Zero Trust Supply Chains with Project Sigstore and SPIFFE

CNCF [Cloud Native Computing Foundation] via YouTube

Overview

Explore the concept of zero trust supply chains in this conference talk presented by Andres Vega and Jake Sanders. Delve into the importance of verifying every claim in the software supply chain process, rather than inherently trusting build systems. Learn how the combination of cryptographically verifiable identities and transparency logs offers a novel approach to enhance the security of release artifacts. Discover the toolkit provided by Project Sigstore for publishing verifiable provenance about publicly distributed artifacts. Understand the roles of Sigstore Binary Transparency Log (Rekor), Keyless Signatures (Cosign), and Sigstore Certificate Authority (Fulcio) in storing, signing, and verifying metadata. Explore how SPIFFE's reference implementation SPIRE supports cryptographic operations rooted in a strongly attested universal identity control plane. Witness a demonstration of applying zero trust supply chain architecture to build systems using Sigstore and SPIRE, with TektonCD as the example build system and in-toto as the provenance format. Gain insights into creating a Federated, Verifiable, Zero-Trust Supply Chain to ensure the trustworthiness of your software development process.

Syllabus

Zero Trust Supply Chains with Project Sigstore and SPIFFE - Andres Vega & Jake Sanders

Taught by

CNCF [Cloud Native Computing Foundation]
