Back To Schedule
Tuesday, October 5 • 4:30pm - 5:00pm
Policy Compliance with Sigstore: From Signing Software to Validating the Whole Software Supply Chain - Axel Simon, Red Hat

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
While Software Supply Chain attacks have existed for years, recent high-profile attacks have elevated the awareness of these threats. Thankfully, the open source community has been working to improve how we verify the software we deploy and rely on. In this talk, we will discuss sigstore, a new open source effort aiming to provide ubiquitous, free and easy to use software signing and verification by offering a set of tools backed by a public good service. Its goal is to make verifying the provenance of any code you want to run, up to its upstream dependencies, simple and easy. Building on this capacity to verify the provenance of software, we will look at using automation such as CI/CD build pipelines and policy tools (e.g. OPA). These capabilities will enable better informed decisions about whether to accept code on our build systems, our test systems and our production systems. Finally, we will review the ideas we have been investigating at Red Hat for using sigtore and other tools like Keylime and Tekton Chains to verify software at each step of a cloud-native software build and deployment process, enforcing a chosen policy, itself verified.

avatar for Axel Simon

Axel Simon

security and emerging tech, Office of the CTO, Red Hat
Axel is part of Red Hat's Office of the CTO, where he works on open source security as part of the Emerging Technologies team. He has worked on projects such as Enarx, Keylime and sigstore. He has studied economics, “done agile”, worked on the blockchain ecosystem, talked before... Read More →

Tuesday October 5, 2021 4:30pm - 5:00pm BST
  Policy / Process / Operations