►
Description
Chainguard Enforce: https://www.chainguard.dev/chainguard-enforce
Blog with all URLs and insights: https://everyonecancontribute.com/post/2022-05-10-cafe-51-first-look-chainguard-enforce-software-supply-chain-security/
Request a demo at https://www.chainguard.dev/chainguard-enforce
TOC
00:00 Introductions
3:04 Introduction to Software Supply Chain Security
5:00 Introduction to Chainguard Enforce
9:55 Demo: GitLab repo with a webserver which gets deployed as container image in the pipeline
12:00 cosign verify - unsiged image
13:20 chainctl SaaS login to load default image policy
15:10 Chainguard Enforce custom policy for GitLab deployment
17:00 Chainguard agent install, light-weight to observe & enforce
23:00 Update GitLab CI/CD config to build & sign the image
28:20 Deploy and verify the signed image
31:30 Observing - now enforcing the policies, verify the signatures and identities
36:00 Other types of policies for Enforce
36:50 Why Chainguard Enforce
37:30 Questions, answers, discussions
56:33 KubeCon EU outlook - join Carlos with the SIG Release Update on "Releasing Kubernetes Less Often and More Secure"- https://twitter.com/dnsmichi/status/1524080403405017089
A
B
B
B
B
Of
this
talk
is
just
to
be,
I'm
gonna
speak
a
little
bit
and
then
I'm
gonna
do
like
a
demo
like
we're
gonna,
be
like
not
a
complex
demo,
but
like
just
a
simple
one,
to
explain
how
things
works
and
then
later
on.
If
like
people
can
ask
questions
and
like
for,
I
would
say
for
more
in-depth
demo,
we
can
maybe
schedule
one-on-ones
to
do.
That
sounds
good.
B
Then,
let's
start
what's
the
the
chain,
one
it's
a
company
and
then
we
have
a
software
like
a
system,
an
application
or
whatever
you
want
to
call
that.
That's
we
call
it
the
inforce,
but
before
we
jump
on
that,
like
let's
see,
what's
the
problem
of
the
supply
chain
security,
we
have
that's
become
like
a
hype
everybody's
talking
about
that
right
and
it
becomes
like
very
like
in
the
news
and
all
the
stuff
like
last
last
year
with
the
some
attacks
at
the
I
forgot,
the
name
of
the
company
solar.
B
And
that
was
like
a
really
bad
thing
that
happens
and
for
some
numbers
we
saw
like
there
is
a
lot
of
increasing
in
attacks
over
the
last
year,
and
that
is
a
life
like,
as
we
can
see
from
gartner
there's
like
some
experiencing
like
three
3x
increasing
like
size
2001
like
there's.
A
lot
of
attacks
on
that.
Like
people
saw
that
can
somehow
attack
and
if
you
think,
like
there's
a
large
project
out
there
and
they
are
using
like
no
like
publishing,
sometimes
secrets
publishing.
B
Sometimes
a
week
weekly
like
a
week,
pipelines
that
the
people
can
just
so
we
meet
a
pull
request
and
maybe
change
those
things
and
to
fix
that.
Like
there's,
no
single
fix
that
we
need
to
fix
like
across
the
pipeline,
and
we
have
like
some
frameworks
to
to
help
on
on
that
like
as
well
like,
for
we
have
the
salsa
one
slsa.
B
B
And
then
you
generate
some
policies
for
you
like
for
your
for
you
for
your
company,
for
if
you
have
like
a
set
of
clusters,
I
would
say
you
have
one
cluster
for
the
team
finance
another
for
the
marketing
and
so
one
that
we
can
have
different
policies
for
different
teams.
We
can
have
like
one
high
level
policy
for
the
entire
company,
and
then
it
enforce,
like
can
be
used
also
to
generate
bones.
