►
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Life of a Sigstore Signature - Jed Salazar & Zack Newman, Chainguard
Recently, Kubernetes SIG-release announced that the official Kubernetes container images have adopted Sigstore code signing to protect the supply chain of millions of downstream users. Sigstore, an open-source project aiming to be the LetsEncrypt of code signing, allows Kubernetes users to validate that their images came from the simple, free, and trusted official supply chain. But how does Sigstore actually work? What happens behind the scenes when I sign an image? Why should you even trust it? This talk follows the life of a Sigstore signature for your container image. On this journey, you’ll encounter keyless code signing, certificate authorities, and transparency logs. You’ll also configure an admission controller to create a signing security policy for your clusters.Our request hits every Sigstore component and you’ll stop to learn how they work, from the cryptographic and architectural levels, and discover how Sigstore mitigates supply chain attacks.
A
So
I
don't
think
we
need
to
give
much
of
an
introduction
to
what
is
Sig
store
here,
but
I
think
this
talk
is
really.
You
know,
principled
around
the
idea
that
maybe
six
door
is
new
to
you.
So
for
those
of
you
in
the
room
who
are
probably
already
you
know,
familiar
or
invested
in
the
Sig
store,
this
you
know
is
probably
was
probably
your
journey
at
some
point,
but
I
think
we're
targeting.
A
So
this
is
really
kind
of
like
preface
by
my
personal
experience
when
you
know
early
on
in
my
it
career
I,
you
know
was
learning
networking
and
I.
You
know
kind
of
read
about
the
you
know,
seven
layer,
burrito
or
the
OSI
stack
or
whatever,
and
you
know
tried
to
really
grok
what
was
going
on
by
looking
at
layers
and
things
like
that.
A
So
the
way
that
we
did
this
is
we
basically,
you
know
Zach
added
a
few
lines
of
code
and
you
know
created
a
basically
a
fork
of
cosine
that,
instead
of
actually
having
these
things,
just
exist
in
in
memory
when
you
run,
you
know
a
cosine
signature
to
actually
dump
them
out
to
disk
right.
So
like
we
actually
have
these
artifacts
around,
we
can
inspect
them.
A
A
So
this
is,
you
know.
Basically,
you
know
what
we
did
and
in
this
case
we
actually
just
signed
this.
This
blob
of
you
know
hello,
sigster
con
and
you
know.
Fortunately,
we
don't
need
this
cosine
experimental
flag
anymore,
due
to
the
cosine
being
GA,
which
is
great,
but
you
know
again.
The
key
piece
here
is
that
you
know
when
you
run
through
these
steps
that
are
that
are
recreatable.
A
A
A
A
You
can
set
up
policies
around
it.
You
can,
you
know,
trust
certain
identity
providers
and
things
like
that.
But
at
the
end
of
the
day
that
oidc
is
just
going
to
come
back
with.
You
know
a
jot
that
you
know
is
basically
going
to
help
us
take
that
identity
and
actually
do
something
with
it.
So
when
we
get
back
that
oidc
token,
what
we
get
back
is
basically
a
you
know:
base64
encoded,
you
know
Json
document,
and
that
includes
a
header,
a
payload
and
a
signature,
we'll
kind
of
walk
through
these.
A
So
you
know,
we've
talked
to
the
identity
provider.
We've
you
know
done
the
sign
in
with
Google
flow,
we've
convinced
them
that
you
know
we
actually
own
our
identity
and
when
we
get
that
job
back.
When
we
look
at
the
header
there's
a
couple
things
going
on
right
and
the
question
that
we're
asking
ourselves
here
is:
like
you
know:
how
should
the
verifier,
which
in
this
case
is
fulsio
the
certificate
Authority
actually
check
the
jot
that
actually
gets
assigned
to
us
or
token?
A
So,
if
we
take
a
look
at
the
header,
we
can
see
that
first
off.
It
needs
to
know
that
the
algorithm
to
verify
this
is
you
know,
RSA
256,
there's
also
a
key
ID,
which
is
helpful
for
us
to
kind
of
locate
which
public
key
we're
actually
going
to
be
verifying
against.
This
is
in
case,
like
you
know,
Google
or
whatever
my
identity
provider
is
decides
to
actually
rotate.
A
Here
is
this
issuer
attribute,
and
this
basically
tells
us
that
you
know
the
issuer
is
oauth
2.64.dev,
but
in
this
case
it's
actually
referring
to
to
Dex
right
I
just
mentioned
that
you're
using
the
Google
kind
of
sign
in
flow
as
one
example,
but
we
actually
use
Dex
for
reasons-
and
you
know
we
can
discuss
those
if
you're
interested
definitely
feel
free
to
ask
questions.
