Explore the security and trustworthiness of Sigstore's keyless code signing service in this 27-minute conference talk from KubeCon + CloudNativeCon Europe 2023. Delve into the Sigstore ecosystem, examining how it protects public infrastructure while adhering to core principles of openness. Learn about the trust root, key management requirements, and the implementation of The Update Framework (TUF). Witness a live demonstration simulating a real-life compromise of critical components to test Sigstore's resilience. Gain insights into the Sigstore Community Root, initial trust establishment, ceremony operations, and root management. Discover the Sigstore TUF target layout, client usage, integration, and ecosystem. Equip yourself with knowledge to understand and trust Sigstore signatures for enhanced software supply chain security.
No Keys? No Problem - Why You Can Trust Sigstore Signatures
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Syllabus
Intro
Sigstore Ecosystem
Where are the keys?
Compromise
Trust in Services
Key management requirements
TUF introduction - continued
TUF - Example deployment
Pictures of where TUF is used
Sigstore Community Root
Initial Root Trust
Ceremony Operations
Root Management
Sigstore TUF Target Layout
Sigstore Client Usage
Client integration
Client Ecosystem
Find out more
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
-
Zero Trust Supply Chains with Project Sigstore and SPIFFE
-
So You Want to Run Your Own Sigstore - Recommendations for a Secure Setup
-
TUF-En Up Your Signatures - Enhancing Software Distribution Security
-
Whose Sign Is It Anyway?
-
Sigstore: Using Transparent Digital Signatures to Help Secure the Software Supply Chain
