `ureq` API limitation, but the failure mode in practice is
fail-closed. This is the right posture; #95 is about *making* this
the case at the TLS layer (rustls verifier) rather than at the
post-handshake response layer where it currently sits.
Unblocks v0.8.3 release.yml's WASM-component publish — a re-run after
this lands should complete the GitHub Release object.
Fixes: #117
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
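The same check in Python, as an added example that is not sigil's own code: it pulls the SubjectPublicKeyInfo out of a DER certificate, hashes exactly the bytes the openssl pipeline above hashes, and fails closed against a pin set using the error format seen in the v0.8.3 CI failure. The certificate it runs on is a constructed dummy (the `build_sample_cert` fixture), not a Sigstore or GTS certificate.

```python
import hashlib

class PinMismatch(Exception): pass

def _tlv(buf, off):
    """Parse one DER TLV at `off`; return (tag, value_start, value_end)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                  # short-form length
        return tag, off + 2, off + 2 + first
    k = first & 0x7F                  # long form: k length bytes follow
    return tag, off + 2 + k, off + 2 + k + int.from_bytes(buf[off + 2:off + 2 + k], "big")

def extract_spki(cert_der):
    """Raw SubjectPublicKeyInfo SEQUENCE: what `openssl x509 -pubkey | pkey -outform DER` emits."""
    _, off, _ = _tlv(cert_der, 0)     # Certificate SEQUENCE
    _, off, _ = _tlv(cert_der, off)   # TBSCertificate SEQUENCE
    if cert_der[off] == 0xA0:         # optional [0] EXPLICIT version
        off = _tlv(cert_der, off)[2]
    for _ in range(5):                # serial, sigAlg, issuer, validity, subject
        off = _tlv(cert_der, off)[2]
    return cert_der[off:_tlv(cert_der, off)[2]]

def spki_sha256_hex(cert_der):
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()

def check_pin(host, cert_der, pins):
    """Fail closed: return the SPKI hash if it is pinned, else raise."""
    got = spki_sha256_hex(cert_der)
    if got not in pins:
        raise PinMismatch(f"Certificate pin mismatch for {host}: got {got[:16]}..., "
                          f"expected one of {len(pins)} configured pins")
    return got

def _der(tag, body):
    """Minimal DER TLV encoder used only to build the constructed fixture below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_sample_cert():
    """Constructed v3 certificate (dummy key and signature); returns (cert_der, spki_der)."""
    alg = _der(0x30, b"\x06\x08\x2a\x86\x48\xce\x3d\x04\x03\x02")   # ecdsa-with-SHA256
    name = _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, b"sample"))))
    spki = _der(0x30, _der(0x30, b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01")
                + _der(0x03, b"\x00\x04" + b"\xab" * 64))          # dummy P-256 point
    validity = _der(0x30, _der(0x17, b"260513042137Z") + _der(0x17, b"260811051430Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 71)), spki
```

Feeding `check_pin` a real leaf (e.g. the DER from `openssl s_client ... | openssl x509 -outform DER`) together with the repository's pin set reproduces the fail-closed behaviour the release job exhibited.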
Automated review for PR #119 (pulseengine/sigil): Verdict: 💬 Comment. Summary: Updates Fulcio leaf SPKI pin and adds new test. Findings: 0 mechanical (rivet) · 1 from local AI model. Findings (1):

Codecov Report: ✅ All modified and coverable lines are covered by tests.
avrabe added a commit that referenced this pull request on May 19, 2026:
Single-commit-content release: v0.8.3 tagged cleanly and shipped to crates.io, but the release.yml::Build & Release WASM Component job failed (so the GitHub Release object was never created) because Sigstore rotated the fulcio.sigstore.dev leaf cert. PR #119 landed the new pin on main; this release re-cuts a tag where the code does contain the fix. Trace: skip Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sigstore rotated their fulcio.sigstore.dev leaf certificate. Pin set updated; previous leaf kept for transition. New pin verified via direct openssl fetch — SPKI sha256 = e30da317897121cb8fba4b1285d4d51207dfbe6272c245bc1c19694317658275. Cert chain identity: subject=CN=fulcio.sigstore.dev, issuer=Google Trust Services WR3, validity May 13 → Aug 11 2026. GTS WR3 intermediate SPKI and Rekor leaf SPKI both unchanged. 11 cert-pinning unit tests pass. Unblocks v0.8.3 release.yml WASM Component publish. Fixes #117.