From 2ba5dc8ceb4115bcf1aca1c118457dfc4886945f Mon Sep 17 00:00:00 2001 From: sgpinkus Date: Fri, 24 Jan 2025 08:49:57 +1000 Subject: [PATCH] Clarify client is creating the public private key pair in 'How Sigstore works' section of overview. (#359) Signed-off-by: Sam Pinkus --- content/en/about/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index 1c5bee0f..cb6fa305 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md @@ -46,7 +46,7 @@ The signer ideally forgoes using long-lived keypairs. With “keyless” or “e ## How Sigstore works -A Sigstore client, such as Cosign, requests a certificate from our code-signing certificate authority (Fulcio). A verifiable OpenID Connect identity token, which contains a user's email address or service account, is provided in the request. The certificate authority verifies this token and issues a short-lived certificate bound to the provided identity. +A Sigstore client, such as Cosign, creates a public/private key pair and makes a certificate signing request to our code-signing certificate authority (Fulcio) with the public key. A verifiable OpenID Connect identity token, which contains a user's email address or service account, is also provided in the request. The certificate authority verifies this token and issues a short-lived certificate bound to the provided identity and public key. You don’t have to manage signing keys, and Sigstore services never obtain your private key. The public key that a Sigstore client creates gets bound to the issued certificate, and the private key is discarded after a single signing.
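Review bot: the rewritten first sentence of the hunk now says the client creates the key pair and that the certificate is bound to the public key, so the unchanged closing sentence "The public key that a Sigstore client creates gets bound to the issued certificate" repeats it; consider folding it into the sentence about the private key, e.g. "Sigstore services never obtain your private key, and the client discards it after a single signing." Since the paragraph now mentions a certificate signing request, it would also help to state that the CSR is signed with the freshly generated private key so Fulcio can check that the requester actually holds it; as written, "bound to the provided identity and public key" reads as if Fulcio simply trusts whatever public key is supplied alongside the OIDC token.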