B
Okay:
okay,
here
the
idea
of
the
chain
guarding
force
is
like
the
we
draft
the
policy
like
our
organizational
policy
like,
for
example,
we
should
only
deploy
signed
inmates
and
that's
going
to
be
like
we
can
define
from
where,
like
which
registry
from
which
sign
there
from
which,
which
make
sure
you
can
define
those
things
and
that
we
can
observe
like
you,
can
monitor
in
the
compliance
of
those
policies
and
then
like,
for
example,
like
there's.
No,
you
may
sign
it.
The
one
appears
in
the
in
the
report
and
then
let's,
for
example,
you
act.
B
You
improve
the
automation
and
compliance.
For
example,
you
want
the
signing
step
on
your
ci
cd
pipeline
and
then
like
in
the.
In
the
end,
you
can
like
enable
the
enforcement.
That
means
if
your
image
is
not
signed
by
the
specific
issue.
For
example,
it's
not
going
to
be
deployed
in
your
cluster
and
then
this
you
can
have
like
a
sequel,
a
cycle
of
like
feedback
loop
as
well.
B
E
B
We
can
validate
like,
for
example,
if
there
is
a
key
multi
hardware
keys
for
approval
before
deploying
the
the
containers
like
people
should
be
going
and
approve
by
using
the
hardware
key
this,
if
you
think,
is
more
for
like
restricted
environments
like
maybe
for
department
of
defense
or
others,
but
it's
a
nice
things
to
have
as
well.
For
example,
you
can
have
like
a
approved
independence
that
can
be
allowed
to
be
deployed
based
images
from
your
container.
B
If
that
base
image
differ
from
the
base
image,
that
is
in
the
policy
it's
not
going
to
deploy.
Only,
for
example,
we
only
approve,
let's
say,
for
example,
an
alpine
version,
one
two
three,
but
if
you
get
alpine
latest,
not
it's
gonna
block
it
then,
for
example,
and
deny
you
to
build
and
deploy
things
we
also
can
like
use.
Ems
integrations
with
the,
for
example,
aws
kms
on
others,
and
you
you,
we
can
have
like
custom
integrations
as
well.
B
Okay,
let
me
stop
sharing
here,
and
I
think
I
don't
know
if
it's
I'm
gonna
be
a
lot
of
sharing
to
not
share
wrong
things
here.
First,
I'm
gonna
share
the
gitlab
repository
for
the
demo.
We
have
I'm
gonna
just
quickly
show
this
is
the
application
we're
gonna
build
it's
very
simple:
there's
nothing
like
fancy.
It's
just
like
a
simple
web
server.
B
Listening
on
one
specific
port
that
will
reply
things
and
that's
it,
and
here
we
have
a
gitlab
ci
pipeline.
I
hope
everybody
can
see
right,
yep,
okay
for
now
like
to
make
it
easier
for
us
to
like
not
writing
everything.
I
comment
out
the
signing
part,
but
we
have
here
for
now
two
states
the
build
one
and
the
release
one.
The
build
one
is
building
that
application.
Like
that
code,
we
saw
before
using
ko
for
building
the
the
image
container
and
it
also
pushed
to
to
the
gcr
for
that.
B
In
our
case,
we
are
pushing
everything
to
google
cloud
project.
We
have
script
and
this
builds
the
image
and
then,
in
the
deploy
part,
it's
gonna
get
that
image.
We
just
build
it
and
deploy
in
our
running
cluster.
For
example,
imagine
this
is
your
development
work
and
then
every
every
time
like
we
open
our
merch
requests,
people
approve
and
we
merge
that
merge,
request,
we're
going
to
trigger
this
pipeline
and
going
to
deploy,
in
our
let's
say,
test
environment
for
example,
or
even
deploy
on
production.
B
B
And
running
that
that
is
no
matching
signatures.
That
means
I
we
don't
have
any
signatures
like
we
when
we
built
that
image.
We
didn't
sign
that
okay
now
the
idea
is
we're
gonna,
deploy
our
enforce
agent
on
this
cluster
here,
which
we
don't
have
anything
right
now.
We
just
have
our
our
the
demo
app,
and
in
this
case
also,
we
have
our
gitlab
render
for
that
that
we,
like
only
use
that
runner
to
run
for
that
specific
pipeline,
and
there
are
other
applications
for
the
system.
