►
Description
with guests Lewis Denham-Parry & Zack Newman
How do you know that the software you're running on your laptop or in production is actually the software you think you're running? Attackers may try to modify source code or compiled binaries/containers as they move about the internet and your network. We can check the authenticity of software and other digital artifacts with digital signatures. But, in practice, almost nobody does! Today, we'll see why not, and what the Sigstore project is doing to fix that. We'll explore digital signatures, losing your Yubikey on the street, why the price of security for OSS projects should be zero, how you achieve more security by promising less, and why software signatures need "sunshine laws," all in the context of the Sigstore project and its constituent components Fulcio, Rekor, and Cosign. You'll learn how the OSS ecosystem is getting more secure every day and how you can apply the same tools and principles.
A
B
I'm
so
excited
to
be
here
thanks
for
having
me
I'm
a
research
scientist
at
chain
guard,
which
is
an
amazing
job
where
I
basically
get
to
think
really
really
hard
about.
Why
we
trust
the
software
that
we
run
on
our
computers.
I
mean
spoiler,
I
guess
the
answer
is
usually.
We
have
no
good
reason
to
talk
about
today
before
this
I
was
I
was
a
PhD
student
at
MIT
working
on
applied
cryptography
and
that's
how
I
kind
of
got
into
the
field?
B
A
C
Everyone
I'm
Lewis
I'm,
a
Solutions
architect
s
at
chain
guard,
so
today,
I'm
working
with
our
customers
on
enforce
and
images
a
bit
about
my
back
story:
I
was
a
developer.
I
was
terrified
of
security
for
quite
some
time
and
then
I
realized
that
actually
security
is
this
problem
that
we
get
to
solve
and
it's
just
constantly
changing.
So
it's
so
much
fun
and
yeah.
That's
where
I've
ended
up
here
today
and
it's
great
that
I
get
to
shave
a
company
with
Zach.
C
A
Amazing,
yes,
so
God
so
glad
to
have
you
here,
I
way
back
when
I
started,
which
I
guess
wasn't
that
long
ago,
like
a
year
and
a
half
ago,
I
used
to
host
a
show
called
tanzu
Tuesday
that
doesn't
exist
anymore,
but
Lewis
was
always
one
of
my
favorite
guests
and
I
mean
we've.
We've
we
became
friends
back
then
y'all
can
unmute
yourself,
I,
don't
know.
What's
going
on
in
the
background
of
your
each
of
your
houses,
I
guess
I,
don't
wanna
resume.
A
Yeah
I
trust
you
I
trust
you
except
I,
think
if
I
think
everybody
should
follow
Lewis
and
Zach
on
Twitter
right
now,
what's
going
on,
I
think
are
you?
Are
you
all
making
a
point
about
trust
right
now
that
why
would
he
even
trust
us
to
have
the
right?
Twitter
addresses
the
right
name,
the
right
anything
that
we're
supplying
for
you
right
now,
yeah.
C
A
A
B
I
would
say:
I
have
a
personality
where
I
don't
have
a
lot
of
other
options.
You
know
a
problem
to
chew
on,
and
the
answer
seems
simple.
The
first
place
my
brain
goes
is,
but
is
it,
though?
You
know
it's
all
all
about
just
kind
of
examining
the
assumptions
that
you're
working
with
which
I
think
in
computer
security
specifically
is
a
really
useful
skill.
So
many
security
problems
happen.
A
That
I
asked
you
a
question
about
how
you
get
into
deep
thought
and
somehow
you
turned
it
into
a
an
answer
about
assumptions
which
I
love,
I,
think
thinking
about
security.
From
a
point
of
view
of
what
assumptions
are
we
making
is
pretty?
Is
it
is
a
nice,
a
nice
approach
I
enjoy
that
very
much
Louis
I'm
excited
to
see
you
at
kubecon?
Are
you
speaking.
C
Not
this
yet
I
I
didn't.
Actually
it
was
the
first
time
in
a
while
I
haven't
submitted
cfp
and
but
equally
I
doubt
I
would
have
got
accepted
anyway.
This
year,
I've
had
some
good
luck
recently,
but
but
in
all
honesty,
I'm
super
excited
because
it's
I
I
think
there's
an
announcement.
This
week,
whereas
10
000
people
have
signed
up
to
go,
which.
C
Cool
and
but
it's
it's
kind
of
nice
in
a
way
because
whenever
I've
got
a
talk,
I'm
so
stressed
I'm
and
it's
I'm
updating
my
slice
constantly
and
it's
just
always
worrying
in
the
background.
But
this
year
I
get
to
go
across
and
I
get
to
enjoy
it
so
I'm
going
to
be
there
I'll
be
we've
got
a
booth
out
there.
So
if
anyone
wants
to
hang
out
and
come
and
chat,
then
I'll
definitely
be
there
and
yeah
I'm.
Looking
forward
to
some
talks
but
and.
A
A
B
A
Right,
oh,
that
was
impressive-
that
you've
held
on
to
that
knowledge
for
such
a
long
time
again
making
assumptions,
and
then
we
have
I
another.
If
we
have
time
at
the
end,
comment:
I'd
love
to
get
your
thoughts
on
Sam
Altman,
putting
the
onus
on
an
open,
API
issue,
I'm,
not
sure
what
any
of
that's
about,
but.
A
A
I
would
love
to
hear
from
Chad
about
like
what
is
your
experience
with
with
software
supply
chain
Security
in
general,
with
Sig
Source,
specifically
and
and
really
like.
Maybe
y'all
can
can
kind
of
give
me
some
context,
while
I'm
moving
about
like
why
I'm
hearing
so
much
Buzz
around
software
supply
chain
security
like
what.
Why
is
that
such
an
important
topic
right
now.
D
E
C
B
I
think
that's
that's
exactly
the
right
point
to
make
I
think
trust
is
is
really
the
key
word
here
because
in
in
some
sense
software
supply
chain
security
is
no
different
than
any
other
kind
of
computer
security.
It
is
all
about
what
happens
when
your
assumptions
are
violated.
You
thought
that
you
know
to
go
back
to
that.
That
example,
that.
B
Later
you
know
some
open
source
library
that
you
were
using
did
one
thing
and
in
fact
it
did
another
and
then
that
caused
a
leak
of
of
private
information
could
also
you
know
be.
You
know,
you
thought
your
build
machine
was
building
things
correctly
and
it
turns
out
your
build
machine
was
compromised
and
hacked,
and-
and
so
you
know
in
some
sense,
all
security
is
the
same.
But
what
really
makes
this
problem
different
and
interesting?
B
Is
it's
about
yeah
trust
like
what,
when
you
are
getting
your
software
from
somewhere
else
and
that
could
be
software,
you
think
you've
written
that
could
be
software.
Someone
else
has
written.
Why
do
you
think
it
is
the
right,
the
right
software
and
I?
Think
that's
why
it's
so
hard
and
scary
to
go
down
this
journey
is
because
the
first
step
is
to
try
to
enumerate
all
of
those
trust
assumptions
that
you've
made.
When
you,
you
know
every
time
you
type
a
coupe
control
apply
right,
like
you
know,
there
are
a
ton.
B
A
B
And
again
it
goes
back
to
you
know.
The
word
assume
is
is
really
key
here,
because
yeah
I
assume,
if
I
publish
something
to
my
GitHub
repository
and
then
later
you
know
that
gets
built
and
deployed.
What
got
built
must
have
come
from
that
GitHub
repository
right,
because
it
says
you
know
it
says
my
name
on
it
and
and
that's
exactly
the
point
Lewis
was
trying
to
make
is
just
because
something
has
a
particular
label
with
the
Twitter
handle.
Just
because
something
has
their
label
doesn't
mean.
A
B
Sure
I
I
can
go
ahead
and
and
take
a
stab
at
that.
Okay,
the
short
answer-
and
this
goes
back
to
exactly
exactly
the
point
about
why
I
kind
of
left,
the
academic
world
before
Sig
store.
We
had
a
bunch
of
great
technology
that
you
could
use
to
sort
of
verify.
The
Integrity
of
your
software's
supply
chain
and
some
of
the
some
of
the
technology
is
cryptographic
right,
digital
signatures
and
and
so
on.
B
Some
of
the
technology
was
was
oriented
towards
you
know
software
deployment
systems
and
nobody
used
it
right
and-
and
so
this
is,
this-
is
in
the
open
source
world
right,
We've
supported,
digitally
signed
software
packages
on
repositories
like
Pi
Pi
for
well
over
a
decade.
At
this
point,
the
the
adoption
you
see
by
package
maintainers
is
low,
low,
single
digits
right
and
nobody
signs
the
packages.
Then
I
can't
have
a
policy
like
I'm
only
going
to
use
signed
software
right.
A
B
And
I
mean
usability
is,
is
such
an
important
part
of
any
technology?
You
know
the
the
prevailing
sort
of
school
of
thought
in
the
1990s
among
among
crypto
folks
was
extremely
optimistic.
It
was
you
know
now
that
we
have
these
algorithms
censorship
is
over
and
you
know
we
can
have,
and
you
see
some
of
this
also
checking
off
the
buzzwords
in
the
in
the
cryptocurrency
world.
B
This
optimism
about
the
like
Supreme,
you
know
like
the
the
importance
of
the
technology
itself
and
once
the
technology
is
in
place
to
do
something,
adoption
will
will
naturally
follow,
but
really
we've
found
that
getting
folks
to
do
the
right
thing
means
it
has
to
be
easy
for
them.
