Sigstore - How We Learned to Stop Trusting Registries and Love Signatures
Offered By: CNCF [Cloud Native Computing Foundation] via YouTube
Course Description
Overview
Explore a 22-minute conference talk that delves into InfluxData's journey of implementing container image signing for their SaaS offering. Learn how the company integrated this security measure across approximately 100 different container images deployed on numerous Kubernetes clusters in major cloud platforms. Discover the motivations behind this initiative and its expected outcomes from both DevOps and security team perspectives. Follow InfluxData's roadmap from having no image signing to implementing partial checks, and finally requiring signed images for all critical workloads. Gain insights into the challenges of managing over 50 microservices with images built multiple times daily through CI/CD processes. Understand the nuances of signing various image types, including open-source images from internal teams and those provided by other companies. Dive into technical details of secure image signing implementation across multiple CI/CD systems and key management strategies. Explore plans for addressing security issues, including regular key rotation and updating image signatures while invalidating older public keys.
Syllabus
Sigstore Or: How We Learned to Stop Trusting Registries and Love Sig... Wojciech Kocjan & Tyson Kamp
Taught by
CNCF [Cloud Native Computing Foundation]