Policy Compliance with Sigstore - From Signing Software to Validating the Whole Software Supply Chain

Explore the world of software supply chain security in this 34-minute conference talk from the Linux Foundation. Learn about Sigstore, an open-source initiative designed to provide free and user-friendly software signing and verification tools. Discover how to leverage automation, CI/CD pipelines, and policy tools like OPA to make informed decisions about code acceptance across build, test, and production systems. Gain insights into Red Hat's investigations on using Sigstore, Keylime, and Tekton Chains to verify software throughout the cloud-native build and deployment process, while enforcing verified policies. Delve into topics such as Kubernetes dependencies, software supply chains, open-source security, and the importance of software signing, verification, and policy compliance in today's threat landscape.