It
has
to
be
convenient,
it
shouldn't
cost
them
anything,
and
so
usability
I
think
it
was
a
missing
ingredient
from
a
lot
of
solutions
for,
in
particular,
digital
signing,
which
is
what
we're
going
to
be
talking
a
lot
about
today.
Okay,.
B
A
B
The
meaning
of
zero
trust
is
is
quite
interesting.
It's
this
idea
that
whenever
you
get
you
know
it
came
mostly
from
from
the
networking
World.
Whenever
you
get
a
network
connection,
you
should
not
trust.
You
know
that
the
data
coming
down
that
pipe
is
actually
from
who
you
think
it
is
because
it
came
in
on
a
particular
Port,
with
a
particular
Source
IP
address.
Rather,
you
should
try
to
use
real.
A
B
Yeah
yeah
and
firewall
is,
is
not
quite
the
right
terminology
to
use,
but
I
think
I
think
it's
in
a
very
analogous
so
priests
and
store
you're
you're
doing
something
to
your
kubernetes
cluster.
Well,
you
type
in
you
know.
Let
me
let
me
download,
you
know:
GCR
dot,
IO
or
hub.doctor.com
Ubuntu
colon
latest
and
because
it's
you
know
coming
from
Docker
Hub,
it
must
be
the
image
that
I
I
think
it
is.
E
B
A
E
A
Before
six
store
people
weren't
using
security
software
not
period
but
not
fully
right
and
then
assumptions
were
being
made
that
think
that
entities
were
well
just
say:
assumptions
were
ring
made
yes
and
then
fuel
snowball
said
that
they've
heard
this
called
onion
layer
security
as
opposed
to
hard
shell.
That's
interesting
I
like
that,
those
those
mental
images
yeah.
B
Yeah
I
think
I
think
that's
that's
a
nice
analogy
right
where,
where
yeah
you,
you
really,
you
know
you
want
defense
in
depth,
is
sort
of
the
term
you
would
use
if
you
were
wearing
a
suit
and
pitching
a
you
know,
military
administrator
on
buying
your
company's
product.
But
all
the
same
idea
right
is
that
you
know
you
want
layers
of
security
you
want
to.
Whenever
you
are
hand
in
software
and
told
to
run
it,
you
should
be
asking.
B
A
E
B
And
the
the
part
of
the
problem
that
it
it
does,
a
really
good
job
with
is
sort
of
assigning
identity,
to
sort
of
actors
in
a
system-
and
that
includes
you
know,
human
actors,
so
I
might
trust
some
software
because
Whitney
built
it
or
because
Lewis
built
it,
but
it
also
assigns
identity
to
machines.
So
I
might
trust
this
binary
because
it
was
built
on
Circle,
Ci
or
Travis
Ci
or
GitHub
actions.
E
B
And
so
prior
to
sing
store.
What
we
would
do
is
you
know
we
would
have
cryptographic
key
material,
you
know
I
would
I
would
generate
a
key
pair.
So-Called
and
I
would
publish
the
public
half
of
that
key
pair
and
then
you'd
have
to
somehow
get
my
key
know
that
it
belongs
to
me.
I
would
have
to
keep
the
secret
half
really
protected.
You.
E
B
Maybe
it's
in
like
a
Hardware
security
module
but,
like
everything
really
does
hinge,
then
on
that
on
that
key,
and
so
when
you
have
that,
if
you
can
sort
of
now,
you
can
say
who's
who,
because
only
Zach
has
Zach's
public
key
trust.
You
know
if
I
sign
a
message
you
can
say:
cryptographically
I
am
confident
that
that
message
was
signed
by
Zach,
because
Zach
is
the
only
person
who
holds
that
key,
but
that
requires
solving
two
really
really
hard
problems.
One
is
one
is
sort
of
key
distribution.
B
You
know
who
how
do
I
get?
You
know
your
key
in
the
first
place
and
a
lot
of
early
cryptographic
systems
have
worked
based
on
a
philosophy
called
Web
of
trust
where
I'll
get
a
key
off
the
internet
and
then
oh,
it
turns
out.
You
know,
Whitney,
you
know,
I
get
Whitney's
key
Whitney
knows
Lewis
and
I
know
Lewis.
So
then
transitively
I
can
start
to
trust
that
you
know
this
key
does
in
fact
belong
to
Whitney
and
this
one's
kind
of
okay.
B
F
B
Laptop
hard
drive
crashes,
you
know
if
my
private
key
was
on
there.
I'm
toast
right
we're
we're
out
of
luck.
There's
nothing
I
can
do
to
continue
publishing
software
signed
with
that
key.
So,
if
we're
requiring
signatures
from
what
you
know,
what
all
all
terms
a
traditional
you
know,
public-private
key
pair,
a
long-lived
public-private
key
pair
and
anything
bad
happens,
we're
in
a
whole
lot
of
trouble.
Yeah.
B
Absolutely,
and,
and
so
like
that's
the
thing
is
like
it
doesn't
just
need
to
be
easy.
It
needs
to
be
the
default
right
and
like
without
thinking
about
it,
and
you
know
if
I'm,
a
developer
and
I'm
just
trying
to
get
my
job
done.
I
shouldn't
have
to
think
about
security,
that's
someone
else's
job,
and
so,
if
you
have
infrastructure
appropriately,
you
know-
and
this
is
a
dream
right-
it's
kind
of
far
off
I'm
sure
most
most
you
know,
developers
and
and
other
other
folks.
B
Listening
have
had
an
incident
where
they
just
wanted
to
do
something
really
simple
and
the
security
team
put
their
foot
down
and
said
no
and
I
urge
you
to
you
know,
respect
them
for
that,
because
they
really
are
doing
what
they
have
to
to
keep
things
safe,
but
the
best
security
Technologies
are
ones
that
we
can
roll
out
and
it's
seamless.
You
know
nobody
has
to
change,
especially
on
the
consumer
end.
B
Absolutely
and
that's
I
mean
I,
think
that's
pervasive
and
kind
of
for
for
a
good
reason,
so
well-intentioned
security
folks,
you
know
a
couple
decades
back
really
started
spreading
spreading
this.
This
idea
that
security
is
hard
and
you
shouldn't
try
to
do
it
yourself,
because
you
know
you
need
special
training.
You
need
to
be
one
of
these
Purity
Engineers
and
I.
Don't
even
totally
disagree
with
that
right.
B
There
are
so
many
subtle
things
that
can
go
wrong
in
the
security
world
that
you
really
are
always
best
best
off
by
by
sort
of
Consulting,
with
an
expert
and
thinking
through,
because
they're
gonna,
they're
gonna
point
something
out
that
you've
never
in
your
life
thought
of,
but
at
the
same
time,
that
attitude
makes
it
so
hard.
For
you
know
everyone
else,
which
is
most
of
the
people
in
the
world
to
adopt
these
security,
Technologies
and
I.
B
A
D
B
F
B
A
B
C
C
They'd
have
to
say
that
they
are
happy
with
it
and
then
we'd
be
able
to
proceed,
and
that
was
usually
a
barrier
to
entry
which
group
it
prevented
us
from
building
what
our
unique
selling
point
was
for
a
company,
and
usually
you
need
to
build
those
things
to
be
able
to
make
money
and
have
a
company
and
so
forth,
and
so
it
was
never
that
fun
and
again.
For
me,
it
was
that
basis
of
king
of
security.
I
I
preferred
at
that
time.
C
Just
compare
this
as
well
to
documentation
it's
a
case
of
if
you've
got
an
idea,
that's
great,
but
until
you
pull
it
down
on
writing
and
it
when
you
start
to
share
that,
that's
when
you
start
making
a
difference
so
with
security.
Again,
it
shouldn't
be
an
after
port.
It
shouldn't
be
something
that
you're
thinking
about.
If
you
make
a
attempt
at
it
and
then
whether
you're,
right
or
wrong,
at
least
you're
starting
on
that
basis,
but
then
because
you're
going
to
be
more
secure
by
starting
than
other
thought.
A
And
sometimes
it's
easier
to
incorporate
it
from
the
grounds
up
to
then
try
to
add
later
Louis.
If
you
want
to
put
that
link
in
the
private
chat,
I
can
transfer
it
over
to
the
the
chat
that
everyone
sees
so
so.
To
recap:
I
have
a
feeling
we're
just
barely
tipping
the
iceberg
here,
but
so
far,
Sig
store
assigns
identity
to
actors
in
a
system.
So
that
includes
what
people
in
processes
and
so
far
that
assists
with
key
distribution
and
key
management,
and
we
say
keys
we're
talking
about
like
the
private
key
infrastructure.
E
B
Yeah
and
so,
and
so
this
isn't
just
you
know
my
my
opinion
right
going
back
to
terms.
Why
should
you
trust
me
just
because
I'm
grumpy
about
you
know
a
particular
set
of
tools
doesn't
mean
that
that
they're
not
any
good,
but
there
is
actually
a
pretty
rich
vein
of
you
know:
academic
research
on
you
know
so-called
usable
security
and
there's
there's
a
bunch
of
papers.
B
The
the
first
one
was
called
why
Johnny
can't
encrypt
and
then
you
know
a
couple
years,
and
that
was
basically
looking
at
some
of
these
tools
that
you
used
for
for
encryption
and
digital
signatures
and
just
watching
people
experts
right
nominal
experts.
They
went
around.
You
know
the
The
Graduate
students
at
a
computer.
You
know
Cutting
Edge,
computer
science
laboratory
and
they
said
you
know,
try
to
use
this
security
Tool
and
they
watched
people
flail
and
then
they
wrote
up.