B
B
D
B
D
B
F
F
B
B
The
other
part
here
is
we're
gonna,
add
this
authority
here
the
keyless
should
be
like.
It
should
point
you
to
the
fusio.
The
identities
should
be.
The
issue
in
this
case
should
be
accounts.google.com
and
the
subject
should
be
the
search
account.
We
have
defined
it
if
we
use
another
subject,
for
example,
to
sign
the
the
image
the
policy
gonna
complain
and
then
we
can
check
it
out
and
then
maybe
not
al.
If
we
start
the
enforcing
the
policies,
that's
gonna
be
rejected.
B
B
B
B
Of
course,
if
you
like
have
like
a
huge
cluster
with
like
a
dozen
thousands
of
policies,
it
might
consume
a
lot
of
things,
but
the
idea
we
are
working
is
like
to
consume
less
and
less
resources
from
the
cluster
that
you
are
installing.
That
means
you're
not
gonna,
see
much
consumed
consumption
from
this
agent.
B
If
now
we
I'm
gonna,
take
a
let's
take
a
look
on
the
clusters
that
we
have
there's
a
lot
of
clusters
here
and
in
our
case
our
is
this
one.
Here
that
is
already
collected
matrix,
we
can
see
that
the
version
of
the
kubernetes,
which
is
the
version
of
our
agent
running
and
we
can
see
other
informations
as
well.
B
B
This
is
the
that
we
applied
the
policy
that
only
accepted
the
coming
from
image,
sign
it
from
the
chainwalk
demo
registry
and
coming
from
those
specific
authorities-
and
this
is
the
image
we
saw
before-
is
not
signed
it
right
and
the
demo
policy
it
it's
failing
here,
as
we
can
see
here.
This
is
failing,
but
the
if
we
take
a
look,
it's
still
running,
because
we
didn't
enforce
like
that
policy.
We
are
just
observing
right
now,
the
the
policy.
F
F
B
B
B
A
B
B
B
C
F
F
Now
this
is
the
tool
for
supply
chain,
which
is
almost
of
the
same,
applying
policies,
various
policies
to
the
communist
environment
right.
So
how
and
why
this
is.
We
call
like
specially
for
supply
chain
how
how
it
is
kind
of
because
we
are
conducting
here
for
supply
chain
and
that's
why
it
is
for
that's
my
understanding.
I
mean
yeah,
the.
B
B
The
idea
like
in
this
demo,
I'm
going
to
be
very
simple,
like
we
just
want
to
talk
about
the
signing
part,
but
also
in
force,
can
like
look
on
the
the
bill
of
materials
of
your
container
and
generate
a
report
on
that
and
say,
for
example,
you
are
using
a
base
image
to
build
your
container
that
contains,
let's
say
four
high
or
critical
cvs
that
are
gonna
alert
you
and
then
you
can
locate.
That's
some
problem.
F
In
fact
to
go
to
your
slides,
I
just
saw
this
first
second
slide.
I
believe
you
pointed
out
all
the
features
so
like
that's
with
due
respect,
I'm
not
complaining
or
I'm
not
commenting.
I
really
want
to
understand
that
how
it
is
different,
because
every
tools
today
cloud
native
security
tools
they
pretty
much,
do
the
same.
Like
all
the
features
what
users
showed.
F
I
just
want
to
understand
what
how
how
do
you
compare
yourself
with
all
those
tools
and
what
extra
you're
doing
for
this
cloud
cloud
native
applications
for
this
supply
chain
applications
or
our
data?
How
is
different
and
why
it
is
special.
I
just
that's
honest.
That's
my
honest
task.
Actually,
it
is
not
to
actually
really
asking
a
question
or
challenging
you
not
okay,.
B
B
Our
focus
here
is
more
on
the
supply
chain.
Things
like,
for
example,
when
you
build
on
a
on
the
container
it
you're
gonna
check
we're
gonna
check.
