From YouTube: Sigstore Community Meeting - June 8, 2021
Description
No description was provided for this meeting.
A
Great, okay, so welcome everybody to the sigstore community meeting. I shall share the agenda if you don't have the agenda. Okay, the best thing to do, rather than grant access to the doc, is: go to github.com/sigstore/community, and in there you'll see a Google Calendar invite. If you click on that it will populate a calendar entry for you, and then, if you go via that entry to the community meeting minutes, it will automatically grant you access. So that's the best way to get access to the minutes, right.

A
Let's share this.

A
Okay, so yeah, please add your name if you can, and there is an agenda there; if you want to get anything in that's prudent to be discussed, please do add. Let's kick off. So, office hours: do we have an office hours this week? Do you plan to do anything [inaudible]?

A
Okay, and so yeah, we've also got our sigstore key signing ceremony event that's going to be happening, and it's going to be broadcast live, and I think it's the 18th, isn't it, Dan?

A
Awesome. So if you don't know what that's about, the link in the community doc will take you through to a blog post that Dan wrote that describes that, but essentially there's going to be five individuals that have all got two YubiKeys, and then we're going to do a TUF-style co-signing to create the root keys for [inaudible] project, for sigstore's infrastructure. So that's gonna be broadcast live. The key signing is actually going to be... all of the TUF signing materials are going to be in a repository, so we're going to encourage people to fork that, as a kind of transparent form of us being accountable for what we've done, so to say, for this being transparent.

A
So it's pretty exciting stuff. Okay, the lightning presentation, is that you, Dev?
D
Yes siree, hello everyone. I'm gonna make this as quick as we possibly can. So I'm going to share my screen and, oh, it's asking me if it's okay to take off.

D
Lovely, thank you very much. Okay, so, you know, some of you on the call will know who we are, what we're doing; some of you won't. As quickly as I possibly can: we have been working with Google and Red Hat over the last four weeks to try and understand some things about how to grow sigstore. We could say lots of things about it. There's lots of ways to sort of talk about what we're doing, but I will just crack on.

D
This is our final presentation, or actually, this is a redux of our final presentation. The full presentation will be available to everybody to read; there's quite a lot of it, and we welcome feedback once people have digested it, but for right now we're just going to give you a super quick top line.

D
If any of it sounds a bit out of context, or like "what the hell is this and why the hell is this", it's probably because the full document kind of takes you through the picture. But what are we trying to do? So, the goal of the four weeks for us was to look at ways to improve the adoption of sigstore.

D
What we've tried to do in this particular document, which summarizes everything, is answer a few of these questions. Thank you, Luke, for this first question; we sort of basically stole that. How do we get people to take their vitamins? Right, thinking of a security product as a vitamin: how do we get people to take them? How to make it easy to do? How do we promote the benefits of these kinds of things? And then there's a kind of key question for sigstore and the community about what you need to do.

D
First, what should you do next? There's so many things you could do to kind of grow it, to get it out in the world. So it's a question of, like, ordering it a little bit. So we try to answer those questions; we'll try to answer it by jumping forward into the future a little bit to look at what we want the future of sigstore to be like: where could the safety of supply chains actually be?

D
In a few years' time. How all of this has come together for us is several weeks of interviewing people that may or may not be associated with this sort of technology, with this sort of product, trying to understand their needs, wants, behaviors, and how, if we meet those needs and wants and whatever else, if we're able to meet those and position this in such a way that it fulfills those needs, it can grow.

D
So a potential vision for us to look towards is that we want sigstore to be the trusted standard for signing and verifying software. That's the kind of thing to aim for, if you like, and the way we get there is through sort of sigstore being a trustworthy institution providing responsible services that improve supply chain security for everyone. So this sentiment here on this screen is reflecting back from people what they wanted, what they asked for, you know, what they need from stuff like this.

D
Why might people value sigstore? So what are people actually looking for in a product? Well, for instance, you know, it has proven that it can make supply chains safer. You know, if you can do that for me, if you can prove that you can make supply chains safer, then I'm very likely to value sigstore and therefore to use it. Sigstore as production grade.