E
B
They
said
something
something's
got
to
change,
and
then
you
come
back
a
decade
later
and
someone
writes
a
paper
called
why
Johnny
still
can't
encrypt-
and
you
come
back
five
years
after
that
and
there's
why
Johnny
still
still
can't
encrypt
and
so
there's
a
whole
bunch
of
backing
for
this.
This
idea
that
something
is
hard
about
the
the
scheme
that
we've
set
up
for
digital
identities
and
digital
signatures,
and
that's
what
we're
trying
to
make
a
little
bit
easier
and
so
I
could
complain
all
day.
A
B
D
F
B
And
I'd
like
to
be
more
clear:
let's
ask
that
question.
What
do
I
mean
when
I
sign,
for
instance,
a
container
yeah
like
sort
of
the
semantics
question,
is
a
really
really
interesting
one
and
it's
a
really
common
impulse
to
say?
Oh,
like
I,
don't
know
if
I
trust
this
container,
if
it's
signed,
then
it
must
be
secure
and
that's
not
necessarily
A
a
useful
way
of
looking
at
the
problem,
because
what
like,
if
I,
go
and
I
type
a
command
using
Sig
store
to
sign,
sign
a
container
image?
B
Does
that
mean
that
I,
like
hex
dumped
the
file?
You
know
the
the
like
layers
of
the
container
image
and
looked
at
every
byte
on
my
own?
You
know
like
I
I'm,
making
some
assumption
about
like
what
was
in
that
binary
blob
when
I'm
I'm
signing
it
and
so
signatures
on
their
own,
don't
really
mean
anything
other
than
the
person
who
who
owns
the
private
key
chose
to
create
a
signature
on
this.
You
know
byte
stream.
This
binary
data.
E
B
What
we
do
with
the
signature
is
that
imbue
them
with
with
meaning.
So
in
the
example
of
you
know,
Cas
and
and
signatures
there.
You
know
if
I
go
to
example.com
in
my
browser,
example.com
has
a
certificate.
What's
a
certificate,
you
can
think
of
it.
As
a
little
note
that
says:
name
example.com,
you
know
public
key
Innovation.
They
share
the
key
of
example.com
and
then
why
should
you
trust
that
that
certificate?
B
So
what
do
I
mean
by
an
attestation
rather
than
signing
like
think
of
it,
as
like
you're
writing
a
letter.
If
I
just
wrote
you
a
letter
and
I
said
you
know
open
SSL
and
then
I
said
you
know,
sign
Zach
and
I
put
my
you
know,
signature
on
that
and
I
got
it.
Notarized
and
I
handed
it
to
you.
What
are
you
to
do
with
that?
E
A
E
B
Claim
about
usually
a
digital
artifact
and
often
signed
by
a
particular
party
from
the
comments.
Semantics
is
just
a
very
hoity-toity
word
for,
like
meaning
like
what's
the
meaning
of
of
a
signature,
and
so
thinking
hard
about
what
the
meaning
of
a
signature
is,
is
a
big
part
of
trying
to
design
a
secure
software
supply
chain.
A
B
D
E
F
E
C
Think
for
me,
that's
what
signing
and
it
doesn't
have
to
be
a
container
image
either
it's
whatever
digital
artifact.
It
is
it's
this
way
of
where
it's
happening,
to
say
that
this
is
from
us.
This
is
who's.
Doing
it
and,
like
usually,
I'd
use
a
food
analogy
as
well
of
if
you're
going
to
a
restaurant
for
a
meal,
you
don't
necessarily
unless
you're
on
the
chef's
table,
you
don't
get
to
see
the
whole
process.
You
don't
get
to
see
where
the
ingredients
come
from.
You
didn't
see
them
growing
in
the
ground.
E
C
E
C
So
with
this
with
this
signing,
it's
a
way
that
we
can
start
to
identify
this
and
I'd
also
say
because
we
got
security
is
hard
written
there
and
again
like
for
me:
that's
something
which
I
try
not
to
agree
with,
because
and
I
I
think
this
is
as
I've
learned
in
life.
Most
things
in
life
are
hard,
but
it's
a
case
of.
If
you
work
hard,
add
hard
things,
then
you
become
a
bit
easier.
E
B
F
A
B
A
C
Yes,
exactly
if
you
could
keep
me
honest
on
this
bit,
then,
if
I
go
back
to
the
kitchen
for
a
moment,
because
the
other
thing
that
we
have
and
it's
something
that
you
might
start
to
hear
a
bit
more
of
this
provenance
and
with
provenance,
if
you
feel
like
you
should
have
heard
this
word
before,
but
then
you
don't
know
what
it
means.
Just
remember,
origin,
it's
all
about
the
origin
of
something
so
with
attestations.
The
way
that
the
way
I
think
of
provenance
is
the
recipe.
C
B
Yeah
yeah
I
think
so
I
think
so
and
then,
while
while
we're
picking
that
definition,
the
definition
you're
giving
is
almost
more
for
the
foreign
attestation
than
Forest
signature.
And
so
then
the
attestation
is
going
to
be
itself
is
going
to
be
signed.
So
I
might
I
might
rephrase
that
basically
just
say
an
attestation
makes
a
claim
about
a
digital
artifact
and
is
signed
or
something
and
you
just
kill
the
first
line
and.
B
A
Before
agreements
Do
You,
Know,
The,
Four,
Agreements,
I
I,
basically
try
to
live
my
life
with
this
moral
code
called
The,
Four
Agreements
and
it's
the
first
one
is
well,
it's
don't
make.
Assumptions
is
one
of
them,
so
in
life
in
general,
I
try
hard
not
to
make
any
assumptions.
So
I
appreciate
everything
that's
going
on
here,
but
it's
yeah
I'm,
not
sure
it's
an
interesting
show
but
I
think
we're
going
to
produce
a
great
result
here.
So
an
attestation
makes
the
claim
about
the
digital
artifact
and
then
the
signature
signs
the
address.
Yeah.
D
C
But
this
is
where
standing
on
our
shoulders
of
Grimes
comes
in,
because
this
is
lots
of
problems
that
and
as
Zach
mentioned
with
the
with
the
paper
earlier
on,
this
is
complex
and
it
has
and
a
bit
complex
when
there's
a
complex
issue
to
solve.
Then
it
does
there's
complexity
built
with
that,
but
that's
where
six
door
stands
come
in
because
for
me,
that's
where
I
started
with
this.
Essentially
it
was
from
by
end
user.
C
So
we're
telling
you
all
these
problems,
and
it's
all
good
like
this-
is
how
big
it
is,
but
then-
and
this
isn't
and
again
next
one
for
birds
for
Bingo
shift
left
this
isn't
about
putting
it
onto
someone
else.
This
isn't
having
to
go
on
to
a
training
course
for
so
long
to
completely
understand
every
aspect
of
this.
This
is
how
we
can
build.
C
F
E
C
But
we
need
to
put
these
things
in
place
to
be
able
to
build
this
up
for
ourselves
and
so
again,
that's
why
we're
not
solving
all
of
security
here,
but
this
has
given
us
a
from
The
Source
from
the
provenance
from
the
origin.
Thus,
given
us
confidence
to
know
what
we're
building
from
and
that's,
why
I
feel
that
it's
as
important
as
it
is.
B
B
Yeah
then,
let's,
let's
do
that,
let's,
let's
get
into
the!
How
so
yeah
like
I
said:
managing
digital
digital
Keys
is
a
pain
right
you're,
as
opposed
to
you
know,
have
you
know
kind
of
a
a
you
know,
a
top
level
root
key
that
lives.
You
know
on
trusted
Hardware
in
like
a
safe
deposit
box
somewhere
that
and
then
you
take
that
and
you
have
sub
keys
and
you
have
to
have
those
and
again
they
shouldn't
live
on
your
laptop
people.
People
often
do
put
them
on
your
laptop.
B
So
if
any
of
these
get
exposed,
we
gotta
worry
about
that
and
in
managing
these
Keys
is
a
pain
and
like,
if
you
know,
if
we
had
a
physical
audience.
This
is
the
point
at
which
I'd
usually
say
all
right.
Raise
your
hand.
If
you
have
you
know,
pgp
signing
and
encryption
key
somewhere
in
The
Ether
like
you've
made
one,
and
you
don't
know
where
it
is
it's
in
you
know.
B
Maybe
it's
in
the
basement
of
your
house
on
an
old,
hard
drive,
right
and
and
developers
are
as
as
a
rule,
not
obviously
some
people
do
a
very
good
job
of
this,
but
but,
for
the
most
part,
pretty
bad
at
managing
Keys.
Just
because
you
know
that's
not
what
we
do
as
humans
is
pay
attention
to
these
like
little
little
things
that
live
on
a
thumb
drive
people
are
pretty
good
at
keeping
their.
B
If
they
got
into
my
Gmail
account
and
they
wanted
to
ruin
my
life,
it
would
take
them
15
seconds
right
and,
and
so
developers
are
pretty
good
at
managing,
that
kind
of
of
digital
identity
and
and
so
the
the
Insight
behind
six
door
is.
Can
we
turn
the
digital
identities
that
people
already
manage?
Can
we
take
those
and
use
them
for
long-lived
digital
signatures.
B
Sig
store
will
issue.
You
me
one
of
those
certificates,
I
thought
about
or
that
we
were
just
talking
about
that
says.
This
is
Zach
at
google.com.
Sincerely
Sig
store,
right
and
I
can
take
that
and
I
can
go
sign
something
and
then
I
can
take
that
signature
and
that
certificate
and
hand
it
to
someone
else
and
convince
them
that
I
that
I
am
in
fact
rather
than
the
person
that
signed
the
artifact
was
me
at
least
six
store.