What's
the
dependency
on
that
your
application,
the
dependencies
in
the
container
and
show
out
all
this
stuff,
and
then
we
can
enforce
some
fixed,
for
example,
if
we
are
using
a
specific
dependency,
you
can
allow
only
that
specific
dependence
to
be
deployed
in
your
cluster,
for
example,.
B
Later,
okay,
I
think
going
back.
Okay,
everything
was
deployed
and
then,
if
we
take
a
look
here,
we
signed
a
container
as
well,
and
this
is
using
the
the
gitlab
oidc
token.
But
we
cannot
use
that
one
to
sign
the
containers
right
now,
because
gitlab
doesn't
have
some
specific
fields
that
the
cosine
2
needs
to
sign
that
we,
but
we
are
using
that
token
to
sign
to
get
the
credentials
and
stuff
for
the
google
cloud.
B
C
A
F
D
B
Yeah
and
it's
the
same
okay
now
we
we
are
in
the
stage
that
we
are
just
like
monitoring
right.
We
are
just
seeing
if
the
the
things
we
define
in
the
policy
is
like
matching
or
passing
or
failing,
and
in
this
case
now
it's
passing
now.
The
next
step
for
us
is
like.
We
are
good
with
this
policy
and
then
now
we
are
gonna.
B
B
Example,
app
and,
let's
say,
for
example,
we
want
to
to
deploy
like
I'm
a
developer
and
like
need
to
deploy
quickly
a
container
to
try
out
whatever
I
need
to
try
out
and
that
container
is
not
sign
it
and
I
try
to
run
the
let's
say
they
made
ubuntu.
That's
the
simple
stuff.
Like
the
admission.
Now
it's
going
to
that
policy
checking
the
part
that
this
image
is
not
silent.
B
B
I
want
to
deploy,
for
example,
the
digital
as
busy
box
is
silent,
but
different
authorities
like
remember
like
we
when
we
create
the
demo
policy.
We
set
some
specific
issue
and
subject
and
this
for
this
image
here
they
have
a
different
issue
and
a
different
subject
by
the
policy.
If
we
deploy
in
this
namespace
also,
it
should
block
as
well,
and
it
complains
here,
there's
no
matching
signatures
and
non-matched
identities.
B
That
means
now
we
like
complete
the
cycle
we
saw
in
the
in
the
presentation
that
we
like
define
the
policy
we
observe
we
act
on
that
like
to
improve
our
pipeline,
in
our
case,
adding
the
signing
and
then
like.
We
are
going
to
like
start
enforcing
things
and
then
stopping
like
deploying
the
image
that
is
not
signed
in
this
case
with
different,
like
with.
We
cannot
deploy
in
this
name
space
image.
B
That's
not
signed
with
the
specific
keys,
and
this
is
a
simple
one
like,
for
example
like,
as
I
mentioned,
and
you
saw
in
the
presentation,
we
can
enforce
policies
that,
if
the
deal
of
material
contain
a
specific
dependency
that
is
under
a
version
one
two.
Three,
for
example,
we
can
start
blocking
those
things.
B
For
example,
we
can
distribute
the
policies
for
like
for
the
team
a
and
then
we
we
can
go
distributing
the
policies
like
from
the
top
to
bottom,
or
you
have
a
specific
policy
for
the
data
science
here
on
team,
one
two
three
and
then
in
the
end
we
can
summarize
everything
is
all
your
clusters
is
compatible
like
matching
the
policies
and
we
can
have
multiple
types
of
deployment.
We
can
have
one
managed
by
us
and
also,
if
you
want
to
manage
by
yourself,
you
can
deploy
the
chainwhite
services
in
your
cluster
as
well.
B
E
A
bit
of
a
use
case
question
and
thanks
carlos
it's
really
nice
to
meet
you.
Obviously,
I'm
a
bit
of
a
fan.
I
bumped
into
the
chain
guard
team
on
day,
one
last
year
at
kubecon
and
kind
of
stayed
close
from
there.
