Sign, Attest, and Verify - A Practical Guide for Software Supply Chain Security

Offered By: CNCF [Cloud Native Computing Foundation] via YouTube

Tags

Software Supply Chain Security Courses, Kubernetes Courses, Compliance Courses, Container Security Courses, Kyverno Courses

Course Description

Overview

Explore a practical guide for software supply chain security in this 31-minute conference talk by Anushka Mittal and Vishal Choudhary from Nirmata. Delve into the importance of signing, attesting, and verifying artifacts in the wake of prominent attacks like SolarWinds and Log4j. Learn how the OSS community is addressing concerns related to image integrity, security, and compliance at scale. Discover the role of the OCI v1.1 Spec's referrers API in associating software supply chain artifacts with container images. Examine the Notary Project's cross-industry standards for securing software supply chains through signing, verification, signature portability, and key/certificate management. Understand how CNCF policy engines like Kyverno can leverage supply chain artifact data to apply security checks during Kubernetes cluster admission control. Gain insights into how CNCF projects such as Kyverno and Notary enhance software supply chain security, enforce image trust, and prevent untrusted image deployment, ensuring integrity, security, and compliance at scale.

Syllabus

Sign, Attest, and Verify! A Practical Guide for Software Supply...-Anushka Mittal & Vishal Choudhary


Taught by

CNCF [Cloud Native Computing Foundation]