A
A
B
So
if
you
click,
you
know,
log
in
with
Facebook
into
a
web,
app
exact
same
trick
that
convinces
that
web
app
that
you
control
a
particular
identity
on
Facebook.
You
can
log
in
with
Gmail
log.
In
with
you
know,
a
large
number
of
of
identity
providers
support
the
protocols
like
this
and
which
ones
are
supported
today
is
is
kind
of
an
accident,
so
we
won't.
E
C
So
at
this
point,
as
well
I'll
just
say
again
back
in
my
developer,
pass
I
once
made
my
own
authentication
server
and
again.
If
you
want
to
lose
sleep,
just
do
that
and
it's
a
basis
as
I
was
saying
because
it
is
ingrained
to
us
day
to
day,
is
that
my
I've
got
a
number
of
things
hosted
on
my
Google
account,
and
so
for
me,
that's
my
point
of
trust,
I
trust,
Google
and
the
security
at
this
level.
I've
got
multi-factor
authentication
set
up
on
my
Google
accounts.
C
I've
got
alerts
whenever
I
sign
in
on
a
new
device,
so
naturally
I'm
built
about
security
for
myself,
and
so
then
we're
also
used
to
doing
that
in
this
process
as
well
standing
on
the
shoulders
of
drones.
We've
already
done
it,
but
you
can
tick
again,
just
in
case
you've
only
just
joined
into
our
Bingo
lingo
game.
B
C
F
C
So
again,
Bingo
and
they're
doing
it
on
a
date
which
doesn't
mean
anything
to
anyone
within
Tech
on
May,
the
4th,
so
I,
don't
think
anyone
will
remember
the
dates
when
that
happens,
but
it
just
shows
again.
It
shows
this
basis
again
where
this
is
an
expected
standard.
This
is
a
this
is
what
I
would
expect
as
a
developer.
Nowadays,
this
is
necessarily
just
security.
This
is
what
I'm
expecting
and
so
having
this
in
place.
C
E
A
C
A
B
B
And
that's
really
useful
for
having
basically
sort
of
cicd
systems
or
or
other
other
things
like
that,
make
plans
right,
because
what
what
does
it
mean
for
you
know,
GitHub
actions
to
say
something.
Well,
GitHub
actions
is
a
system
and
they
can
basically
promise.
I
was
running
this
this
workload,
and
so,
if
you
know
like,
for
instance,
if,
if
you
know
that
a
software
package
was
built
in
JavaScript,
let's
say
using
npm
build,
that's
a
real
command.
B
You
can
and
that's
the
only
thing
that
ran,
and
you
know
what
source
was
the
input
to
that
now.
You
can
be
pretty
confident
that
the
package
actually
matches
the
thing
that
was
on
GitHub
right,
because
otherwise
there's
a
hack
I
can
do
where
I
have
my
beautiful.
You
know
github.com
leftpad
library
and
that's
developed
in
the
open,
and
we
have
two-party
review.
We
follow
all
the
best
practices.
E
B
E
B
E
C
Is
reproducible
builds
for
bit
for
bit
by
for
byte,
which
allows,
but
equally,
when
you're
getting
started
with
sixstor
there's,
there
was
I,
remember
doing
six
door,
the
bashway
and
then
there's
breakdowns
at
each
point,
and
then
it
shows
you
how
to
do
these
things.
But
again,
if
we
start
doing
that
buzzword
again,
drifting
containers,
we
didn't
like
having
drift
previously,
we
didn't
like
it,
but
if
we
created
a
VM,
we
had
SSH
on
to
add
this
package
and
so
forth.
We
want
informal
environment.
So
again
we
want
this
automation
here.
B
B
C
A
C
A
B
A
B
B
B
B
But,
like
you
know,
if,
if
like
me,
you
carry
a
water
bottle
with
you
everywhere,
you
worry
a
lot
about,
losing
it
right
and
and
so,
if
instead
you
just
every
time,
you're
thirsty,
buy
a
plastic
water
bottle
and
throw
it
away.
You
don't
have
to
worry
about
losing
it.
It's
worth
the
effort,
in
my
opinion,
to
bring
the
reusable
water
well
generate
a
bunch
of
plastic
waste,
but
that's
that's.
What
we're
doing
with
with
keys
and
keys
are
free.
You.
D
A
E
E
B
Then
you
hand
the
public
key
to
six
store.
Okay,
it
basically
signs
off
on
that
public
key
and
says
Yep.
This
belongs
to
Whitney
and
then
once
you've
got
that
certificate
you
can.
You
can
use
the
private
key
that
you
have
sign
something
and
hand
them
the
thing
that
you
signed
the
certificate
and
the
signature,
and
someone
will
be
convinced
asterisk
and
we'll
we'll
re,
we'll
revisit,
there's
one
more
step,
but
someone
will
be
convinced
that
Whitney
signed
this
thing.
A
E
B
Yeah
so
yeah
I
hand
you
the
thing
that
I
signed,
so
that's
usually
the
like.
In
our
example,
the
letter
about
openssl
that
I
wrote
to
you,
the
digital
signature
on
that
letter
and
then
the
certificate
which
includes
the
public
key,
and
it
also
includes
the
identity
of
the
signer
and
the
certificate
itself.
You're,
going
to
trust
that,
because
you
trust
Sig
store.
E
B
E
B
Then
I
will
and
then
I
can
verify
the
digital
signature
on
that
that
artifact
or
that
attestation
against
that
public
key
from
the
certificate.
And
if
that
checks
out,
then
I
can
be
pretty
confident
that
Luke,
you
know,
Lewis
gmail.com
or
whatever
the
digital
identity
is
that
we're
using
actually
getting.
B
Yeah
yeah
it
is,
it
is
kind
of
like
its
own
private,
key
infrastructure,
which
is
tooling
for
doing
exactly
what
you
just
said
for
taking.
You
know,
trust
in
some
infrastructure
or
some
service,
or
some
or
like
a
small
number
of
parties
and
turning
that
into
trust
for
a
lot
of
different
digital
identities.
B
E
B
D
B
In
an
operating
system
exactly
and
so
the
component
of
Sig
store
that
does
this-
that
issues
the
certificates
is
it's
called
Full
Co
is
the
name
you
you
might
have
heard
or
falchia
there's
no
canonical
pronunciation
as
far
as
I
know,
f-u-l-c-I-o,
and
so
fulsio
is
the
certificate
Authority.
The
CA
in
Sig
store.
C
F
C
It's
a
blog
post,
titled,
A,
New,
Kind,
Of
Trust
route,
which
shows
the
key
signing
ceremony
and
that
took
place,
which
is
essentially
where
this
trust
is
coming
from
yeah
and
it's
a
case
of
just
to
reiterate
as
well
when
you
have
a
public
key
that
allows
you
to
decrypt
and
only
decrypt.
It
doesn't
allow
you
to
encrypt,
and
so
that's
why
private
keys
are
important
because
we
can
encrypt
with
them
and
that's
what
allows
our
trust
and
to
finish
up
with
Zach's
Point
as
well.
C
E
C
There's
such
a
reduced
attack
Vector
on
this
so
again,
I
might
be
going
a
bit
too
deep
now,
but
it
but
again,
this
is
where
for
me,
this
is
where
it's
huge,
because
it
we're
getting
so
much
we're
getting
so
much
from
what
we've
learned
previously
in
Tech,
and
this
is
all
just
getting
baked
in
so
this
is
also
easy
to
consume.
Now.
A
Foreign,
so
that's
wonderful
and
I'm
glad
you
brought
up
again
the
ephemeral
part
because
I
wasn't
I
wasn't
including
that
in
my
mental
model,
so
every
time
I
went
so
two
things
went
to
communicate.
Six
door
sits
in
the
middle
every
time,
they're
communicating
a
new,
see
a
new
key
pair
gets
made
and
verified
and
discarded.
Over
and
over
again,
you.
B
Kind
of
but
but
what's
what's
interesting
and
different
about
Communication
in,
like
a
a
you
know,
software
supply
chain
is
that
typically,
the
way
it
works
is
not
that
I'm
talking
to
you
live
and
sending
you
the
bits
of
my
you
know,
container
image
right.
You
know
synchronously,
but
rather
all
create
the
the
container
image
make
a
signature
on
that
container
image
all
go
away,
I'll
go
on
vacation
or
retire
or
whatever.
You
might
still
want
to
verify
that
container
image
much
later
and
Lewis
might
also
want
to
verify
that
container
image.
E
A
B
D
B
When
I
said
bundle,
the
ca
root
bundle
is
bundled
with
your
computer,
that's
kind
of
true,
but
more
often
it's
bundled
with
your
browser.
So
when
you
download
Chrome
or
Firefox
for
the
first
time,
that's
going
to
come
with
a
little
bundle
of
things
to
trust
baked
into
it
and
that's
how
we
do
it
in
six
store
as
well.
B
Typically
you're
going
to
bake
the
the
sort
of
root
of
trust
for
Sig
store
into
the
Sig
store,
binary,
which
I
think
makes
actually
a
good
bit
of
sense,
because
if
someone
was
able
to
compromise
the
tool
that
you're
using
to
verify
signatures
like
at
your
it's
already
game
over
right.
If,
if
you're
asking
this
tool,
are
you
verified.
E
B
E
A
B
Like
so
so,
yeah
I'm
gonna
produce
an
artifact
I'm
going
to
sign
it.
Part
of
that
sign
involves
me
authenticating
with
six
door,
so
I
have
to
click
log
in
with
you
know,
Google
or
or
whatever
button
I
get
the
certificate.