So
when
I'll
give
you
a
customer
use
case-
and
you
tell
me
where
chainguard
fits
because
my
colleague
ponch,
he
was
asking
some
some
questions
with
regards
to
commercial
viability
and
just
understanding
where
the
market
is
so.
E
My
question
is:
I
had
a
customer
maybe
two
years
ago
that
effectively
was
compromised
by
a
software
supply
chain
attack,
one
of
their
java
developers
brought
in
a
malicious
package
from
maven
and
the
application
the
component
went
into
the
the
pipeline.
It
was
a
jenkins
pipeline
running
at
aws
that
that
component
ended
up,
including
a
piece
of
malware
for
crypto
jacking
from
there,
the
crypto
jacking
malware
consumed
compute
resources
in
amazon,
which
then
they
found
out
about
it
through
a
bill
right.
They
got
a
bill
in
the
mail.
E
That
said
this
is
30
000
and
they
started
asking
questions.
Why
did
our
bill
increase
this?
Much
so
to
the
question
of
obviously,
a
cic
and
devsecops
pipeline
includes
a
lot
of
phases,
but
I
think
ponch
was
trying
to
understand
how
does
or
if
does
a
chain
guard
address,
that
type
of
use
case?
How
does
it
kind
of
ensure
that
the
package
is
signed
and
that
there's
kind
of
a
block
in
terms
of
that
component
or
that
package
from
a
kubernetes
perspective.
B
Yeah
good
question:
I
want
to
try
to
answer
like,
for
example,
as
we
saw
in
the
demo
you
can
like
you
have.
We
are
like
in
this
demo
and
that
enforces
only
one
part
of
the
the
all
this
the
chain
right
and
if
you
already
built
your
application-
and
let's
say,
as
you
mentioned
like
was
in
a
jinx
pipeline
that
somehow
the
malicious
code
went
there
and
then
just
propagating
your
container,
maybe
or
in
your
package
java
package.
B
When
you
deploy
that
in
the
in
the
environment,
we're
gonna
like
you,
can
have
some
policies
that
say
that's,
maybe
you
can
define
okay,
I
have
my
application.
Those
are
the
dependencies
I
accept
right
and
then
you
can
create
a
policy
for
that
and
say.
Okay,
then
I'm
deploying
this
container
at
one
two
three
and
I'm
gonna
check
the
bill
of
materials
of
this
container
and
then,
if
there
is
something
that
is
not
matching
that
against
my
policy,
the
first
policy
can
be
like
it's
silent,
yeah
best.
The
second
policy
can
be.
B
Does
the
base
image
match
with
the
base
image
I'm
expecting
like
can
be
in
like
specific
digest,
right
right
or
if
the
base
mage
is
silent
as
well
like?
We
can
take
a
look
on
that
and
the
next
is
this
policy
we
can
set.
Okay,
all
those
things
pass.
It
now
we're
gonna,
take
a
look
on
the
dependencies,
those
dependencies
matching
the
the
versions
I'm
waiting
for
that
match
the
hashes
I'm
waiting
for
okay,
there's
a
new
dependency
here.
That
is
not
matching
my
policy.
B
F
I
actually
my
question
is
little
different.
I
my
question
is
not
related
to
technology,
but
the
use
cases
do
do.
Does
this
tool
like
have
any
pre-knowledge
of
supply
chain
and
show
that
it
like
I,
I
was
thinking
that
it
has
got
some
ai
stuffs
which
actually
talk
or
you
previously.
Your
company
has
got
some
knowledge
about
supply
chain
so
that
you
provide
that
information
prior
to
applying
the
policies
so
because
this
is
supply
curve.
Our
chain
guard.
F
So
I
because
this
is
when
we
were
talking
technology
every
I
have
used
by
the
way
prisoner
cloud
in
my
carrier.
So
that's
why
I
said:
how
does
this
different?
Technologically,
I
think
every
tool
some
does
something
extra.
Some
does
something
right
in
every
degree,
detail
tools.
They
do
similar
things
so
because
this
is
chain
word.
