Sigstore is an open-source project that aims to provide a transparent and secure way to sign and verify software artifacts. It is an initiative that is part of the Open Source Security Foundation (OpenSSF), and it aims to establish standards for software signing that are both easy to use and widely adopted.
Sigstore can sign and verify any software artifact, including container images, source code, NPM packages, and more! It provides a simple and easy-to-use API for developers, as well as command-line tools and integrations with popular software development platforms.
In this talk, we'll dive into the architecture and internals of Sigstore and keyless signing, along with the security considerations that drove the design. We'll examine how you can reuse your existing identity infrastructure to produce signed artifacts without worrying about protecting long-lived keys. We'll also examine how you can use these signatures to enforce runtime policies on signing identities.
Staff Software Engineer @Chainguard
Billy is a staff software engineer at Chainguard, working on developer tools and securing software supply chains for everyone! He is an active contributor and maintainer to the Sigstore and Tekton projects, and is the creator of Gitsign. Prior to working at Chainguard, Billy worked on several developer tool teams at Google including Cloud Build, Google Code, and Cloud Source Repositories.
Research Scientist @Chainguard
Zack is passionate about developer tooling, supply chain security, and applied cryptography. After 4 years as a software engineer and tech lead on Google Cloud SDK, he moved to MIT CSAIL to research authenticated data structures and Tor network performance. Now, as a research scientist at Chainguard, he works with the TUF and Sigstore communities to make open source more secure.