I
I
signed
the
artifact
and
then
I
can
publish
that.
However,
I
want
maybe
I
stick
it
in
my
container
registry.
A
A
B
A
B
B
A
C
I'm
gonna,
so
if,
when
you
purchase
something
from
a
store,
you
get
a
receipt
and
the
item
that
I
purchase
it,
it
states
till
I
purchase,
save
a
spun
and
there's
my
receipt
for
it,
and
it
says
at
this
moment
in
time:
I
did
this
transaction
and
there's
my
receipt
for
it.
It
doesn't
necessarily
state
that
the
bun
was
fresh
or
anything
to
that
effect,
but
it
confirms
that
it
was
maybe
that's
where
six
stories
more.
It's
not
so
much
about
the
building
of
the
making
of
that
bun.
C
It's
more
of
the
identity
of
that
process.
At
that
moment
in
time
to
say
all
right.
So
when
I
bring
you
the
bun,
then
it's
the
case
of
Lewis
Scott,
you've
done
because
you
can
see
the
receipts,
but
then,
if
a
bun
again
we
don't
want
it
to
be
that
the
bun
has
got
terrible
stuff
in
it.
But
that's
the
way
that
trust
is.
You
see
me
and
then
you're
like
I
trust
you
Lewis
would.
E
B
B
E
B
E
B
E
F
B
D
A
E
B
They're,
making
no
Claim
about
like
six
door
is
not
weighing
in
on
whether
that
claim
I
made
is
true
or
not.
It's
just
saying
that
I
said
it,
and
this
is
this
is
kind
of
what
a
real
life
notary
will
do.
Right,
you'll
sign
a
document
in
front
of
a
notary
and
the
notaries
got
their
stamp
and
their
stamp
says.
Yes,
in
fact
the
it
was.
You
know,
Zach
who
signed
this
document
and
that's
the
job
of
the
notary,
the
notary
doesn't
say
the
claims
in
the
document
are
true.
B
B
No-
and
it's
really
important
to
get
this
right
and
I
think
I.
Think
one
of
the
key
lessons
here
is
that
you
actually
are
able
to
say
more.
If
you
claim
less
and
and
what
I
mean
by
that
is,
if
I
wanted
to
build
a
service
to
verify
that
a
container
was
good
and
then
have
that
service
vouch
for
containers,
I.
D
E
B
D
A
Policy
feels
like
maybe
a
can
of
worms
or
I,
do
want
to
capture
that,
but
before
we
do
I'm
kind
of
the
logistics
of
this
I'm
not
quite
done.
My
mental
model
is
not
quite
there,
and
that
is
what
like
this,
like:
we're:
we're
verifying
trust
in
a
container
image.
So
presumably
this
is
getting
pushed
to
a
registry
and
therefore
that
image
in
the
registry
can
be
trusted
like
how
is
are
all
three
artifacts,
bundled
together,
so
that
the
the
image
is
pulled
or
like.
B
B
Yeah,
that's
a
great
question
and
this
gets
to
the
kind
of
logistics
right
from
a
theoretical
perspective.
It
doesn't
matter.
I
could
print
these
out
and
mail
them
to
you
and
you
could
type
them
into
your
computer
of
the
same
bytes
and
you
could
do
that
verification.
Obviously,
from
a
real
life
perspective.
It
does
matter,
and
so
the
tooling
that
we
use
in
six
store
will
go
ahead
and
stick
so
that
image
is
in
the
registry.
B
We'll
actually
go
ahead
and
stick
that
at
a
station
and
that
certificate
also
into
the
registry
as
well
kind
of
alongside
the
container
image
and
it's
kind
of
a
hack,
it's
kind
of
a
hack.
How
we
do
that,
so
we
can.
We
can
get
get
into
that
or
not
get
into
that
as
as
desired.
But
but
there's
a
new
feature
in
oci
that
basically
lets
you
attach
things
to
a
container
image
and
that's
that's
what
we're
doing.
D
A
D
A
B
Guess
yeah,
so
anybody
can
do
this
same
verification
process,
so
it
depends
on
like
what
what
you're
trying
to
do.
So
you
could
imagine
doing
this
from
a
kubernetes
admission
controller.
You
could
imagine
doing
it
from
the
register.
You
could
imagine
doing
it
from
the
command
line
you
know
manually
and
and
all
supported
so
I'm
going
to
use.
You
know
the
word
verifier
interchangeably
for
all
of
these
scenarios.
E
A
C
But
before
we
do
not
just
because
I
think
it's
one
thing
just
to
stay,
because
we've
focused
purely
on
containers
at
this
moment
with
that
image,
and
that
last
point
and
then
it's
just
to
say
that
it
doesn't
just
have
to
be
containers
here.
It's
the
case
of
it
could
be
a
git
commit,
for
instance,
so
you
can
sign
a
git
commit
at
this
moment
in
time.
C
That
same
process
happens
for
this
different
binary
essentially,
but
it
could
also
be
a
blob
it
could
be,
it
could
be
a
binary
itself
and
these
things
that
we're
signing
and
again
this
is
all
just
about
building
up
Trust
of
that
stage,
and
you
put
it
quite
eloquently
as
well
Whitney
just
to
say
well,
do
I
need
to
validate
this,
and
then
that
takes
us
all.
The
way
back
to
the
past
is
a
case
of
well.
C
You
didn't
have
the
option
to
validate
this
in
the
past,
necessarily
because
we
didn't
have
what
we've
been
discussing.
You
can
validate
this
and
not
everyone
would
potentially
want
to
validate
it.
That's
cool
we're
all
ourselves.
We
all
live
differently
great
for
that.
But
if
we
go
back
to
that
food
analogy,
if
you
food
analogy,
if
you
had
a
food
allergy,
so
if
you're
allergic
to
peanuts
or
shellfish,
when
you
go
to
a
restaurant,
your
experience
is
a
bit
different
to
someone
else.
You
don't
just
sit
down
and
say
I'll
order.
D
C
It's
taken
so
much
time
and
effort
to
do
so,
then,
over
time
we're
going
to
get
cves
we're
going
to
have
zero
days,
we're
going
to
have
issues
that
we
learn
with
that,
but
if
we
can
adopt
to
utilize
new
code-
and
we
can
use
tools
such
as
this
to
be
able
to
imply
trust
so
that
we
can
say
this
is
coming
from
a
trusted
organization.
This
is
coming.
We've
seen
the
processes
we've
seen
their
audits.
E
E
A
It's
not
limited
to
this
one
yeah
great
excellent
and
trust
and
trust
and
assumptions.
It
all
comes
down
to
trust
and
assumptions,
absolutely
all
right.
So
so,
let's
talk
more
about
the
ephemeral
nature
of
the
certificates,
and
maybe
now
that
we
have
this
diagram
drawn
out.
We
can
talk
about
how
what's
fair
ephemeral
and
what
we're
trusting
here.
Yeah.
B
Yep,
so
this
goes
back
to
that
that
difference
in
sort
of
the
needs
of
public
key
infrastructure
for
browsing
the
web
and
for
verifying
long-lived
artifacts
when
I
am
you
know,
connecting
to
Twitch
right
now,
I'm
doing
that
at
a
moment
in
time,
and
so
when
twitch
gets
its
certificate
from
the
certificate
Authority
that's
going
to
have
some
quote
unquote
validity
period.
What
is
the
dates
between
which
this
is
valid?
F
B
B
That
goes
in
the
certificate
is
like
an
expiry
date.
Basically,
so
that
doesn't
work
for
the
long-lived
artifacts,
necessarily
because,
if
the
artifacts
expire,
then
that
means
they
might
expire
because
before
like
they,
they
might
still
be
good,
but
go
ahead
and
expire
anyway,
and
then
I
have
to
go
back
and
resign
them
and
if
I
forget
to
resign
them,
you
know
prod
goes
down
like
like
really
what
we're
trying
to
avoid.
So
what
we
do
here
is
we
say:
well,
the
lifetime
of
the
certificate
isn't
really
about.
B
How
long
is
the
claim
in
the
certificate
Val
or
the
claim
in
the
attestation
ballot?
The
certificate
is
much
more
about.
When
did
the
signing
happen,
so
what
you
can
do
is
you
can
attach
for
that?
One-Time
use.
Key
I
only
need
to
use
it
for
the
next
you
know
say
10
minutes.
So
when
I
get
that
specific,
it's
actually
going
to
say
you
know
it's
valid
between.
You
know:
12
25,
pm
and
12
35
pm.
E
B
Idea
for
it
10
minutes
from
now-
and
this
is
really
nice
because
it
means,
even
if
somehow
someone
you
know,
I
I
didn't
clear
my
memory
and
someone
some
attacker
got
it
or
whatever
happened,
they're
not
going
to
be
able
to
do
anything
with
it,
because
we're
going
to
that.
The
signature
happened
at
the
right
time
and
for
that
we
need
a
new
service.
A
B
A
A
B
D
E
A
A
B
A
E
B
E
A
F
A
B
Yeah
yeah
I
mean
once
we
have
the
time
stamps,
then
the
the
you
know
certificate
can
be
only
valid
for
a
really
short
period
of
time
if
our
verifying
a
couple
weeks
from
now
goes
and
they
check
the
time
that
the
signature
happened
at
and
that
was
before
the
certificate
expires
in
pretty
good
shape.
You
know
it's
not
like
an
old
leaked
key.
You
know,
you
know
nothing.
Nothing.
A
A
B
B
C
And
so
from
working
with
people
with
this
as
well,
this
is
these
are
difficult
things
to
get
your
mind
around
and
this
aspect
because,
as
Zach's
been
alluding
to
this,
isn't
part
of
the
build
process.