D
Another thing that came up for us quite a few times: so proving that sigstore is production grade, is ready to roll out tomorrow, and you can use it at scale on anything you want; open source; easy to integrate with. These are the kind of things that people are looking for, and again, sigstore as a trustworthy institution. So, diving down a little bit more into kind of how sigstore can make new things come to pass.

D
We're going to really quickly talk about strategic pillars. So, in other words, these are things that, if you use these concepts as checks and balances for the new things that you create or the ways that you describe sigstore, if you check and balance against these things, you are more likely to kind of be going in a direction that other people are responsive to. So we think sigstore should try to achieve understanding, so that means a low barrier to entry.

D
That means cultivating social proof, so showing that it works and showing that it's safe and that it has impact. We think sigstore should try to achieve usability, so that it's convenient, that it's compatible, that the barrier to entry is really low for lots of different types of people, not just security specialists.

D
This can take some years, so we need to support the project and have all of the kind of organizational tools in place to be able for it to live for that length of time; we're talking about years, not months: to retain its independence and make sure that it's something that people can recognize as an open source tool, and make sure that it's extensible so that it can be built upon and it can be integrated with other stuff as well. So those are our strategic pillars.
E
Hi, I'm Peter. Dev, can you go to the next slide? Of course. I'm just going to talk quickly through some bits of a potential roadmap. I say potential because delivery projects and delivery teams and people delivering work often discover things that strategies never even thought of, because the real world changes, which is wonderful.

E
So we broke down this potential roadmap into three key phases we'll call now, near and next. And "now" is just some immediate goals of setting the foundations for scale, and the bits we focus on in the roadmap are the things that complement the work that the community is naturally doing. So things like starting to become a trust... but increasing the trustworthiness of sigstore through a key signing ceremony, which is carried out on the web, and using [inaudible] of trust, etc., etc., is part of that, but there's other things that we need.

E
There's some impactful communication for specific audiences, so outside the immediate community on to other actors like policy audiences, large organizations, commercial security tools, developers; having a clear vision and charter which was developed with the community, so something everyone can believe in and get behind, used to guide decisions; a threat model which would guide lots of activity and, we think, would help other people understand, start to help them understand how and where to implement sigstore's capabilities alongside the rest of their security framework, and also guide things like the creation of monitors.

E
Some of the things in there would be things like creating a new website; obviously we're doing a mock-up of those things. It's nice to see these things and see what they might look like. It's a new low-fi concept though. And there is, next slide, and then "near", so about 12 months. We reckon the near bit would be 12-month goals, so maturing the offering, so enhancing the current product.

E
So building some of the service wrappers around the product, building a broader network, not just the community but the network around the community: of influencers, of funders, of, I say, commercial security tools, intelligence agencies. This is going to be... this is critical infrastructure. We need to make sure it's going to be robust and critical for the long term.

E
Then, if you look at the next slide, and building that trustworthy organization, so some things we could see in here, for example, was around helping to build that network and mature the product. Things like guidelines for trust indicators. So we've done a little mock-up there of a security tool being used within an organization which implements a security policy and uses that to guide the checks on sigstore for a particular artifact, as a developer who's trying to incorporate it in a product.

E
In this case, they've been told it's not on their trusted list, or the signature is not on their trusted list, but they can proceed because this is a low-risk project, and that's how the security settings have been set up. There'll be a lot of different guidance around trust indicators we can see, as we look at those things, that can be developed and could be built out through a community like this.

E
[inaudible] and network, growing the organization, so starting to set down some legal basis for the organization, more governance charters around the community in the open source areas, sustainable funding, things like that. And the next one, and then driving scale. So as we get maturity, that's a great point where we can actually, you know, strongly drive the scale of sigstore and get the increased adoption of that. Creating that flywheel effect, things going on, so both through large implementations.

E
They don't get left behind by such a big change, and so we continue that: a very competitive market for open source software. And again, just a little mock-up there showing, for example, of that time where GitHub sees sufficient pressure from users and from the markets that it might have an integration with sigstore. So if you're looking at some code in the repo you get a provenance check on that code, alongside all of these. I think that was the last of my slides.
F
Thanks, Peter. So I'm Simon. The final section that we're presenting for you guys today is about success indicators. So the overall question: given you're implementing all of these changes and moving forward in the future, how do you know you're moving in the right direction? And we've suggested two sort of large buckets of metrics and success indicators. The first one is, you know, tangible, quantifiable metrics, so, Dev, if you could go, thank you, and they fall under sort of four major categories, right.