So
I
was
thinking
that
do
you
have
any
kind
of
ai
applied
to
it
so
that
it
does
specifically
better
than
others
in
the
supply
chain.
F
Yeah
some
companies,
because
they
have
previously-
I
have
seen
in
my
career
that
some
companies
they
do-
have
the
business
knowledge
of
particular
like
supply
chain.
I
I
know
a
company
which
they
had
a
particular
insurance
sector.
They
were
a
business
outsourcing
company,
so
they
have
a
lot
of
business
knowledge,
so
they
created
a
tool
because
they
have
the
knowledge
of
that
particular
domain.
F
So
I
was
thinking
that
maybe
your
company
has
got
a
special
domain
knowledge,
so
that-
and
you
know
how
the
security
works
of
cloud
native,
so
you
combine
both
to
form
a
company
or
product
called,
maybe
chain
guard
which
does
specifically
special
security
needs
of
gender
supply
chain.
I
wanted
to
understand
that.
What
is
that
like?
What
exactly
you
do
towards
supply
chain,
rather
than
any
generic
cloud
native
security
tool?
F
Does
the
same
you
apply,
you
create
the
policies,
you
apply,
the
policy,
you
scan
the
images
and
in
the
cicd
pipeline
you.
Obviously,
if
you
apply
to
three
products,
every
tool
does
something
different
and
you
they
are
specialized
in
something.
So
what
is
your
specialization
by
the
way?
My
name
is
panseleshwara.
I
am
from
pure
storage.
I
work
with
adam
here,
so
we
we
are
also
cloud
native
companies,
so
we
are
in
the
same
space.
B
I'm
sorry
but
there's
some
stuff.
I
cannot
comment
yet
because
it's
not
like
totally
public,
but
I
would
say
if
you
want
to
like
to
to
learn
more
like
you
can
like,
send
us
a
message
and
then
we
can
have
like
a
more
business
call
properly.
Then
we
can
do
discuss
some
internals
better
with
you,
but
I
would
say,
like
we
have
some
knowledge
on
those
things
and
then
we
can
apply
things
for
you.
Yeah.
F
That's
I'm
I'm
not
asking
all
the
proprietary
knowledge,
of
course,
but
I'm
if,
if
I
want
to
like
okay
talk
to
somebody,
somebody
asked
me
this
question:
okay,
how
it
is
different
than
any
other
tool.
So
that
should
be
a
public
knowledge.
I
believe
how
it
is
different
than
prisma
or
how
are
you
different
than
sysd
how
how
is
different
than
other
tools,
so
some
competitive
analysis.
A
I
think
that
would
be
a
great
update
for
the
website,
maybe
in
the
future
yeah,
when
more
more
questions
like
this
come
up,
you
can
put
it
up
on
the
website,
have
a
comparison,
metrics
or
whatever
is
needed
to
to
satisfy
the
the
need
for
for
answers.
In
that
regard,
I
think
carlos
cannot
answer
them
now,
so
it
would
just
make
sense
to
delay
that
into
might
be
a
one-on-one
or
yeah.
Maybe.
A
B
Cubicom
is,
is
there
like
there's
some
stuff
we
are
preparing
for
our
cubicle
and
we're
gonna
have
like
show
some
like
videos
and
more
in-depth
stuff
for
now,
there's
some
stuff.
I
cannot
comment
and
I
would
say
the
the
thing
you
can
do
with
the
enforce
tool
is
like.
This
is
just
a
simple
one.
You
can
do
much
more
things
that
okay.
F
F
C
Okay,
probably
I
have
some
questions,
but
I
will
start
with
this.
I
think
with
a
simple
one.
So
we
talked
about
software
bill
of
materials
right.
So
what
are
the
current
standards
that
are
supported?
So
I
mean
currently
we
at
our
company
we
using
cyclone
dx
so
for
generating
the
s-bomb
right.
Is
there
also
possible
to
go
into
the
spd-x
yeah.
B
B
And
if
I
generate
one
to
generate
s
boom
using
two,
let's
say
a
and
try
to
verify
that
with
another
two
b
that
sometimes
doesn't
match.
