Zero Trust Supply Chains with Project Sigstore and SPIFFE
Offered By: CNCF [Cloud Native Computing Foundation] via YouTube
Course Description
Overview
Explore the concept of zero trust supply chains in this conference talk presented by Andres Vega and Jake Sanders. Delve into the importance of verifying every claim in the software supply chain process, rather than inherently trusting build systems. Learn how the combination of cryptographically verifiable identities and transparency logs offers a novel approach to enhance the security of release artifacts. Discover the toolkit provided by Project Sigstore for publishing verifiable provenance about publicly distributed artifacts. Understand the roles of Sigstore Binary Transparency Log (Rekor), Keyless Signatures (Cosign), and Sigstore Certificate Authority (Fulcio) in storing, signing, and verifying metadata. Explore how SPIFFE's reference implementation SPIRE supports cryptographic operations rooted in a strongly attested universal identity control plane. Witness a demonstration of applying zero trust supply chain architecture to build systems using Sigstore and SPIRE, with TektonCD as the example build system and in-toto as the provenance format. Gain insights into creating a Federated, Verifiable, Zero-Trust Supply Chain to ensure the trustworthiness of your software development process.
Syllabus
Zero Trust Supply Chains with Project Sigstore and SPIFFE - Andres Vega & Jake Sanders
Taught by
CNCF [Cloud Native Computing Foundation]