But
beyond
that
we
have
a
couple
of
really
interesting
attributes
about
jobs.
A
One
is
this
audience
component,
and
this
defines
that
you
know
the
audience
is
Sig
store,
so
when
we,
when
we
give
you
this
jaw,
that
means
that
you
can't
reuse
this
to
log
back
into
Google
or
take
your
Google
credential
and
go
authenticate
to
any
old
service
right
like
the
idea
is
that
we
we
scope
that
audience
down
to
only
be
valid
for
Sig
store,
which
is
an
important
certain
security
attribute
there.
There
do
be
dragons
here
right,
like
there's
some
components
with
certain.
A
You
know,
implementations
of
job
that
you
know
might
not
parse
this
correctly,
but
there
are
additional
protections
here
right.
One
is
that
we
have
this
expiration
date
and
if
we
actually
kind
of
zoom
into
this,
we
can
see
that
this
jot
is
only
valid
for
one
minute.
So
the
risk
of
this
leaking-
and
you
know,
causing
a
very
bad
day
is,
is
you
know
diminished
by
that
that
short
time
of
validity?
A
You
know
those
values
and
we
just
didn't
really
want
it
to
leak
so
cool.
So
so
far,
we've
talked
to
the
oidc
provider,
we've
validated,
who
we
are
so
we
you
know.
Google
has
told
us
that
you
know
this
is
Zach.
We
got
back
a
jot
and
that
jot,
you
know,
was
basically
scoped
down
so
that
we
could
only
do
six
door
things
with
it.
Next,
what
we're
going
to
do
is
we're
actually
going
to
generate
a
Certificate
request
right.
A
B
B
So
this
is
a
long
document
and
what
we're
doing
is
we're
printing
it
out
using
a
tool
called
Step,
which
is
a
very
handy
way
to
look
at
a
certificate,
and
so
we're
just
going
to
run
through
the
highlights
so
very
similar
in
many
ways
to
the
job
that
we
saw
before
the
issuer
here
is
sigstore.dev
and
we're
actually
coming
through
Sig
store
intermediate
node
in
in
the
middle
like
the
jot.
If
you
look
at
the
validity,
it's
only
valid
for
a
very
short
period
of
time.
B
This
is
one
of
the
key
security
guarantees
we
give
you
with
Sig
store
is
that
the
risk
of
a
private
key
actually
leaking
is
is
mitigated
because
the
certificates
that
we're
issuing
are
only
around
for
for
10
minutes.
So
after
10
minutes,
such
a
key
is
going
to
be
pretty
useless
and
then
there's
there's
usual
stuff.
That's
in
every
certificate.
The
public
key
and
so
on.
B
If
we
go
to
the
next
page,
you
can
see
you
can
see
some
fun
stuff.
So
there's
my
email
again,
so
Sig
store
basically
took
my
email
from
the
jot
and
it
stuck
it
in
as
the
subject
alternative
name,
which
is
sort
of
for
convoluted
reasons.
The
way
you
specify
the
name
of
the
party
that
has
been
granted
the
certificate.
We
also
have
all
these
fun
numbers
right
below
it.
Those
are
an
x509
extension
registered
to
the
Sig
store
project.
B
That
indicates
what
the
identity
provider
used
as
the
source
of
the
identity
that
wanted
that
wound
up
in
the
sand
is
so
in
in
when
you're
going
to
verify
this
very
typically,
you
want
to
know
who's
signing,
but
also
who
says
that
that
person
controls
this
this
public
key,
so
zjn
at
chain
guard.dev
as
a
as
a
tested
to
by
accounts.google.com,
much
much
more
convincing
than
zjan
chain
guard.dev
as
a
tested
tube
by
Neopets
the.
So
the
next
thing
we're
gonna
we're
gonna
highlight
is
the
SCT.
B
This
stands
for
assigned
certificate,
timestamp
again
we're
going
to
gloss
over
many
of
the
details
of
certificate.
Transparency
here,
but
this
is
basically
a
receipt
from
the
certificate
transparency
log
that
says
I
the
certificate
transparency
log
have
seen
this
corresponding
cert
and
it's
gotten
a
company
in
signature
and
then,
finally,
at
the
very
end
of
the
certificate,
you're
going
to
see
a
signature-
and
this
is
actually
a
signature
from
that
full
Co
intermediate
node.
B
Great.
So
now
we
have
our
certificate:
let's
go
ahead
and
sign
something,
and
typically
what
you're
doing
in
six
door:
you're
not
just
signing
the
the
naked
bytes
of
the
image
or
the.
In
our
case,
the
data.txt
file,
you
sort
of
have
to
format
that
in
a
little
bit
of
an
envelope-
and
that's
that's
going
in
the
API-
something
that's
referred
to
as
a
proposed
entry.