Essentially,
this
is
a
way
of
identifying
trust
to
things
that
are
happening,
so
this
isn't
just
this
isn't
necessarily
a
muscle
that
you
use
quite
often
if
this
is
going
into
a
bit
of
a
different
direction.
Right.
B
A
B
A
C
A
F
B
No
and
that's
actually
true,
once
you
have
the
tools
installed,
it's
you
know,
cosine
sign
my
container
image,
your
browser,
pops
up,
you
click
log
in
with
my
my
Google
account
or
whatever,
and
then
it
it
just
does
all
the
rest
in
the
background,
and
then
you
can
type
cosine
verify
my
container
image.
You
pass
a
flag
to
say,
make
sure
you
know.
Lewis
used
his
Gmail's
account
to
sign
this
thing,
and
then
it
just
happens.
So
yeah
really
two
lines
of
bash
one:
to
sign
one
to
verify.
C
And
if
I
could
use
parallels
to
kubernetes
for
a
moment
so
when
I
got
started
with
kubernetes,
I
didn't
really
know
much
about
networking
and
I
learned
about
kubernetes
services
and
so
I
started
with
kubernetes
services
and
I
worked
my
way
to
understand
networking
and
it's
a
similar
basis
to
that
in
the
with
six
store.
This
is
a
way
that
we
can
build
the
trust
with
identity.
We've
gone
through
the
history
of
this
we've
gone
through
the
problems
and
again
the
complexity
of
the
problem
also
brings
that.
C
C
But
it's
stunning
on
the
shoulders
of
giants.
Yeah
again
it's
a
space!
You
don't
need
to
go
through
a
whole
security
program.
You
don't
need
to
understand
every
Edge
case
scenario,
but
the
people
who
have
worked
with
this
and
this
is
open
source
as
well.
So
this
isn't
just
an
opinion
Viewpoint
from
a
single
group.
This
is
industry-wide
as
part
of
the
open
ssf.
C
These
are
the
best
practices
that
we're
putting
in
place
yeah.
Thank
you
all
right
on
the
ephemeral
certificates
as
well.
I,
don't
know
if
this
will
potentially
help
just
in
case,
but
the
ephemeral
certificate
isn't
just
the
ephemeral
certificate
is
essentially
a
child
of
another
trusted
certificate.
So,
even
though
we're
seeing
it's
ephemeral
and
it's
throw
away
from
a
secure
place
so
that
we
can
trust
it,
it
isn't
just
this
random
certificate
that
we're
just
making
randomly
elsewhere.
C
A
C
And
it's,
and
as
well
with
recore,
for
example,
it's
it's
based
on
a
miracle
tree
and
which
Fenn
has
similarities
with
Git
and
I
once
said,
I
when
I
joined
chain
guard
Zach
went
through
that
with
me,
and
it
was
such
an
amazing
time
learning
so
much
from
Zach.
But
again
it's
and
I
think
Luke
Heinz
as
well,
so
Luke
Heinz,
GIF
Luger
mentioned
he.
C
He
said
this
in
a
number
of
talks
about
sixer
as
well,
and
this
is
basis
of
this,
bringing
the
right
tools
together
to
achieve
this
goal,
and
so
this
is
again
I
think
you
mentioned
about
doing
this
from
a
shed
in
Bristol
in
the
UK
during
lockdown
and
so
forth.
But
it's
this
basis
of
God
I've
said
it
so
many
times
shores
of
giants.
It's
it's
best
practices
and
it's
using
it.
This
isn't
just
a
new
OB
fingers
might
work.
C
This
is
this
is
tried
and
tested
Solutions
put
into
a
position
where
now,
if
with
it
becoming
ubiquitous
with
it,
becoming
easy
to
use
and
because
it
isn't
just
on
container
like
I
said
it
could
be
gitmates,
it
could
be
blurbs.
The
more
trust
that
we
can
put
into
this
as
well
the
healthy
develop
make
it.
A
And
John
says
great
acknowledgment.
The
work
is
that
two
lines
of
bash
plus
years
of
Blood
Sweat
and
Tears
and
Louis.
You
actually
said
something
like
where
like
so
much
has
come
together
to
accomplish
this
goal,
but
then
I
realized,
like
our
definition,
doesn't
say
a
goal
like
what
is
the
bottom
line?
What
is
the
goal.
B
D
A
B
And
and
sixth
score
tackles
one
the
the
sort
of
identity
problem,
which
is
only
a
small
component
of
secure
software,
but
basically,
when
something
you
know
a
container
image,
a
binary
comes
to
you,
along
with
you
know,
a
claim
about
why
you
should
trust
it,
and
then
that
claim
is
signed
by
someone.
You
in
fact
do
trust.
Then
we
can
be
it's
not
perfect.
It's
not
gonna.
Stop.
Issues
like
you
know,
there's
a
new
vulnerability
in
an
open
source
library
that
no
one,
because
that
wasn't
malicious
right.
B
That
vulnerability
was
just
an
accident,
so
we're
not
going
to
stop
accidents,
but
we
are
going
to
stop.
Is
things
coming
from
different
actors
than
you
thought
they
were
coming
from?
I
thought
I
was
getting
this
package,
you
know
from
the
nump
high
maintainers
and
in
fact
it's
Lewis
trying
to
trick
me
right.
E
D
C
Yes,
I'll
I'll
try
my
attempt,
if
you
want
so
you
can
so
I
believe
a
goal
is
about
understanding
what
we
have
control
over
if
we're
pulling
in
dependencies
from
third
parties,
and
that
is
open
sorted
and
it's
a
great
thing
to
do,
and
it's
what
we're
building
the
Internet
it's.
What
we
build
on
is
open
source,
but
we
also
need
to
have
trust,
and
so
in
there
are
times
in
your
life,
where
you
can't
build
all
the
software
locally.
You
can't
test
something
like
that.
C
You
need
to
have
trust
in
place
and
it's
identifying
where
those
trust
boundaries
are
so
with
this.
This
gives
us
a
way
that,
once
we
can
identify
a
way
to
trust
someone
or
something
whether
it
be
that
I
trust
this
organization,
I
trust
this
person.
I
trust
is
identity.
Once
you
get
to
that
point,
then
that
allows
you
it's
it's
allowing
you
to
have
that
secure
way
to
be
able
to
say
I
do
trust
this.
C
B
C
E
C
Show
just
like
I
can
see,
we've
only
been
here
for
an
hour
and
almost
45
minutes
and
again
it
just
I
think
it's
actually
an
amazing,
wonderful,
human
being
and
the
knowledge
is
phenomenal
and
I
equally
to
Whitney.
So,
but
with
that
trust
in
because
we
didn't
really
two
hours
ago,
we
didn't
all
know
each
other
as
well
as
we
do
now
and
and
it's
to
put
ourselves
in
this
position.
We've
got
to
have
trust
in
each
other
to
say
we're
going
to
go
on
the
internet.
C
D
A
B
One
more
detour
along
the
way,
I
think
so.
So
one
thing
we've
done
here
is:
we've
made
Sig
store
an
incredibly
load-bearing
part
of
our
our
whole.
You
know,
like
trust,
ecosystem
right.
If
someone
compromised
Sig
store,
they'd
have
control
over
everything
right
like
they,
they
can
start
start
impersonating.
Anybody
that.
B
Unfortunately,
that's
not
you
know
if
we
knew
how
to
do
that,
we
wouldn't
have
any
of
these
problems
in
the
first
place.
I,
don't
I,
don't
think,
and
so
the
second
best
thing
is
make
it
accountable,
and
so
what
I
mean
by
that
is
we
basically
make
all
both
of
these
components:
full
Co
and
recore.
We
make
them,
show
their
work
right.
A
B
That's
that's
the
short
of
it,
the
the
long
of
it
would
be
now.
This
complicates
how
we
do
our
verification.
One
thing
that
you
can
do
as
part
of
this
verification
is:
you
can
also
check
that
that
certificate
is
in
the
public
record,
and
you
can
check
that
the
the
time
stamp
is
in
the
public
record
and
what
this
does
is.
It
means
that
if
Sig
store
is
cheating
and
they're
trying
to
they
did
something
bad
and
then
they
they
didn't,
publish
it
you're,
just
not
going.
B
You're
only
going
to
accept
you
know,
certificates
that
are
are
public,
which,
which
basically
forces
everything
that
that
Sig
store.
Does
it
forces
it
out
into
the
open,
because
you
could
ask
nicely
for
them
to
to
on
to
be
nice
and-
and
you
know,
put
everything
in
the
public
record.
But
if
you
don't
require
it,
they
could
just
hide
any
shenanigans.
A
B
C
But
also
just
be
completely
away,
because
this
is
a
first
question
that
people
ask,
then
is
well
what
about
my?
What
about
my
image?
What
about
my
blog?
What
about
my
git
commit?
Am
I
meeting
that
publicly?
No,
it's
just
that
part
of
it.
It
is
purely
that
so
the
only
unique
identifier
to
you
would
be
the
email
address,
but
again
other
than
that
it's
well
email
address
and
what
you
use
to
authorize
yourself,
I
presume,
but
I
and
yeah
yeah.
E
C
C
F
B
F
A
B
Would
ever
be
able
to
track
me?
Instead?
What
we
do
is
we
we
use
some
cryptographic
tricks
and
based
on
the
the
space
remaining
on
this
white
board.
I'm
gonna,
I'm
gonna,
say
we'll
table
that
for
for
today,
okay
cryptographic
tricks
to
enforce
that
anything
that
goes
in
the
log
never
leaves
and
the
way
that
that
works
is
I'm.