F
So the first one is sigstore activity itself, really to evaluate how quickly and rapidly sigstore is being adopted, and this goes beyond just numbers of signatures, for example, and what we really wanted to do was create these metrics that also align with the pillars of success.

F
So you're looking at things like numbers of contributors and watchers, where they're geographically and sort of sectorally distributed, and how many independent monitors are currently watching the logs and moderating that. The third one is really about sort of broadcast and how it's being adopted as a new standard.

F
So, on one hand, that's how often sigstore is being mentioned in sort of press and news articles, and where, but also, you know, how often is it being mentioned in governmental supply chain security guidance, in private organizations' policy documents, to show the uptick. And so the last one, which is almost like a holy grail of this, which, to be honest, we weren't able to find very many sort of robust indicators of what this might be,

F
is quantifying the direct impact of sigstore on supply chain security and who is benefiting from that. And one of the recommendations we make is that it may behoove sigstore to sponsor, whether through sort of putting people on it, through resources, or even partnerships with people who have a stake in this, into how this impact could be measured. And the second type of metric is a little different.

F
These are things that were something we're calling hallmark events. So you can think of hallmark events as sort of like news stories of these sort of larger objectives. They are the "get the United States to the moon" of the space race, right, and these...

F
These kind of moonshots, specifically, purposely named, are really specific investments of time and resources that are both indicative of success and a way to galvanize efforts, the community, and even sort of potential funders in the future. And they can break down in products, so you can see, as you enhance the product, you can see one major one being sigstore

F
tooling is integrated into Git Actions, for example. Or if you're building out the organization, so you can see a big hallmark being sigstore, as an independent organization, hires its first employee, or Google and Linux no longer make up the majority of funding support. Or, sort of, if you want a real moonshot: signing through sigstore is integrated into governmental procurement requirements around the globe.

F
We originally thought of mocking up an illustration of sort of the US president, whether it's Biden or some other sort of guess of who that might be, like slamming their fist on the table and shouting, "But damn it, if I don't sign this with sigstore, how will the American people know it's from me?"

F
You know, that is maybe, maybe it's too far-fetched, but maybe not. I mean, you can realistically see a situation in sort of the distant future where official releases from institutions, where you want some kind of official release, is backed by a transparency log; exactly, sort of tweets, potentially from sort of certified accounts, maybe you're signed by sigstore, and so that kind of verification mentality and thinking that far ahead really is sort of a fun but actually effective way to galvanize efforts within the community and the project itself, because what we're really building for in this is that sigstore, to repeat it again,

F
what we said in the future, is a globally adopted signing and verification standard. So thank you so much. That was a very super fast fly-through of our work. There is another document with substantially more weight where we go in much more detail into a lot of recommendations we share with you today. We will, of course, post it in the sort of Slack channel, and if you have any questions specifically for us, you can either, I mean, we're all in the Slack channel,

F
so you can either ping us directly there, or you can email us at Projects by IF, at hello at projects by IF, and we'll respond to you there as well.

F
Thanks so much. That is it from us.
A
I noticed we've got a few things; if not, I'll chop on quickly. Awesome, okay, so I'm going to go relatively quickly through the project roundup, because I've noticed a couple of demos appeared. Okay, so Rekor 0.2.0! Sorry, let me share the community meeting notes. So 0.2.0 will be shipping very soon, okay. I just need to clean up documentation a bit and just work on how we're going to do some dogfood signing for that. Probably we'll

A
do it, get a few of us to sign that off and put a tlog entry up for now, and then we can always render that better in the future. So yeah, that will be happening, I expect, this week; 0.2.0 will be out. 0.1.0 release planning for Fulcio is underway, so we're going to hopefully cut our first release of Fulcio soon. Okay, cosign. So, Dan, any project stuff before Asra does a demo?

A
Carlos is on the call, so Carlos is our new release manager, who's just getting, sort of, bootstrapping himself into our release procedures, which we don't have any of, so he's here to give us some help out there. Cool, okay, so Asra, you're on the call.

