So You Want to Run Your Own Sigstore - Recommendations for a Secure Setup

Explore recommendations for securely setting up and running a private Sigstore instance in this conference talk. Delve into the motivations behind operating private Sigstore services, including availability requirements, data residency, privacy concerns, and policy controls. Examine the differences in threat modeling between public and private instances, and understand the essential requirements for operating private instances, such as managing a root trust store and ensuring security properties for private certificate authorities and transparency logs. Learn about Sigstore components like Fulcio and Rekor, artifact signing keys, transparency logs, and timestamping. Discover the challenges of key management and how The Update Framework addresses them. Gain insights into deploying Sigstore and monitoring your private instance for optimal security and performance.