Explore the challenges and solutions for establishing trust in build provenance from userspace in this 33-minute conference talk by Billy Lynch from Chainguard. Learn how tools like Cosign, npm, and Goreleaser are enhancing package and artifact signing capabilities in CI/CD workflows. Discover the potential risks associated with generating provenance and attestations from user pipelines and understand how to build a chain of trust linking artifacts, CI configuration, and build services. Gain insights into the role of open-source technologies such as Sigstore and OIDC in enabling this trust framework. Examine what CI providers and users need to implement to establish this trust, and explore real-world examples of successful implementations for securing builds.
Growing the Chain: Trusting Build Provenance from Userspace
Overview
Syllabus
Growing the Chain: Trusting Build Provenance from Userspace - Billy Lynch, Chainguard
Taught by
Linux Foundation
Tags
Related Courses
-
Identity-based Source Integrity with Gitsign
-
Gitsign - Keyless Git Commit Signing
-
Securing the Supply Chain: A Practical Guide to SLSA Compliance from Build to Runtime
-
Road to SLSA3 - Non-falsifiable Provenance in Tekton with SPIFFE/SPIRE
-
Securing the Supply Chain: A Practical Guide to SLSA Compliance from Build to Runtime
-
Bringing Provenance to Open Source - Lessons from Npm's Sigstore Integration
