So You Want to Run Your Own Sigstore - Recommendations for a Secure Setup

Explore recommendations for securely setting up and running a private Sigstore instance in this conference talk. Delve into the motivations behind operating private Sigstore services, including availability requirements, data residency, privacy concerns, and policy controls. Examine the differences in threat modeling between public and private instances, and understand the essential requirements for operating private instances, such as managing a root trust store and ensuring security properties for private certificate authorities and transparency logs. Learn about Sigstore components like Fulcio and Rekor, artifact signing keys, transparency logs, and timestamping. Discover the challenges of key management and how The Update Framework addresses them. Gain insights into deploying Sigstore and monitoring your private instance for optimal security and performance.

Intro
Sigstore Overview - Fulcio
Sigstore Overview - Rekor
Why a Private Sigstore?
Artifact Signing Keys
Private CAs
Private Fulcio
What's a Transparency Log?
Transparency Logs in Sigstore
Do I Need Transparency Logs?
You Must Monitor!
Timestamping in Sigstore
Problems with Key Management
The Update Framework
How to Deploy Sigstore