Sigstore / Sigstore Community Talks

These are all the meetings we have in "Sigstore Community T…" (part of the organization "Sigstore"). Click into individual meeting pages to watch the recording and search or read the transcript.

1 Jun 2023

Securing Kubernetes Manifests with Sigstore Cosign, What Are Your Options? - Mathieu Benoit, Google

In this talk, we will explore the options to verify with Sigstore Cosign the provenance of Kubernetes manifests before actually being applied in your cluster. Attendees will learn how Sigstore Cosign integrates with Kubernetes to provide secure solutions for signing and verifying container images and resource manifests, configuration files, and other critical components, bundled as generic OCI images. We will also touch upon the use of GitOps tools like FluxCD and policy engines like Kyverno and Gatekeeper in combination with Sigstore Cosign to enforce security policies and prevent unwanted changes in your cluster. Whether you are a seasoned Kubernetes user or just starting out, this talk will provide valuable insights and tips about your options for verifying in Kubernetes your Kubernetes manifests signed by Sigstore Cosign.
  • 1 participant
  • 23 minutes

25 May 2023

Bringing Provenance to All of Open Source: Lessons from Npm’s Sigstore Integration - Trevor Rosen & Zach Steindler, GitHub / npm

npm is the largest package registry on the internet, serving over 70 billion packages per month and acting as the de facto standard package system for JavaScript, the world’s largest OSS ecosystem by lines of code. It suffers from the basic problem all registries have: there’s no verifiable link from a package back to its source code and build process. To solve this problem, npm is integrating with Sigstore’s open source libraries and public good servers, to securely communicate npm package provenance from your build system to the registry and make it available for verification with the npm CLI. During this work, a bunch of interesting questions came up: What does it mean for a build process to be secure? Can we trust packages without verifying every developer’s identity? Does our approach work for other package ecosystems? This talk will take you inside arguably the most ambitious and impactful effort happening in software supply chain security today and offer some fundamental (and maybe controversial!) opinions about what’s needed for package provenance across all of open source.
  • 4 participants
  • 27 minutes

24 May 2023

Getting Involved in Sigstore Research Projects - Hayden Blauzvern, Google

Sigstore, an open-source project that provides easy-to-use tooling to simplify signing and verification, is fast-moving and leans into experimentation and research to improve the security and privacy of the project. Sigstore is the perfect-sized project to try out new research techniques, as it has real-world usage but still aims to be agile. In this lightning talk, we will discuss where we'd like to see research applied, to provide privacy-conscious transparency, stronger assurances during verification, and distributed trust with timestamping. We'll end with a call to action for both industry practitioners and academic researchers to contribute to Sigstore.
  • 2 participants
  • 11 minutes

23 Mar 2023

with guests Lewis Denham-Parry & Zack Newman

How do you know that the software you're running on your laptop or in production is actually the software you think you're running? Attackers may try to modify source code or compiled binaries/containers as they move about the internet and your network. We can check the authenticity of software and other digital artifacts with digital signatures. But, in practice, almost nobody does! Today, we'll see why not, and what the Sigstore project is doing to fix that. We'll explore digital signatures, losing your YubiKey on the street, why the price of security for OSS projects should be zero, how you achieve more security by promising less, and why software signatures need "sunshine laws," all in the context of the Sigstore project and its constituent components Fulcio, Rekor, and Cosign. You'll learn how the OSS ecosystem is getting more secure every day and how you can apply the same tools and principles.
  • 6 participants
  • 2:24 hours

3 Feb 2023

Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Not All That’s Signed Is Secure: Verify the Right Way with TUF and Sigstore - Zachary Newman, Chainguard, Inc. & Marina Moore, New York University

It’s easy to think that because more developers are signing software, the consumers of that software are necessarily more secure. However, a signature is only useful if verified correctly. One common failure mode is to verify that some software was signed, but not check who signed it. This means that you’ll treat a signature from evil@hacker.com the same as a signature from yourself! We want to check that software came from the right person, but how do we know who that is? In this talk, Marina Moore and Zachary Newman will show how you can answer that question, securely. First, use Sigstore to make signing easy. Then, use CNCF projects The Update Framework (TUF) and in-toto to concretely improve security of open source package repositories, internal container registries, and everything in between. Cut through the hype and see how to sign software in order to increase security. Learn what signing can do—and what it can’t. With this knowledge, you can design appropriate verification policies for your project or organization. You’ll also learn how the open source software repositories you depend on are adopting these techniques to ensure that the code you download comes from the authors you expect.
  • 2 participants
  • 36 minutes
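The failure mode this abstract describes, shown in code. This is an added example written for this page, not code from the talk, from cosign or from Fulcio: it uses only the Go standard library, and a self-signed root standing in for Fulcio issues short-lived code-signing certificates to two identities under the same root. The identities `me@example.com` and `evil@hacker.com`, the issuer URL and the artifact bytes are all assumed sample values. Each certificate carries the identity as an email SAN and the OIDC issuer in Fulcio's original issuer extension (OID 1.3.6.1.4.1.57264.1.1, raw bytes); a real Fulcio certificate also carries a DER-encoded form under a newer OID, which this example leaves out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Fulcio's original OIDC-issuer certificate extension (OID 1.3.6.1.4.1.57264.1.1): the issuer URL as raw bytes.
var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert generates a P-256 key and signs tmpl with parentKey (self-signed when parent is nil).
// It stands in for Fulcio minting a short-lived certificate in this constructed example.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl.SerialNumber, tmpl.NotBefore = big.NewInt(time.Now().UnixNano()), time.Now().Add(-time.Minute)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issue binds an email identity and the OIDC issuer that authenticated it into a code-signing certificate.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, email, issuer string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return newCert(&x509.Certificate{
		NotAfter:        time.Now().Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		EmailAddresses:  []string{email},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: []byte(issuer)}},
	}, ca, caKey)
}

// verify is the consumer side: chain, signature, then identity. wantIdentity == "" reproduces
// the mistake from the abstract: "signed by someone our root trusts", with no check of who.
func verify(roots *x509.CertPool, cert *x509.Certificate, artifact, sig []byte, wantIdentity, wantIssuer string) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	pub, _ := cert.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(artifact)
	if pub == nil || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return fmt.Errorf("signature does not match artifact")
	}
	if wantIdentity == "" {
		return nil // evil@hacker.com passes exactly like the maintainer does
	}
	gotIssuer := ""
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidIssuer) {
			gotIssuer = string(ext.Value)
		}
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != wantIdentity || gotIssuer != wantIssuer {
		return fmt.Errorf("signer %v via %q, wanted %s via %q", cert.EmailAddresses, gotIssuer, wantIdentity, wantIssuer)
	}
	return nil
}

// Demo issues certificates for the maintainer and for evil@hacker.com under one root, then verifies with and without an identity policy.
func Demo() (weakAcceptsAttacker, strictAcceptsOwner, strictRejectsAttacker bool) {
	ca, caKey := newCert(&x509.Certificate{Subject: pkix.Name{CommonName: "example-root"}, NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	const issuer = "https://accounts.google.com"
	owner, ownerKey := issue(ca, caKey, "me@example.com", issuer)
	evil, evilKey := issue(ca, caKey, "evil@hacker.com", issuer)
	artifact := []byte("constructed release tarball bytes") // constructed sample input
	d := sha256.Sum256(artifact)
	ownerSig, err := ecdsa.SignASN1(rand.Reader, ownerKey, d[:])
	check(err)
	evilSig, err := ecdsa.SignASN1(rand.Reader, evilKey, d[:])
	check(err)
	weakAcceptsAttacker = verify(roots, evil, artifact, evilSig, "", "") == nil
	strictAcceptsOwner = verify(roots, owner, artifact, ownerSig, "me@example.com", issuer) == nil
	strictRejectsAttacker = verify(roots, evil, artifact, evilSig, "me@example.com", issuer) != nil
	return
}

func main() {
	w, s, r := Demo()
	fmt.Println("weak accepts attacker:", w, "| strict accepts owner:", s, "| strict rejects attacker:", r)
}
```

The weak policy is what "it has a valid Sigstore signature" amounts to on its own; the strict one is what cosign's `--certificate-identity` and `--certificate-oidc-issuer` flags express, which is why cosign v2 refuses to verify keyless signatures without them. Check the extension OIDs against the current Fulcio certificate specification before relying on them in a verifier of your own.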

2 Feb 2023

So You Want to Run Your Own Sigstore: Recommendations for a Secure Setup - Hayden Blauzvern, Google

Sigstore, an open-source standard for signing and verifying artifacts, provides free-to-use services that provide identity-based certificates and auditable signatures through a transparency log. These services work well for FOSS, giving maintainers the tooling needed to create signed builds. However, enterprise organizations may have additional needs that are not addressed by the public instances. This could include availability requirements such as regionalization, data residency requirements, privacy concerns with a public log, or requiring policy controls for admitting entries into a log. This talk will discuss motivations for operating private Sigstore services and expectations on the operators. The talk will discuss differences in the threat modeling between public and private instances. Finally, the talk will cover the requirements for operating private instances, including operating a root trust store and the necessary security properties of a private certificate authority and transparency log.
  • 1 participant
  • 33 minutes

17 Dec 2022

Sigstore: Using Transparent Digital Signatures to Help Secure the Software Supply Chain - Bob Callaway, Google
  • 1 participant
  • 20 minutes

1 Dec 2022

Luke Hinds, the founder of project sigstore, will provide an introduction to the project and then outline how you can leverage sigstore to protect your Kubernetes-based workloads.
  • 1 participant
  • 18 minutes

1 Dec 2022

Curious about cloud-native supply chain security? Heard of sigstore but not sure what it means for you? Check out this video where I lay bare the technologies and how they work within Sigstore

Links
- https://www.sigstore.dev/
- https://github.com/sigstore/cosign

Timecodes:
0:00 Introduction
0:22 What is supply chain security anyways?
7:38 How does it work?
11:18 Demo of cosign
  • 1 participant
  • 16 minutes

10 Nov 2022

No description provided.
  • 1 participant
  • 49 minutes

28 Oct 2022

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Life of a Sigstore Signature - Jed Salazar & Zack Newman, Chainguard

Recently, Kubernetes SIG-release announced that the official Kubernetes container images have adopted Sigstore code signing to protect the supply chain of millions of downstream users. Sigstore, an open-source project aiming to be the Let's Encrypt of code signing, allows Kubernetes users to validate that their images came from the simple, free, and trusted official supply chain. But how does Sigstore actually work? What happens behind the scenes when I sign an image? Why should you even trust it? This talk follows the life of a Sigstore signature for your container image. On this journey, you’ll encounter keyless code signing, certificate authorities, and transparency logs. You’ll also configure an admission controller to create a signing security policy for your clusters. Our request hits every Sigstore component and you’ll stop to learn how they work, from the cryptographic and architectural levels, and discover how Sigstore mitigates supply chain attacks.
  • 2 participants
  • 28 minutes
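The transparency-log stop on that journey, as an added example that is not part of the talk and is not Rekor's own code: a Merkle tree in the RFC 6962 shape Rekor's log uses, an inclusion proof of the kind the log hands back for an entry, and the verifier-side check that recomputes the root from nothing but the entry, its index, the tree size and the root the verifier already trusts. The five log records are constructed strings standing in for Rekor entries; real entries are JSON documents and real tree heads are signed by the log, both left out here.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/bits"
)

// RFC 6962 domain separation: leaves and interior nodes hash with different prefixes,
// so an attacker can never pass a leaf off as a subtree or vice versa.
func hashLeaf(entry []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(entry)
	return h.Sum(nil)
}

func hashNode(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// split returns the largest power of two strictly less than n (n >= 2): the RFC 6962 split point.
func split(n int) int { return 1 << (bits.Len(uint(n-1)) - 1) }

// RootHash is MTH(D[n]) from RFC 6962: the value a log publishes in its (signed) tree head.
func RootHash(entries [][]byte) []byte {
	switch len(entries) {
	case 0:
		return sha256.New().Sum(nil)
	case 1:
		return hashLeaf(entries[0])
	}
	k := split(len(entries))
	return hashNode(RootHash(entries[:k]), RootHash(entries[k:]))
}

// InclusionProof is PATH(m, D[n]): the sibling hashes from leaf m up to the root.
// The log server computes this; the verifier never needs to see the other entries.
func InclusionProof(entries [][]byte, m int) [][]byte {
	if len(entries) <= 1 {
		return nil
	}
	k := split(len(entries))
	if m < k {
		return append(InclusionProof(entries[:k], m), RootHash(entries[k:]))
	}
	return append(InclusionProof(entries[k:], m-k), RootHash(entries[:k]))
}

// VerifyInclusion recomputes the root from one entry plus its proof (RFC 9162 section 2.1.3.2)
// and succeeds only if it lands exactly on the root the verifier trusts.
func VerifyInclusion(entry []byte, index, size int, proof [][]byte, root []byte) bool {
	if index >= size {
		return false
	}
	fn, sn := index, size-1
	r := hashLeaf(entry)
	for _, p := range proof {
		if sn == 0 {
			return false // proof longer than the tree is deep: malformed
		}
		if fn&1 == 1 || fn == sn {
			r = hashNode(p, r) // sibling sits on the left
			for fn&1 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			r = hashNode(r, p) // sibling sits on the right
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && bytes.Equal(r, root)
}

// Demo builds a five-entry log from constructed records, proves entry 2 is included, then shows
// the same proof failing for a tampered record and for a wrong leaf index.
func Demo() (genuine, altered, wrongIndex bool) {
	entries := [][]byte{ // constructed sample log entries, not real Rekor records
		[]byte("sha256:1111 signed-by me@example.com"),
		[]byte("sha256:2222 signed-by me@example.com"),
		[]byte("sha256:3333 signed-by bob@example.com"),
		[]byte("sha256:4444 signed-by ci@example.com"),
		[]byte("sha256:5555 signed-by me@example.com"),
	}
	root := RootHash(entries)
	proof := InclusionProof(entries, 2)
	genuine = VerifyInclusion(entries[2], 2, len(entries), proof, root)
	altered = VerifyInclusion([]byte("sha256:3333 signed-by evil@hacker.com"), 2, len(entries), proof, root)
	wrongIndex = VerifyInclusion(entries[2], 3, len(entries), proof, root)
	return
}

func main() {
	g, a, w := Demo()
	fmt.Println("genuine entry verifies:", g, "| altered entry verifies:", a, "| wrong index verifies:", w)
}
```

The altered record and the wrong index both fail because the recomputed root no longer matches; nothing about the proof itself has to be trusted. This is the check a Rekor client performs when it validates an inclusion proof against a signed tree head, and it is what makes the log "tamper resistant": rewriting history changes the root, and anyone holding an older root can detect it.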

28 Oct 2022

Sigstore for Python Packaging: Next Steps for Adoption - William Woodruff, Trail of Bits

Sigstore is coming to the Python packaging ecosystem! For the past 9 months, engineers at Trail of Bits have worked with members and stakeholders within the Sigstore community to develop sigstore-python, a high-quality Python API and CLI for performing Sigstore-style signatures and verifications. Now comes the hard part: convincing members of Python's packaging ecosystem, among the largest and most critical, to adopt Sigstore into their package publishing and consumption workflows. This talk will perform a survey of Python packaging, and consider some of the ways in which Sigstore fits into the packaging user experience. Particular consideration will be given to two groups of packaging ecosystem users: "ordinary" users, who should benefit from baseline authenticity and integrity without having to substantially alter their workflows, and "proactive" users, who should be able to opt into *additional* security guarantees (such as verification against TUF-attested claims) both when packaging and consuming others' packages.
  • 1 participant
  • 24 minutes

14 Oct 2022

Did you ever use PGP to sign libraries published to Maven Central? Did you try to check PGP signatures when downloading dependencies, to make sure you are not affected by a software supply chain issue?

The required PGP key management is usually not the best experience developers have…

That’s why the sigstore project was introduced recently, promising easy keyless signatures. It started with Docker image signatures, but a lot of effort is being put into extending its usage to every package registry, including Maven Central.

Let’s see how sigstore works and how it is expected to improve not only the signing experience, but also the verification process of artifacts at Maven Central.

HERVÉ BOUTEMY
Maven Committer since 2007 and PMC member, Apache Software Foundation member since 2011.

I worked on each and every part of the Maven code to improve user experience.
  • 1 participant
  • 51 minutes

14 Oct 2022

Would you make a sandwich with lettuce or tomatoes you picked up off the street? For most people, we hope, the answer is "no". We like to know that our ingredients are clean, who produced them and if they're safe to eat. Today many of us build software with third-party packages but there either isn't enough metadata or we're all too lazy to determine if they're truly safe to use. We risk accidentally shipping broken, vulnerable or dangerous software through compromised credentials, dependency confusion attacks or any of the many other techniques malicious actors have at their disposal.

Sigstore, an OpenSSF project to make cryptographic signing of artifacts easy to do and to verify, is a core part of solving the dependency trust problem. In this talk, by two of the sigstore-java maintainers, we will be introducing you to the Sigstore project and its use with Maven Central. We’ll show how you, as a producer or consumer of Maven Central artifacts, can use Sigstore to sign and verify your artifacts and protect yourself and your users from malicious software supply chain attacks.

APPU GOUNDAN
Appu is a Software Engineer on the Google Open Source Security Team (GOSST) with a focus on securing the open source software supply chain. He has no actual ghost busting abilities, but has a decade of experience in Java developer tooling.

PATRICK FLYNN
Patrick Flynn works on software supply chain security for Chainguard. Prior to Chainguard, Patrick worked at Google where he was the TL of notable products like reCAPTCHA and Cloud Code, as well as leading Google Cloud's Java Tools team that built Jib (the Java container image builder).
  • 2 participants
  • 50 minutes

10 Oct 2022

If we want to be certain that what we're running is what we built, we might need to sign container (Docker) images, as well as other types of artifacts. That's where Cosign jumps in. Sigstore Cosign makes signatures invisible, especially if we combine it with Kyverno or other Kubernetes admission controller solutions.

#cosign #sigstore #kubernetes

▬▬▬▬▬▬ 🔗 Additional Info 🔗 ▬▬▬▬▬▬
➡ Gist with the commands: https://gist.github.com/d1bd7ab00d2288c663e436cd513efe85
🔗 Sigstore (Cosign): https://sigstore.dev
🎬 Kubernetes-Native Policy Management With Kyverno: https://youtu.be/DREjzfTzNpA
🎬 How To Replace Docker With nerdctl And Rancher Desktop: https://youtu.be/evWPib0iNgY
🎬 Bitnami Sealed Secrets - How To Store Kubernetes Secrets In Git Repositories: https://youtu.be/xd2QoV6GJlc

▬▬▬▬▬▬ 👋 Contact me 👋 ▬▬▬▬▬▬
➡ Twitter: https://twitter.com/vfarcic
➡ LinkedIn: https://www.linkedin.com/in/viktorfarcic/

▬▬▬▬▬▬ ⏱ Timecodes ⏱ ▬▬▬▬▬▬
00:00 Introduction To Sigstore Cosign
03:38 Client-Side Container Image Validation With Cosign
06:22 Enforce Usage Of Signed Container Images With Kyverno
09:47 Sign Container Images With Sigstore Cosign
11:51 It's Not Only About Container Images
  • 1 participant
  • 14 minutes

15 Jul 2022

OpenSSF Day at Open Source Summit North America - Demystifying Digital Signatures - Priya Wadhwa, Chainguard, Inc
  • 2 participants
  • 17 minutes

3 Feb 2022

Speaker: Bob Callaway

Sigstore (sigstore.dev) is a collection of young, rapidly growing open source projects in the secure software supply chain space that combine transparency logs, digital identity & attestation technologies, and policy artifacts to enhance the security of software artifacts through the entire development/deployment lifecycle. This talk will include an overview of the projects that make up sigstore, brief demos showing how the different projects interoperate, a survey of current adopters, as well as a review the of project roadmaps for further integration and adoption in the OSS landscape.

Sched: https://sched.co/siFP
  • 3 participants
  • 50 minutes

11 Nov 2021

Zero-Trust Supply Chain Security with Sigstore, TektonCD and SPIFFE - Dan Lorenc, Google
  • 3 participants
  • 50 minutes

9 Nov 2021

  • 2 participants
  • 1:01 hours

30 Oct 2021

Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Cloud Native Supply Chain Security with Tekton and Sigstore - Priya Wadhwa & Christie Wilson, Google

If you build software on Kubernetes and want to learn more about how to do it in a secure way, then this talk is for you! In this talk, Christie Wilson and Priya Wadhwa will provide a hands on overview to creating a secure zero-trust supply chain on Kubernetes. We'll show you how to use tools like Tekton, Tekton Chains and sigstore together to protect your pipelines and generate provenance for your builds. We'll also cover how the audience can integrate these tools with other projects like In-Toto and SPIRE to securely build, sign and verify software components today.
  • 2 participants
  • 22 minutes

29 Oct 2021

Sigstore: How We Started, Where We Are, Where We are Headed - Bob Callaway, Red Hat & Dan Lorenc, Google

sigstore is a project under the Linux Foundation to provide a non-profit, public-good software security cryptographic signing service. You can think of it like the 'Let's Encrypt' for software signing. If you have not heard of it yet, you certainly will soon. sigstore is used to protect Kubernetes release container images and verify them directly in Kubernetes release infrastructure. Many other communities are also in the process of looking at how they can implement sigstore (Python, RubyGems, Wasm, Maven). The sigstore community is made up of security experts from communities such as TUF, Kubernetes and in-toto, and engineers from Red Hat, Google, Smallstep, VMware and many more.
  • 2 participants
  • 40 minutes

31 Aug 2021

Software Supply Chain Integrity with Sigstore - Marina Moore & Priya Wadhwa, Google
  • 3 participants
  • 23 minutes

3 Aug 2021

In this episode, Dan guides us through everything we need to get started with Project sigstore.


🍿 Rawkode Live

Hosted by David McKay / 🐦 https://twitter.com/rawkode
Website: https://rawkode.live
Discord Chat: https://rawkode.live/chat

#RawkodeLive

🕰 Timeline

00:00 - Holding screen
01:15 - Introductions
03:00 - What is Project sigstore?
11:30 - Signing & Verifying Container Images with cosign
34:00 - cosign: keyless mode
41:00 - Transparency Logs with rekor
55:00 - Using Kyverno for Signed Image Policies

👥 About the Guests

Dan Lorenc

OSS Supply Chain Security at Google!


🐦 https://twitter.com/lorenc_dan
🧩 https://github.com/dlorenc
🌏 https://www.danlorenc.com/


🔨 About the Technologies

sigstore

sigstore is a Linux Foundation project.
sigstore is a project with the goal of providing a public good / non-profit service to improve the open source software supply chain by easing the adoption of cryptographic software signing, backed by transparency log technologies.
sigstore will seek to empower software developers to securely sign software artifacts such as release files, container images, binaries, bill of materials manifests and more. Signing materials are then stored in a tamper-resistant public log.
sigstore will be free to use for all developers and software providers, with sigstore’s code and operation tooling being 100% open source and maintained / developed by the sigstore community.

🌏 https://sigstore.dev
🐦 https://twitter.com/projectsigstore
🧩 https://github.com/sigstore

##SupplyChain
  • 3 participants
  • 1:08 hours

15 Jun 2021

A Series of Lightning Talks from CNCF Project Leads (Virtual Experience)

There’s considerable interest to leverage TEE capabilities from cloud-native projects, such as SPIFFE, Notary, Sigstore and Parsec, which each address separate concerns within the CNCF. In this talk, leaders from these projects will describe how they use hardware-based trust today to enhance cloud native workloads, and ways that we can improve security with new capabilities enabled by TEEs in the future. This session will be moderated by Aeva Black.

Talks to be included:

sigstore, Software Signing for the Masses, presented by Luke Hinds: sigstore is a new project launched under the Linux Foundation to provide a free-to-use, non-profit code signing service. Project founder Luke Hinds will provide an introduction to the project.

To learn more about the Confidential Computing Consortium, a community focused on projects securing data in use and accelerating the adoption of confidential computing through open collaboration see: https://confidentialcomputing.io/
  • 1 participant
  • 12 minutes

30 Mar 2021

Bob Callaway and Ivan Font of Red Hat will introduce a new project called 'sigstore' that was recently launched under the Linux Foundation. Sigstore aims to empower software developers to easily and securely sign software artifacts such as release files, container images, binaries, bill of materials manifests and more. Signing materials are then stored in a tamper-resistant public log. They'll show a demo of the system working on OpenShift to sign container images and integrated into a build pipeline with Tekton and Open Policy Agent.
  • 4 participants
  • 57 minutes

24 Mar 2021

sigstore developer Dan Lorenc provides a demo on the different signing methods available in cosign.
  • 1 participant
  • 11 minutes