No Keys? No Problem - Why You Can Trust Sigstore Signatures
Offered By: CNCF [Cloud Native Computing Foundation] via YouTube
Course Description
Overview
Explore the security and trustworthiness of Sigstore's keyless code signing service in this 27-minute conference talk from KubeCon + CloudNativeCon Europe 2023. Delve into the Sigstore ecosystem, examining how it protects public infrastructure while adhering to core principles of openness. Learn about the trust root, key management requirements, and the implementation of The Update Framework (TUF). Witness a live demonstration simulating a real-life compromise of critical components to test Sigstore's resilience. Gain insights into the Sigstore Community Root, initial trust establishment, ceremony operations, and root management. Discover the Sigstore TUF target layout, client usage, integration, and ecosystem. Equip yourself with knowledge to understand and trust Sigstore signatures for enhanced software supply chain security.
Syllabus
Intro
Sigstore Ecosystem
Where are the keys?
Compromise
Trust in Services
Key management requirements
TUF introduction - continued
TUF - Example deployment
Pictures of where TUF is used
Sigstore Community Root
Initial Root Trust
Ceremony Operations
Root Management
Sigstore TUF Target Layout
Sigstore Client Usage
Client integration
Client Ecosystem
Find out more
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
Toto-Ally TUF: Simple Tools for a Secure Software Supply ChainLinux Foundation via YouTube Software Supply Chain Security Case Study at Anaconda
Linux Foundation via YouTube Securing the Container Supply Chain with Notary, TUF, and Gatekeeper
Linux Foundation via YouTube Improving Package Repository Security - From White Papers to Practice
Linux Foundation via YouTube Container Security: Supply Chain, Authorization, and Runtime Protection
Docker via YouTube