A
Five minutes should be fine, I guess. Okay, great, so I'll make sure I keep ten minutes for you both. Okay, we're looking good for time, right. So cosign; so "kitchen sink", which is what we call sigstore/sigstore: there's nothing really notable there. I do need to work on the verification bit more, and if anybody's interested in discussing that, I'm certainly happy to show you what I have and we can collaborate.

A
I know there's some refactoring as well around the signing implementation and some discussion between Bob and Jake, but there's nothing really substantial there. Ruby plug-in, again, I cannot... you know, this is another one that's waiting for me to get my hands out of my pockets and finish. I do plan to sort of change approach there on how we're doing that, but nothing to really update you about for this week. Maven, I guess there's no updates there. Bob?

A
No? Okay, crates signing [inaudible]. So I have actually been looking into the crates code, looking at their script and how they pull down the various nightly releases and so forth, and looking at how we can implement there. Don't really have anything in our docs yet, but I'll start to sketch something out soon.

A
Release engineering, so, introduce Carlos. Carlos, you want to say anything at all?
B
I just have one update: I'm gonna ping you, some folks in the channel, in the Slack channel, to start creating the release documents, process for Rekor, Fulcio, cosign and sigstore itself, and to make it, like, clear the process how to make the release and all the stuff. But I would like to ask, like, if we are planning to release Fulcio this week, I'd like to be together to learn how the release is going to be made and create the document on the fly. Sure.

A
Sounds good, yeah, makes sense. Awesome. Thank you, Carlos. Okay, Asra, WASM world, anything interesting there, either?
G
We have some more feedback that, before we do a vote on whether this should become a formal WASM proposal, we need some more support from the community and some more drive on, like, how to justify that this is an actual feature there. So I guess this is a shout-out for support. If you know anyone who's interested, or if you yourself are interested, I'll post the link here; they want to see some more support and discussion on this issue.

A
Brilliant, okay, and I can see somebody's popped in Red Hat PyPI. PyPI.

A
We had a meeting with some folks from the Python Foundation. Well, actually, there were some Python core developers.

A
I had a really, really good talk with them about signing in general, okay, so extending what they already have. So they already have a PEP which implements TUF, so they implement TUF, and they have a PEP to look at how to extend that to developers. So the short story of this was that they're going...

A
...around this, okay, so we can actually participate in this working group, which is really good, so we can really start to get some traction on the way, and yeah. This was a call that some other folks that I know in Red Hat were quite interested in kicking off as well, because Ansible and OpenStack are two projects that utilize that infrastructure a lot. So, yeah, there was a really good call there. Trishank, you're on that call; did you want to chip in two cents at all?

C
Yeah, no, no, it was a good call, I agree. I think, for the future, yeah, the working group, and they have two things in particular with how to use sigstore. One is obviously using Fulcio, right, to distribute...

A
Awesome, okay, so let's jump into Asra; we'll pass the wheel over to you.
G
All right, let's see if I can... I'm gonna present my terminal here. So just what's going on here is that it's kind of rudimentary; I still haven't written any tests and the code is kind of just, like, "let's get something done". But what I can do is I can sign collaboratively, and I have not done the verification piece yet, but I can sign collaboratively some TUF metadata on a registry and reference images as targets to sign.

G
So what I have here is this first initialization that someone can run. They can add public keys for the two roots, add a threshold for the roots, add some target public keys and timestamp public keys, and then, for the sake of time, you don't have to do this in the same line, but I'm assuming...

G
I have one of the root keys, so I'm going to sign with one of the private keys. I'm going to upload, so I'm typing my password, and what you see here is a verification error: I don't have enough signatures because my threshold is two. So what it did was it uploaded to a staged .well-known/tuf, so it's not complete yet. Now what I can do is, on a different...

G
You know, I could be, like, now I'm wearing a different hat, I'm like Alice or something, and I'm also gonna go in, and I have the other public key as, like, a separate maintainer, and I'm going to sign the root as well here. So this could happen, like, not on the same computer, and what you can see here is now my root is signed. But now I have a verification error on targets because I have not signed my targets yet; I haven't even added any targets.

G
I'll show you the metadata at the end, just for the sake of time, but what I can do to add a target is sign and snapshot, so I'll do a sign and snapshot, give it a target and give it the target key. For simplicity, I don't have a separate snapshot key; that's something we can do later, but I figure for simplicity...

