Open Source Strategy Forum London 2021

While Software Supply Chain attacks have existed for years, recent high-profile attacks have elevated the awareness of these threats. Thankfully, the open source community has been working to improve how we verify the software we deploy and rely on. In this talk, we will discuss sigstore, a new open source effort aiming to provide ubiquitous, free and easy to use software signing and verification by offering a set of tools backed by a public good service. Its goal is to make verifying the provenance of any code you want to run, up to its upstream dependencies, simple and easy. Building on this capacity to verify the provenance of software, we will look at using automation such as CI/CD build pipelines and policy tools (e.g. OPA). These capabilities will enable better informed decisions about whether to accept code on our build systems, our test systems and our production systems. Finally, we will review the ideas we have been investigating at Red Hat for using sigtore and other tools like Keylime and Tekton Chains to verify software at each step of a cloud-native software build and deployment process, enforcing a chosen policy, itself verified.