Explore the critical aspects of software security and signature verification in this informative conference talk. Delve into the common misconceptions surrounding software signing and learn why verification is crucial for ensuring true security. Discover how to properly verify software signatures and identify the right signers. Gain insights into utilizing CNCF projects like The Update Framework (TUF), in-toto, and Sigstore to enhance security for open source package repositories and internal container registries. Understand the capabilities and limitations of software signing, and learn to design effective verification policies for your projects or organizations. Explore how open source software repositories are implementing these techniques to guarantee the authenticity of downloaded code.
Verifying Software Signatures with TUF and Sigstore
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Syllabus
Not All That’s Signed Is Secure: Verify the Right Way with TUF and... Zachary Newman & Marina Moore
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
-
Secure Transport for Your Software Supply Chain with TUF
-
TUF-En Up Your Signatures - Enhancing Software Distribution Security
-
Toto-Ally TUF: Simple Tools for a Secure Software Supply Chain
-
Design and Analyze Secure Networked Systems
-
Archivista: Using TUF to Store Policy and Verify In-toto Attestations - Demo
-
No Keys? No Problem - Why You Can Trust Sigstore Signatures