But
we
are
like,
as
a
community.
We
are
working
to
like
in
towards
this
like
having
like
a
if
I
generate
spdx
with
using
2a.
If
it
generates
spdx
with
a
2b,
they
should
match
right
today,
sometimes
doesn't
match.
B
C
B
A
B
B
The
keys
like
you
don't
need
rotate
stuff,
which
is
sometimes
is
good,
but
also,
if
you
want,
you
can
use
cosine,
for
example,
with
a
hardware
key
for
my
my
personal
projects.
I
have
a
hardware
key
that
I
sign
my
containers
using
the
the
ub
key
and
you
can
use
also
tms,
like
from
any
cloud
provider
like,
for
example,
hash
copy
found
to
generate
the
keys
for
you,
and
then
you
can
use
that
to
site.
C
B
Used
some
tools
from
six
star
like,
for
example,
both
side
to
sign,
and
we
have
recoil
and
fusion
to
to
generate
the
the
keys
and
the
required
to
to
store
the
the
transparent
logs.
That
means
with
everything
we
sign,
we
push
to
the
to
the
logs
and
then
we
it's
public
available.
We
can
match
those
things.
B
B
C
C
Go
ahead:
ask
okay
yeah
then,
regarding
I
would
go
back
to
the
s-bomb
topic.
So
what
would
be
the
optimal
flow
in
terms
of
generating
those
s-bombs?
So
would
it
be
best
practice
in
terms
of
generating
the
s-bomb
directly
with
your
soul
stored
then
package
it
into
your
container
and
then
it
will
be
signed
or
you
do
it
the
other
way,
generating
two
s-bombs
so
drain
it
first
for
the
source
code
and
then
afterwards
also
for
the
container,
so
that
I
also
can
catch
up
the
package
dependencies
from
the
container.
B
You
build
all
those
things
and
then
you
can
use
cosine
to
attach
those
s-bombs
in
the
container
image
as
well.
And
then
you
sign
the
container
image
with
everything
or
you
also.
You
can
sign
their
only
desk
phone
for
my
source
code.
I
can
sign
the
for
my
binary,
for
example,
where
I
can
sign
my
s
ball
for
my
container
image,
but
usually
like
people
just
attach
those
things
and
push
together
with
the
container.
C
Okay,
yeah,
that's
true!
So
pretty
awesome,
it's
interesting.
So
I
also
now
I
got
involved
into
more
technical
way
so
with
cosine,
which
current
signing
methods
are
currently
supported,
so
crypto
signings,
because
the
idea
that
I
have
currently
behind
it.
So
I
work
in
a
company.
We
do
know
a
little
bit
blockchain
and
we
have
like
decentralized
identifiers
and
they
can
be
stored
like
on
the
theme
on
btcr,
so
on
the
typical
bitcoin
blockchain
and
mostly
what
you
have
there.
C
B
B
C
C
B
E
A
B
Awesome
if
I
have
a
spacer
like
I'm,
going
to
speak
as
well
there,
but
for
the
sig
release
update
it's
going
to
be
on
wednesday
midday.
I
guess,
and
if
you
want
to
hear
the
updates
for
sig
release
and
the
release
of
kubernetes,
that
we
did
in
the
last
cycle,
for
example,
signing
the
containers
and
generating
the
bureau
of
materials
for
kubernetes.
You
like
to
welcome
you.
There.
B
And
now,
just
like
giving
like
a
sneak
peek
of
the
talk,
the
work
we
did
like
signing
the
kubernetes
releases.
Now
it's
available
for
all
the
projects
under
the
kubernetes
community.
Every
project
that
uses
the
promotion
process
like
promoting
the
image
from
the
staging
environment
to
the
production
one
is
getting
cited
as
well.
For
example,
there
all
the
cluster
api
images
for
the
providers
and
the
cluster
api
is
getting
signed,
any
other
like
tool
that
is
generated
by
the
the
community
gonna
be
signed
as
well.