So You Want to Run Your Own Sigstore - Recommendations for a Secure Setup

Offered By: CNCF [Cloud Native Computing Foundation] via YouTube

Tags

Software Security Courses, Key Management Courses, Certificate Authorities Courses, Sigstore Courses, The Update Framework Courses

Course Description

Overview

Explore recommendations for securely setting up and running a private Sigstore instance in this conference talk. Delve into the motivations behind operating private Sigstore services, including availability requirements, data residency, privacy concerns, and policy controls. Examine the differences in threat modeling between public and private instances, and understand the essential requirements for operating private instances, such as managing a root trust store and ensuring security properties for private certificate authorities and transparency logs. Learn about Sigstore components like Fulcio and Rekor, artifact signing keys, transparency logs, and timestamping. Discover the challenges of key management and how The Update Framework addresses them. Gain insights into deploying Sigstore and monitoring your private instance for optimal security and performance.

Syllabus

Intro
Sigstore Overview - Fulcio
Sigstore Overview - Rekor
Why a Private Sigstore?
Artifact Signing Keys
Private CAs
Private Fulcio
What's a Transparency Log?
Transparency Logs in Sigstore
Do I Need Transparency Logs?
You Must Monitor!
Timestamping in Sigstore
Problems with Key Management
The Update Framework
How to Deploy Sigstore
Taught by

CNCF [Cloud Native Computing Foundation]

Related Courses

Toto-Ally TUF: Simple Tools for a Secure Software Supply Chain
Linux Foundation via YouTube
Software Supply Chain Security Case Study at Anaconda
Linux Foundation via YouTube
Securing the Container Supply Chain with Notary, TUF, and Gatekeeper
Linux Foundation via YouTube
Improving Package Repository Security - From White Papers to Practice
Linux Foundation via YouTube
Container Security: Supply Chain, Authorization, and Runtime Protection
Docker via YouTube