Gonna
go
check
on
the
log
today
since
you're
going
to
say
great.
E
C
I
don't
need
we
haven't
mentioned
cosine,
which
is
a
tool
that
you
might
use
to
be
able
to
sign.
Containers
I,
think,
there's
everything
that
we've
gone
through
really
identifies
how
this
is
a
difficult
problem,
but
and
we've
gone
and
I
would
say:
we've
groked
it
into
a
level.
So
all
this
information,
this
isn't
a
cognitive
load
that
you
need
to
pass
on
to
your
team.
This
isn't
a
two-hour
video
that
you
need
to
pass
on
your
team
to
say
right,
we're
using
this
now.
C
This
is
a
basis
of
just
saying
to
you
to
give
you
trust
and
just
being
able
for
you
to
be
confident
to
say
we
can
trust
Sixto.
We
can
use
this
to
help
trust
and
also
the
the
last
thing
I'll
just
add
to
this
as
well.
When
you
do
share
this,
there's
usually
a
focus,
and
this
is
completely
fine.
It's
usually
a
focus
on
yourself,
it's
usually
a
focus
of
well.
What?
What
does
this
give
us?
And
this
isn't
about
yourself?
C
This
is
about
people
who
are
consuming
artifacts
you're,
creating
you're,
passing
this
trust
you're,
allowing
those
people
in
the
future
who
are
downloading
or
utilizing
these
artifacts
using
their
containers
he's
in
the
box.
Is
he
using
it
to
be
able
to
give
them
trust
in
what
they
are
using
is
giving
them
the
trust
be
able
to
run
with
it?
Yeah
I
think.
That's
me.
B
B
We
bundle
all
of
that
complexity
up
into
a
a
simple.
You
know,
tool
called
cosine
which
is
going
to
handle
all
of
the
steps
in
signing
and
all
of
the
steps
in
in
verifying,
and
it's
got
a
bunch
of
neat
tricks
that
it
that
it
does
for
containers
in
particular,
for
container
signing
is
the
name
of
the
tool
and
then
it
kind
of
evolved.
Oh.
B
B
B
D
B
B
Yeah
and
and
so
I'll
also
cover
cover
a
related
topic
which
is
like
how
are
people
actually
using?
This?
Are
people
actually
using
this
and
and
I
think
these
are?
These
are
kind
of
the
same
question
because
you
really
like
this
is
a
building
block
and
the
needs
of
you
know
a
Bank
to
to
take
one
example
are
going
to
be
different
from
the
needs
of
an
open
source.
You
know
ecosystem
right
like
these.
Are.
These
are
very
different
organizations.
B
Very
different
individuals
involved
in
the
organization
sometimes
overlap,
but
you
know,
and
and
so
like.
If
I'm
a
company
I
can
require
that
all
of
my
employees
carry
you
know
an
ID
card
or
something
like
that:
I'm
npm
or
Pi
Pi,
one
of
these
open
source
package
repositories,
I
can't
really
require
you
know
that
of
of
people
I
can
I
can
maybe
recommend
it.
B
I
can
maybe,
in
some
cases,
pepei
did
a
really
great
initiative
to
to
kind
of
roll
out
two-factor
off
on
a
lot
of
their
the
most
popular
packages
and
I
think
the
it's
possible
that
they'd
extend
that
in
the
future
to
to
Encompass
even
more
people
but
the
need.
We
want
this
to
be
a
building
block
that
you
can
use
to
address
the
needs
of
your
organization,
because
the
needs
of
every
organization
and
ecosystem
are
totally
different.
B
B
So
they
said.
Can
we
prevent
just
that
kind
of
attack?
We
don't
have
to
solve
the
world
right
now
to
prevent
just
that
kind
of
attack
and
there's
a
an
accepted
proposal
in
npm
to
do
exactly
that.
To
require
that
when
you
publish
your
npm
package,
it
comes
along
with
a
note
from
a
trusted
build
environment.
So,
like
Circle
CI,
try
to
say
I,
you
know
GitHub
actions.
E
B
E
B
E
B
B
E
E
A
B
Of
the
important
granular
control
and
who
said
it
too,
and
in
this
case
the
build
environment,
though
that's
not
really
a
person-
is
kind
of
the
actor
that
that
we
care
about.
So
then
that
build
environment
is
going
to
sign
it
and
that's
a
weird
thing
to
conceptualize
right,
because
it's
not
a
person
but
like
it's
a
an
actor
in
the
system
and
and
so
if
that
build
out
of
station
Sig
store,
enables
signing
that
build
data.
B
Station
right
I
can
create
that
build
data
station
right
now
on
my
laptop
by
typing
it
into
into
a
text
file.
What
six
girl,
let's
just
do,
is
to
say
hey.
We
have
this
attestation,
let's
like
it,
can
be
signed,
and
then
you
can
trust
that
the
person
who
signed
or
the
actor
that
signed
it
actually
vouches
for
for
the
attestation.
B
B
A
C
So
it's
more
of
a
basis
of
within
this
example
I
want
to
ensure
that
it's
going
by
the
Builder,
that's
the
reason
I
want
it
to
go
via
the
build
service
is
because
we've
built
up
Security
in
our
build
service
external
to
six
store,
but
we've
made
sure
that
it's
hardened
we've
made
sure
that
it's
difficult
to
attack
compared
to
someone's
laptop.
So
if
I
built
something
on
my
laptop
there's
lots
of
dependencies
on
here,
I'm
on
my
home
network,
there's
lots
of
things
that
could
potentially
go
wrong.
C
So
that
claim
is
happening
at
that
stage
inside
that
build
service
in
this
example
and
we're
we're
seeing
with
this
claim
that
it's
happening
at
this
moment
in
time,
the
identity
that
we
have,
if
we're
using
Circle
CI,
for
example-
or
let's
say
you,
have
actions
the
GitHub
action,
the
identity
in
there
would
be
I'm,
trusting,
GitHub
and
so
GitHub
then
trusts
great
Hub
of
the
same
to
me.
If
you
trust
me,
you
can
trust
that
this
machine
identity
is
a
GitHub
action
identity.
So
from
that
basis,
I
can
say
well.
C
D
B
A
B
Saying
something
is
sufficient
for
me
to
trust
it,
because
if
I
know
Lewis
is
a
liar,
maybe
I
I,
don't
trust
that
artifact.
But
if
I,
if
I
you
know,
have
a
good
relationship
with
Lewis
as
I.
Do
then
in
fact
you
know
I
will
I
will
take
that
that
signed,
claim
from
Lewis
and
I
say:
okay
great,
then
I
am
happy
to
run
this
on
on
my
production
environment.
So.
C
And
let's
just
take
a
first
of
all,
thank
you
for
that
Zack
and
I
needed
that
today,
but
let's
also
just
take
that
back
just
all
the
way
back
to
the
other
side
of
the
screen.
When
we're
just
saying
how
do
we
identify
these
people?
So
it's
like
utilizing
either
Google,
where
you've
got
multi-factor
authentication
GitHub,
where
you've
got
multicult
Authentication,
so
that
when
we
know
that
we're
issuing
virus
identity,
then
that's
given
us
trust.
That's
where
our
trust
is
building,
so
that
identity
is
strong,
yeah.
C
I
I
was
just
gonna
and
I'll
do
my
lights
level
before.
If
we're
going
back
to
our
driving
sorry,
our
driving
licenses
in
the
UK,
we
have
our
date
of
births
on
there
and
that's
usually
used
to
get
into
nightclubs,
and
so
that
is
a
testing
that
I
am
who
I
am
just
got
my
date
of
birth,
which
is
my
claim
now.
The
policy
in
the
UK
is
is
that
I
need
to
be
18
or
over
to
be
able
to
enter
the
nightclub.
So
that's
a
policy
in
the
UK
in
the
US.
C
C
A
A
B
D
B
Earlier
at
the
top,
so
open
AI,
which
is
the
company
behind
you,
know,
GPT,
and
all
that
had
a
a
little
bug
which
is
actually
extremely
bad
for
privacy,
where
I
would
log
in
and
I
could
see.
Total
strangers
is
like
the
titles
of
the
conversations
that
they
had
with
with
chat
GPT.
So
you
you
log
into
chat
gbd,
you
say
new
new
conversation,
you
give
that
a
title,
and
then
you
start
typing
things
to
and
from
chat
kpt
so
like
this
could
be
sensitive
right.
B
F
D
B
Under
the
bus-
some,
you
know-
probably
possibly
you
know-
volunteer
open
source
maintainer,
who
just
did
something
in
their
spare
time
now.
Your
many
billion
dollar
company
exposes
a
bunch
of
private
user
information
and
you're
trying
to
put
it
on
on
this,
like
volunteer
effort
and-
and
so
it's
caused,
I
think
a
little
bit
of
a
controversy
there
and
so
I
think
the
questions
just
get
your
thoughts
on
yeah,
so
I
can
tell
you.
Six
door
is
not
going
to
prevent
that
kind
of
an
issue
right.
B
D
A
B
And
a
lot
of
this,
a
lot
of
this
hasn't
been
really
tested
in
court.
But
if
you
read
any
of
these
open
source
licenses
that
that
folks
publish
libraries
under
they
all
have
this
phrase
in
it
without
warranty,
you
know
this.
This
software,
prod
product
or
library
or
whatever
it
is,
is
presented
without
warranty.
B
B
And
so
the
the
current
presidential
Administration
is
is
experimenting
with
proposing
rolling
out
policies,
not
not
these
kinds
of
policies,
but
but
legal
policies
around
liability
for
software
that
you're
consuming
and
saying
like
well
like.