G
we can have a simplified version. So now I've signed the targets and snapshotted, but my metadata verification still failed and, as you notice, I'm still uploading to stage, so that's what's happening: I'm iterating on this staged thing, but I have insufficient signatures for my timestamps. So what I'm still missing here is to do, like, a heartbeat timestamp that will, you know, say what the current versions are.

G
So what I'll do here is run the timestamp command with my timestamp key. Again, this could happen on someone else's, like, you know, someone else's thing, and this could also be a KMS. It's pretty much whatever cosign supports, this thing would support. So now we'll run the timestamp command, sign that, and then what you should see: yay, metadata was verified. So now what we have here is that everything is sound for now and has been uploaded to well-known, not staged anymore.

G
So now what I can do is, let me go show you what we just did: pull this and show you the JSON.

G
Now what we have here is there's some, like, [inaudible] on version numbers that I'm still working through right now, but at the very top you can see my root metadata with two signatures, because my threshold was two. I have a... sorry, this is so hard to read. I have all the root metadata with two keys that I trust, one for each of the rest of the roles. I have a snapshot here

G
that is, you know, enforcing my root and targets version, and I have my target here, which is this image over here with this [inaudible], so everything's been signed, this timestamp has been signed, and that's the current demo.
A
Cool. A quick question, Asra: so I've been looking at doing something similar but with keyless, so OIDC emails. So have you thought about doing that, or, if you, when you have thought about it, have you thought of possible snags or hitches that we might need to work around, or, well...

G
Yeah, I've thought about that, as, like, you know, how will this work, will we be like... It's definitely buildable on top of this infrastructure. What I think would need to be done is: you see how, like, over here, my root metadata is specifying the keys for all my roles, or all the keys over here. There's a bunch of keys in here, like with the public... This is an ECDSA, so this is, like, the marshalled X and Y and, like, public key parameters.

G
So this is a certain key type, right. So what I'm thinking is we can change that key type to become an OIDC key type, and the public information that it includes will be, like, you know, the email identifier, and then we can attach a certificate from Fulcio. So that was my initial thought on it. I don't know if it's a correct way to do things, but that seems like it could work.

A
I'm just thinking of how we sort of stack all this, you know, as we are signing targets and so forth.

G
Yeah, I think it's... do, like, everything, the verification and, like, the signing is all, like, you know, going to be, like... it's currently also using cosign's signer type, so I think it's very easily swappable out, as long...

A
I've spoken to Dan about this a few times. Can we get this working outside of a registry context? Okay, so, I mean, registries are the preferred medium, but then, if somebody has a repo or an EC2 bucket or, you know, something, some...

C
Yeah, just to jump back a second, I think there is one problem we might have glossed over quickly, like: this doesn't have to go on a container registry, but I think it does have to go next to where the artifacts are. That's...

A
I see, yeah, so you need that letterbox to put the signature, to attach, yeah, yeah, very much, yeah, yeah, because they do have that extra... There is some sort of slot that we can utilize, isn't there, in the Python index? So, yeah, cool, okay, that's brilliant! Thanks, Asra. Okay, Trishank, you have a demo as well. Do you want to... you should be able to share, and yeah.
H
Can you see the screen? I think it should be, yeah, okay, yeah. So it's a simple demo where I have one repository with my application code, and the idea here is to see how we can use cosign verification in DevSecOps, right. When our existing DevSecOps pipeline, they find out if there are any vulnerabilities in the code, if there are any license issues; in this one we are trying to basically extend it to see how we can verify the dependencies that are in your code, right. So this is my application.

H
This is a Dockerfile. I have some base images that I'm using. So there is one; this is a multi-stage Dockerfile, so I'm using one stage to build the image and another stage to basically deploy this application, right, and in this one we are basically adding this verification of this base image in the pipeline. So this particular repository is hooked to this Tekton pipeline.

H
So anytime we create a pull request or create any change, it will trigger that pipeline, right, and this pipeline is basically, I have pushed it on the... I'll share this link, so anyone can try this link, right. So it has, basically, very simple, it's a simple pipeline. So whenever it triggers the pipeline, it clones the repository, it does a kind of scanning of all the dependencies. So it looks in the Dockerfile:

H
what images you are using, what packages you are bringing, and you essentially generate a software bill of materials, right. Once we have that material, we have this cosign verify, another stage, which identifies the base images at the moment, right; identify all the base images that you are using and then verify them using cosign, if these base images are signed properly, and then it notifies a developer in the form of comments and drives the status of this pull request about the findings, right.

