Overview
Explore how Lockheed Martin integrates Sigstore capabilities in a local environment to enhance software supply chain security. Learn about the company's approach to creating internal Kubernetes deployments of Sigstore utilities, using internal certificate authorities and trust roots within identity providers. Discover the implementation of AWS Key Management Service for signing and the use of reusable Gitlab pipelines to streamline interactions with internal Oauth providers and simplify cosign tool usage. Gain insights into the reasons behind this approach, unique implementation details, and future plans to meet Executive Order 14028 requirements in an affordable and robust manner. Understand the importance of open-source solutions in addressing challenges related to licensing, dependencies, and vulnerabilities in software development.
Syllabus
Leveraging Sigstore Capabilities in a Local Environment - Chad Coleman, Lockheed Martin
Taught by
OpenSSF