So You Want to Run Your Own Sigstore - Recommendations for a Secure Setup
Offered By: CNCF [Cloud Native Computing Foundation] via YouTube
Course Description
Overview
Explore recommendations for securely setting up and running a private Sigstore instance in this conference talk. Delve into the motivations behind operating private Sigstore services, including availability requirements, data residency, privacy concerns, and policy controls. Examine the differences in threat modeling between public and private instances, and understand the essential requirements for operating private instances, such as managing a root trust store and ensuring security properties for private certificate authorities and transparency logs. Learn about Sigstore components like Fulcio and Rekor, artifact signing keys, transparency logs, and timestamping. Discover the challenges of key management and how The Update Framework addresses them. Gain insights into deploying Sigstore and monitoring your private instance for optimal security and performance.
Syllabus
Intro
Sigstore Overview - Fulcio
Sigstore Overview - Rekor
Why a Private Sigstore?
Artifact Signing Keys
Private CAs
Private Fulcio
What's a Transparency Log?
Transparency Logs in Sigstore
Do I Need Transparency Logs?
You Must Monitor!
Timestamping in Sigstore
Problems with Key Management
The Update Framework
How to Deploy Sigstore
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
Securing Your Software Supply Chain with SigstoreLinux Foundation via edX Hands-on Introduction to Sigstore - Securing the Software Supply Chain
Rawkode Academy via YouTube Protecting the World's Greatest Open Source Ecosystem with Sigstore
Devoxx via YouTube PGP vs Sigstore - The Match at Maven Central
Devoxx via YouTube Securing Your Infrastructure as Code Pipeline
Linux Foundation via YouTube