H
So let me quickly show you. So these two base images that are there, these both are signed, and right now I basically signed them a priori and set it up. But if I basically go and change this, let's say I put it 115, right, as a developer, I don't have knowledge whether that particular image is signed or not, right; I'm just creating a change request, and when I create this change request...

H
This essentially will trigger the pipeline, where we are showing all this, the analytic, the layout that I just described; it is doing the clone and scan and everything. In the interest of time, I can just show you the previous pull request that I ran, right. So once the pull request, essentially that pipeline, finishes, it gives the feedback to the developer that we verified, we ran some verification, and in this particular Dockerfile you are using this base image, which is not properly signed, right.

H
The other base image is signed, and, as a developer, I can basically go ahead and fix that, my dependencies basically, and I should basically get, you know, the notification that all my base images that I'm using for building my application, they're signed, and it also basically drives the gate. So you can block the pull request if your dependencies are not signed properly. And again, this is the first step; the idea is essentially to come up, to recommend to the developer, right, instead of, right now we are just telling them the problem, that "okay, you..."

H
This is the image that has not been signed, but can we recommend to the developer that you should instead use this particular image, which is signed? And the second is it can go to the package level also, right. Right now it is doing it at the image level, but in the BOM we will also have these packages, like if you are installing Python or Node, so we can also verify those once we have this infrastructure where all the packages are getting signed.

H
Oh right, so in this particular one, in this pipeline...
H
Pipeline, and I have basically mounted this because it basically needs this public key to be mounted as a secret, right, okay, and then in the cosign verify task, we basically take the image, we identify what base images we are using, and then we call cosign verify on those base images, basically check if those images are signed or not. If they are signed, we capture that result, and then this is basically just a reporting of whatever findings we get.

H
Yes, so that would be for building the images, right. It's part of, like, when you're building, we automatically...

H
Right, yeah, in this one I'm basically not signing, I'm just verifying, but yeah, you are right. I think we can use Chains and we can...

H
Yeah, I mean, it's... I'm basically... I need that feedback from you upstream from this, right. So yes, this particular pipeline is... I'll share the link on the Slack; it's there. I think we can try. Okay, yeah, and yeah, I think, yeah, yeah.

A
Drop the link into the community minutes as well. Yeah, sure, I'll do that.
A
Right, sure, yeah, so unattended signing, good point, yeah. So there's several things there. This is some work that Dan's been doing with SPIFFE and SPIRE, where there's a machine identity attestation that leverages SPIFFE/SPIRE, and there's also device flow as well, which is another sort of similar unattended system. But I'd say the SPIRE one's definitely more exciting because you can federate across different clouds and stuff like that. So...

C
Yes, so there's, like, two ways, like Luke was saying: we have one way that's supported now; it only works on GCP, but we can add support for other cloud providers if they expose, like, short-term OIDC credentials.

C
...would be tied to, like, the virtual machine or whatever you're running on on Google Cloud Platform. I think Azure and Amazon have equivalents; I just don't know enough to try it out. And then SPIFFE/SPIRE work kind of in a cross-cloud federated manner, which we're still working on now. Okay, okay, thank you. Yeah, thanks.

A
Some git signing stuff that it might be useful to look at, that Dan and Mark worked on as well.

H
Basically, the idea is actually we need to ensure the supply chain is secure; everything in the issue, all these, like, once we have the packages signing and everything, we want to do this verification, but the, I think...

H
...value comes if, instead of just telling the user that you have a problem, if you can recommend to them the one which is signed and which is proper, right, which is a slightly harder problem: how we come up with that recommendation. So, but I think that will be useful. Sure.

A
Okay, so let me just glance back at the agenda. So I think we've got through everything.

A
You know, just say what your interest is in the project, then we can think about how we can support.

A
No? Okay, great. So remember the 18th; put that in your diary for the sigstore signing party. It's going to be live-streamed, okay, and then expect to see the fork number increment upwards as people fork the signing repository. And yeah, I will see you all in Slack and next week. All the best. Thank you.