Keyless signing is a cryptographic signing paradigm that generates short-lived signing keys bound to a workload identity via an OpenID Connect (OIDC) token, eliminating the need to manage, rotate, or secure long-lived private keys. The process uses a certificate authority like Fulcio to issue an ephemeral certificate after verifying the OIDC token, and the entire signing event is recorded in an append-only transparency log such as Rekor for public auditability.
Glossary
Keyless Signing

What is Keyless Signing?
Keyless signing is a modern cryptographic paradigm that binds a digital signature to a workload's ephemeral identity rather than a long-lived, manually managed private key.
This mechanism provides non-repudiation by cryptographically linking a signature to a specific build pipeline, Git commit, or service account rather than a static secret that could be stolen or shared. By removing the burden of key distribution and storage, keyless signing enables automated, high-trust software supply chain security at scale, forming the cryptographic backbone of frameworks like Sigstore and SLSA.
Core Characteristics of Keyless Signing
Keyless signing eliminates the operational burden of long-lived private key management by binding signatures to short-lived, cryptographically verifiable workload identities.
Ephemeral Key Pairs
Unlike traditional PKI, keyless signing generates a one-time-use key pair for each signing event. The private key is created, used to sign the artifact, and immediately destroyed within the same process. This eliminates the risk of long-term key exfiltration, as there is no persistent secret to steal. The public key is embedded in a certificate request and validated by a trusted authority.
OIDC-Based Workload Identity
The signing process is triggered by an OpenID Connect (OIDC) token issued by the workload's execution environment (e.g., GitHub Actions, Kubernetes). This token cryptographically proves the identity of the service requesting the signature. The Certificate Authority verifies this token and binds the ephemeral key to that specific identity, creating an auditable chain of custody from the signature back to the source code repository or deployment pipeline.
Transparency Log Immutability
Every signature event is recorded in an append-only, cryptographically verifiable transparency log (such as Rekor). This log acts as a global witness, making the signing event publicly auditable and preventing retroactive forgery. A verifier can check the log to confirm that a signature was created during the certificate's validity window and that the certificate itself was properly issued, ensuring non-repudiation.
Short-Lived Certificates
The Certificate Authority (e.g., Fulcio) issues an X.509 certificate valid for only a few minutes. This drastically reduces the window of vulnerability. Even if a private key were somehow recovered before its immediate destruction, the corresponding certificate would have already expired, rendering the key useless for future forgery. This design avoids the need for complex Certificate Revocation Lists (CRLs).
Verification via Identity
To verify a keyless signature, a policy engine does not check a static public key. Instead, it validates the chain: the artifact's signature matches the ephemeral key, the certificate chains to a trusted root, the embedded OIDC identity matches the expected workload (e.g., a specific GitHub repository), and a proof of inclusion exists in the transparency log. This shifts trust from key custody to platform identity verification.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about keyless signing, workload identity, and the Sigstore ecosystem for tamper-proof model registries.
Keyless signing is a cryptographic paradigm that binds a digital signature to a workload identity rather than a long-lived private key, eliminating the need for manual key management. The process works by having a workload authenticate to a trusted OpenID Connect (OIDC) provider to receive an identity token. This token is then presented to a certificate authority—specifically Fulcio in the Sigstore ecosystem—which issues a short-lived, ephemeral code-signing certificate bound to that specific workload identity. The artifact is signed using the ephemeral key, and the signature is recorded in a transparency log (Rekor) for public auditability. After signing, the private key is discarded, making exfiltration or compromise impossible. This mechanism ensures non-repudiation by cryptographically linking the signature to the OIDC identity of the signer, such as a GitHub Actions workflow or a Kubernetes service account, rather than a static secret that could be leaked or mismanaged.
Related Terms
Keyless signing operates within a broader ecosystem of identity, transparency, and verification technologies. These related concepts form the foundation of modern software supply chain security.
Workload Identity
The foundational concept that enables keyless signing by assigning a verifiable identity to a non-human process or service. Instead of managing static credentials, the identity is derived from the runtime environment's attributes.
- SPIFFE provides a universal identity control plane for heterogeneous environments
- OIDC tokens serve as the identity document, binding the signature to a specific CI/CD job or cloud workload
- Eliminates the need for long-lived service account keys that can be leaked or stolen
Sigstore
The open-source project that implements the keyless signing paradigm at scale. It combines three core components to replace traditional private key infrastructure:
- Fulcio: A certificate authority issuing short-lived code-signing certificates bound to an OIDC identity
- Rekor: An append-only transparency log that records every signature event, making the process publicly auditable
- Cosign: The CLI tool that signs and verifies container images and OCI artifacts using the Sigstore stack
Transparency Log
An append-only, cryptographically verifiable ledger that records the issuance of digital signatures and certificates. This is the mechanism that prevents retroactive forgery in keyless signing.
- Every signature is publicly recorded, creating a non-repudiable audit trail
- Rekor is the reference implementation within the Sigstore ecosystem
- Enables offline verification: a verifier can confirm a signature was logged without trusting the signer
- Prevents an attacker from signing malicious artifacts and later claiming the signing key was compromised
Attestation
A cryptographically signed statement that asserts a verifiable fact about a software artifact. In the context of keyless signing, attestations extend beyond simple signature verification to include rich metadata.
- Provenance attestations describe how, when, and where an artifact was built
- Vulnerability scan attestations certify that a specific scan passed against a specific artifact digest
- in-toto provides a framework for collecting signed attestations across every step of a supply chain
- Attestations are stored alongside the artifact in an OCI-compliant registry using ORAS
Software Bill of Materials (SBOM)
A machine-readable inventory of all components, libraries, and dependencies that constitute a software artifact. SBOMs are a critical companion to keyless signing for complete supply chain transparency.
- SPDX and CycloneDX are the dominant SBOM formats
- A signed SBOM attests that the inventory was generated by a trusted process and hasn't been tampered with
- Combined with a Model Bill of Materials (MBOM), this extends the same guarantees to AI model artifacts
- Enables precise vulnerability tracking by mapping known CVEs to specific component versions
Binary Authorization
A deploy-time security control that ensures only trusted, verified artifacts are allowed to run in production. Keyless signing provides the cryptographic evidence that binary authorization policies evaluate.
- Kubernetes admission controllers intercept deployment requests and validate signatures before allowing pods to schedule
- Policies can require signatures from specific identities, transparency log inclusion, or fresh attestations
- Open Policy Agent (OPA) enables flexible, context-aware authorization rules using the Rego language
- Creates a continuous verification chain from build to runtime, preventing unsigned or tampered artifacts from executing

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us