Okay,
maybe
you
know
we
can
come
up
with
something
reasonable
where,
if
you're
paying
a
company
for
a
license
and
then
that's
why
it
breaks
you
could
like
they're
the
one
who's
liable.
But
if
it's
free
and
that's
you
know
the
relationship
you
have
with
the
maintainer,
is
you
just
downloaded
something
off
the
internet?
B
Yeah
they're
they're,
not
at
fault,
so
I?
Think
of
of
this
class
of
bug
as
absolutely
a
software
supply
chain
security
problem,
it's
different
right
than
the
problem
of
getting
something
malicious
or
getting
something
from
someone
different
than
what
you
expected.
But
it's
it's
absolutely
the
same
class
where,
like
I
downloaded
some
software
included
it
in
my
application
and
because
of
that
software,
not
because
of
software
that
I
wrote,
I've
compromised.
A
Wonderful,
thank
you
for
that.
Do
you
have
any
nuggets.
You
want
to
hide
on
the
board,
Louis
or
or
the
last
thing
we're
going
to
do
to
close
out
the
show.
Well,
two
things
one
is
the
first
one
is
I'm
going
to
recap.
Everything
yellow
taught
me
today
to
make
sure
that
we
have
a
clear
understanding
of
everything,
but
I
wanted
to
see.
If
you
want
me
to
add
anything
to
the
board
Lewis
before
I.
Do
that
no.
C
I
think
the
board
is
fantastic
in
itself.
This
is
also
going
through
this.
It
helps
me
understand
more
about
it's
a
tough.
It
can
be
tough
to
get
started
with
these
things,
but
the
way
that
I
see
the
Samsung
volleyball
in
talking
about
chat
gbt
there
I
haven't
looked
into
it
myself,
but
thinking
that
I
have
now
after
using
six
stories,
is
that
well
with
using
chat
gbt.
Where
is
this
data
models
coming
from
and
who
is
authorizing
her
because
this
is
a
risk?
C
I'd
say
wears
a
case
of
if
these
data
models
have
been
corrupted
or
if
I,
if
I
put
in
a
base
image
for
a
Docker
file
that
I've
actually
owned
and
then
touch
EBT
recommends
me
using
this
base.
Image
and
I
put
my
trust
into
chat
GPT.
What
happens
there,
and
this
isn't
a
case
of
how
this
we
don't
all
need
to
go
away
now
and
make
tin,
foil
hats,
and
then
just
wait
for
everything
to
blow
over.
But
the
basis
of
this
is
I.
C
B
C
Isn't
any
more
cognitive
load
onto
our
already
stretched
areas
and
using
this
now
it
helps
us
to
improve
our
posture
for
a
future
yeah,
so
I
hope
I've
said
enough.
There
might
be
nuggets
somewhere
in
there,
but
I
think
the
main
thing
is
at
the
start
is
just
I'm
a
firm
believer
nowadays
for
this
best
to
get
the
conversation
started,
it's
best
to
write
a
line
of
documentation
and
ask
someone
to
review
it
to
get
their
opinion,
not
just
to
have
that
Health
in
your
head
and
it's
the
same
with
security
I.
C
Don't
think
you
should
be
waiting
for
someone
else
to
come
and
say
maybe
we
should
be
more
secure,
I
think
it's
important
that
when
you
see
something
that
doesn't
feel
right
or
doesn't
look
right
or
you
think
actually
this
might
not
work
out
well,
I
think
it's
important
that
we
improve
and
Harden
our
systems,
our
industry,
because
you
can
go
on
hack
and
use
most
weeks
and
then
you
can
see
something
else.
That's
going
wrong
in
the
world,
so
we
just
need
to
start
heading
hardening
in
place
and
this
isn't
a
silver
bullet.
A
All
right,
I'm
going
to
jump
in
on
this
recap:
let's
see,
let's
see
how
we
did
so
the
world
before
six
store
people
weren't
using
all
available
available
security
software,
and
that's
because
it
was
really
hard
to
implement
and
hard
to
understand
and
hard
to
use
so
they're.
All
because
of
that
assumptions
are
being
made.
That's
that
software
suppliers
are
who
they
say
they
are,
and
those
software
that
are
software,
that's
built
on
top
of
other
software,
is
making
assumptions
about
the
underlying
software.
A
To
reiterate
this
is
difficult
to
understand,
but
it's
really
easy
to
implement
and
use
which
is
actually
one
of
the
problems
we're
solving
here
is
like
it
was
hard
before
so
people
weren't
doing
it.
Six
store
aims
to
make
it
an
easy
user
experience,
so
so
six
store
uses
digital
identity
providers
that
are
already
in
place.
First
of
all,
so
in
doing
so,
we
use
Gmail
as
an
example
or
GitHub
as
an
example,
and
so
it
can
do
that
again
with
both
humans
and
with
processes,
humans
and
robots.
A
So
Zach
can
get
a
six-story
certificate
by
authenticating,
with
Gmail
or
GitHub.
Additionally
GitHub
actions,
a
specific
action
can
get
a
safe
Source
certificate
with
which
identifies
the
workload.
Also
so
two
examples
of
that,
and
then
thickstore
does
this.
The
automation,
I
think
is
important
to
mention,
because
it
is
what
underlies
it
being
easy
to
use.
A
So
an
attestation
makes
a
claim
about
the
digital
artifact,
usually
the
trustworthiness
of
the
origin,
and
then
the
signature
verifies
the
attestation
so
for
an
artifact
to
be
signed,
there's
an
out
of
six
an
out
of
station
and
then
there's
a
Sig
store
certificate
that
signs
the
attestation
and
that's
called
the
the
signature
or
that's
what
it
means
for
an
artifact
to
be
signed.
So
to
get
into
that
a
little
more
one
thing:
that's
really
cool
about
six
door.
A
Is
that
the
the
the
pki,
the
public
key
infrastructure
signature
that
it's
using
is
ephemeral,
so
the
private
public
key
pair
is
made
just
to
sign
the
certificate
and
then
it's
thrown
away.
So
then
you
don't
need
to
manage
the
key.
The
search
don't
need
to
be
renewed
and
they're
actually
only
valid
for
a
very
short
window
and
the
signature
happens
within
that
short
window
and
then,
when
a
verifier
is
verifying
that
something
is
signed.
One
of
the
things
that's
verifying
is
whether
that
signature
happened
in
that
short
window.
A
So
this
there's
a
a
few
different
like
sub
projects
of
sing
store
that
we
talked
about
so
there's
the
full
Co,
which
is
the
CA
and
signature
and
then
the
recore.
That's
adding
the
time
stamp
to
the
signature
of
the
attestation
so
to
Jump
Ahead
a
bit
I
want
to
verify
when
a
verifier
is
verifying
they're,
verifying
both
that
time
stamp
and
that
the
stake
store
certificate
is
signed
by
full
Co
in
particular.
A
It's
not
it's
not
saying
anything
about
the
actual
truth
of
Zach's
statement,
but
it
is
saying
that
if
you
trust
Zach,
you
can
trust
that
Zack
signed
this
attestation
so
and
in
practice
the
way
these
are
consumed.
Is
that
all
three?
If
it's
a
container
image,
then
all
three
artifacts
exist
in
the
registry
and
then
the
image
part
of
the
it's
an
oci
compliant
image
and
in
the
metadata
it
points
to
the
two
other
artifacts.
A
A
You
can
do
that
and
you
can
see
those
additional
the
attestation
in
this
in
the
Sig
store
certificate
and
then
verify
that
it's
a
good
one,
so
so
yeah.
So
the
images
can
be
verified
as
part
of
the
pooling
process.
But
there
are
many
types
of
artifacts
where
all
of
which
can
be
signed.
There
are
very
many
types
of
verifying
tools
and
many
types
of
verifying
strategies,
so
yeah.
This
is
great,
so
the
the
so
then
the
question
is:
why
do
you
trust
Sig
store
like
and
if
you
trust
the
extra?
A
The
big
reason
is
transparency,
so
Allstate
store
actions
are
public,
so
every
time
it
makes
it
signs
something.
It
is
a
public
thing
so
and
this
so
you
can
check
that
the
six
or
certificate
and
time
stamp
are
both
in
the
public
record
and
that
should
be
the
part
of
the
verifying
process.
So
but
you
don't
need
to
worry
that
that
your
proprietary
information
is
in
the
public
record.
It
has
metadata
only
and
then
yeah
the
verifiers
check
the
public
record.
A
We
talked
about
cosine,
that's
a
tool
that
handles
containers,
specifically
container
signing
and
verifying,
and
then
we
opened
this.
We
just
barely
opened
a
can
of
worms
about
policies.
So
with
six
store
you
can
create
policies
that
basically
answers.
The
question
like
who
needs
to
have
said
what,
in
order
so
the
example
we
had
was
there's
a
build
at
a
station
that
says
that
Lewis
says
that
I
built
this
artifact
from
the
source
code
in
this
build
environment,
then
the
policy
is
to
trust
Lewis
to
make
that
a
build
attestation.
A
B
B
B
Regular
deck
of
cards,
you're
gonna
have
to
trust
me
on
that
look
at
this
card.
This
is
your
card.
It
was
the
the
top
card
on
the
deck.
The
seven
of
Hearts
I'm
gonna,
put
it
back
down
on
the
deck.
Put
that
seven
of
Hearts
right
in
the
middle
put
it
back.
All
the
way
in
Lewis
is
going
to
run
cosine
sine
and
then
all
of
a
sudden
boom.
It's
back
on
top.