Overview
Explore the future of code signing in the Python packaging ecosystem in this PyCon US talk by William Woodruff. The talk introduces Sigstore, an approach that lets package maintainers sign Python packages, and lets users verify them, without the long-lived keys and manual key distribution that PGP requires. It covers the cryptographic fundamentals of code signing and explains how Sigstore's short-lived, identity-bound signing certificates and public transparency log remove the need for long-term key material. It then surveys the ongoing work to bring Sigstore to Python packaging, including the standardization process and the foundational work needed to introduce a new code signing format, and lays out Sigstore's security model and the guarantees it can and cannot provide for the ecosystem. The talk closes with the current state of Sigstore for Python, the goals ahead, and how to contribute to this supply chain security effort.
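The overview's claim that Sigstore "eliminates the need for long-term key material" rests on a verification rule that is easy to get wrong, so here is an added illustration of it in Python. This is example code written for this listing, not code from the talk or from the sigstore-python project. In Sigstore the signer obtains a certificate from Fulcio that binds an ephemeral key to an OIDC identity and is valid for only a few minutes; the signature is then recorded in the Rekor transparency log, which stamps it with an integrated time. A verifier therefore does not ask whether the certificate is valid now (it never is, and the private key is gone) but whether it was valid when the log admitted the signature and whether it names the identity the verifier trusts. The certificate and log-entry fields, identities, issuer URL and timestamps below are constructed sample values; no real signatures are checked, only the identity and time-window policy.

```python
"""Model of Sigstore's identity-and-time verification policy (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SigningCert:
    """The fields of a Fulcio-issued signing certificate that the policy uses."""
    san_identity: str      # Subject Alternative Name: OIDC-verified email or workflow URI
    oidc_issuer: str       # OIDC issuer recorded by Fulcio (extension 1.3.6.1.4.1.57264.1.1)
    not_before: datetime   # certificate validity window, typically ~10 minutes wide
    not_after: datetime


@dataclass(frozen=True)
class LogEntry:
    """What the verifier learns from the Rekor transparency log."""
    integrated_time: datetime   # when Rekor admitted the signature to the log
    inclusion_verified: bool    # inclusion proof / signed entry timestamp checked out


def verify_identity(cert, entry, expected_identity, expected_issuer):
    """Apply the Sigstore policy; return (ok, reason).

    The time check compares the *log's* integrated time against the certificate
    window, never the verifier's wall clock, which is what lets a signature made
    with a long-discarded ephemeral key still verify years later.
    """
    if not entry.inclusion_verified:
        return False, "signature is not recorded in the transparency log"
    if cert.san_identity != expected_identity:
        return False, f"certificate identity {cert.san_identity!r} is not the expected signer"
    if cert.oidc_issuer != expected_issuer:
        return False, f"identity was authenticated by untrusted issuer {cert.oidc_issuer!r}"
    if not (cert.not_before <= entry.integrated_time <= cert.not_after):
        return False, "signature was logged outside the certificate's validity window"
    return True, "ok"


def expired_at(cert, now):
    """True when the certificate is past its window at the verifier's clock.

    This is expected to be True for nearly every real verification; it is
    deliberately NOT part of the policy above.
    """
    return now > cert.not_after


# Constructed sample data (not a real certificate or log entry).
T0 = datetime(2023, 4, 21, 12, 0, tzinfo=timezone.utc)
ISSUER = "https://oidc.example.test"
CERT = SigningCert("maintainer@example.com", ISSUER, T0, T0 + timedelta(minutes=10))
LOGGED_IN_WINDOW = LogEntry(T0 + timedelta(minutes=1), inclusion_verified=True)
LOGGED_TOO_LATE = LogEntry(T0 + timedelta(minutes=20), inclusion_verified=True)
NOT_LOGGED = LogEntry(T0 + timedelta(minutes=1), inclusion_verified=False)


if __name__ == "__main__":
    a_month_later = T0 + timedelta(days=30)
    print("cert expired at verification time:", expired_at(CERT, a_month_later))
    print(verify_identity(CERT, LOGGED_IN_WINDOW, "maintainer@example.com", ISSUER))
    print(verify_identity(CERT, LOGGED_TOO_LATE, "maintainer@example.com", ISSUER))
    print(verify_identity(CERT, NOT_LOGGED, "maintainer@example.com", ISSUER))
    print(verify_identity(CERT, LOGGED_IN_WINDOW, "attacker@example.com", ISSUER))
```

The point of `expired_at` is to make the contrast explicit: by the time anyone installs the package the certificate has long expired, yet `verify_identity` still accepts the signature because the transparency log fixes the signing moment inside the window. A signature logged after the window, one missing from the log, or one whose certificate names a different identity or issuer is rejected regardless of how the artifact's bytes look.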
Syllabus
Python is everywhere
let's talk about "supply chain security"
codesigning: a quick overview
codesigning for packaging ecosystems
codesigning for Python packaging: status quo
solving identity and key management with Sigstore
sunlight is the best disinfectant
Sigstore for Python: where we are
Sigstore for Python: where we want to be
Sigstore for Python: how you can help
Taught by
PyCon US