OpenSSF Community Day North America 2026

Keyless signing in sigstore/cosign avoids the need to manage long-lived private keys by using ephemeral keys, short-lived certificates issued by a Managed CA (sigstore/fulcio), and a Public Transparency Log (sigstore/rekor). While this model fits many use cases, some organizations may prefer to run their own infrastructure with an Internal CA and Private Transparency Logs.

At Coinbase, the Security Platform Engineering team built an Internal CA that issues more than 100M certificates per year. We’ve applied keyless signing principles to our build pipelines, where signers attest their workload identities (e.g., SPIFFE, AWS OIDC), receive short-lived X.509 certificates, and sign artifacts with ephemeral keys that are immediately discarded after use.

This talk explores implementing a BYOPKI approach that maintains keyless signing principles, issuing short-lived X.509 certificates using workload attestation, and leveraging the new bundle format (v0.3+) within sigstore/cosign.