B
So
there
are
a
bunch
of
different
types
here,
we're
looking
at
the
default
type
for
assigning
an
artifact
in
in
cosine,
which
is
called
a
hashed
record.
So
a
lot
of
base64
nonsense
that
I
don't
expect
you
to
be
able
to
read
but
I
I'm
illustrating
for
you
what
what
these
things
are.
So
this
envelope
is
going
to
mention
the
hash
of
our
artifacts.
So
if
you
see
that
that
value
right
there
at
the
top,
if
you
run
shot
256
some
on
that
data.txt
file,
we
created
earlier
that
said,
hello,
six
doorcon!
B
That's
what
you're
going
to
get!
Finally,
you're
going
to
get
a
signature
over
that
data,
the
data
in
the
hash
that
validates
against
the
public
key
that
we
just
generated,
and
that
goes
in
our
x509
certificate,
so
remember
the
x509
cert
had
a
had
a
you
know,
public
key
in
there.
That's
that
if
you
take
that
public
key,
you
can
use
that
to
validate
the
signature
over
that
data
and
then
finally,
we
actually
stick
that
entire
certificate
in
here,
under
the
slightly
misleadingly
named
public
key
dot
content
field.
B
This
is
actually
a
base64
encoded
version
of
that
certificate
that
we
just
saw
so
then
record
is
going
to
take
that
proposed
entry.
It's
going
to
make
sure
that
the
signature
checks
out
and
then
it's
going
to
return
to
use
something
called
assigned
entry
time
stamp,
and
so
this
this
is,
we
started
in
log
entry.json.
B
B
The
astute
Observer
might
note
that
there
are
like
triple
or
quadruple
base
64
encoded
things
in
there
by
this
point.
That's
you
know,
that's
just
how
life
goes.
Sometimes,
there's
also
an
integrated
time.
So
remember
we
we
made
a
big
deal
earlier
about
how
the
public
key
was
only
going
to
be
valid
for
10
minutes.
Does
that
mean
you
can
no
longer
validate
an
artifact
after
10
minutes?
That
would
be
very,
very
annoying
and
make
this
a
pretty
useful
system.
So
no,
you
actually
can
validate
things
after
after
10
minutes
after
the
certificate
has
expired.
B
What
you
do
is
you
check
that
the
signature
was
made
during
the
lifetime
of
the
certificate,
and
so
that's
this
integrated
time
here
right
now
record
is
typically
the
source
of
this
time.
There's
some
some
fun
ongoing
work
to
allow
you
to
plug
in
a
timestamp
Authority
following
a
protocol
like
RFC,
3161
or
rough
time,
and
use
that
instead
or
in
addition,
yeah
and
then
finally
we're
going
to
look
at
this
verification
stuff.
This
is
information
that
you
can
use
to
cryptographically
check
that
that
log
entry
that
we
we
submitted
actually
wound
up.
B
Inside
of
recore,
and
unfortunately,
don't
have
time
to
to
go
into
what
a
Merkle
tree
is
how
a
transparency
log
works,
but
this
is
sufficient,
basically
cryptographic
information
that
you
can
check.
Okay,
all
this
stuff
wound
up
inside
of
record
and
then
finally,
we
have
the
signed
entry
timestamp,
which
for
the
for
the
lazy
or
for
the
offline.
If
you
don't
want
to
go
and
do
that
check
all
the
way
back
up
to
recore,
you
can
just
take
recourse
word
for
it.
B
B
B
You
know
it's
just
about
getting
sort
of
the
data
that
certificate
that
signed
entry
time
stamp
and
then
the
signature
over
the
data
getting
all
of
that.
To
the
end
user,
who's
going
to
verify
it
and
there's
some
some
ongoing
work
to
turn
those
four
things
into
one
thing:
we're
going
to
call
a
bundle
shout
out
to
Frederick
who's
been
working
really
hard
on
a
on
a
specification
for
that
and.
A
B
A
B
Yeah
yeah
and
so
for
those
who
don't
have
the
luxury
if
you're
working
on
the
integration
with
a
package
manager,
I
see
a
couple
of
folks
in
the
room
who
are
doing
that
right
now,
you're
going
to
have
to
unfortunately
take
care
of
this
step
forward
yourself,
but
all
that
is
is
pushing
bits
around.
There's
no
fancy
cryptography.
The
fancy
cryptography
happens
before
and
at
the
end,
where,
where
folks
are
verifying,
speaking
of
this
is
kind
of
the
reverse
of
that
process.
B
This
is
what
a
verifier
has
to
check
and
it
seems
kind
of
complicated
right.
Six
steps
is
a
large
number
of
steps,
but
but
you'll
actually
see
these
correspond
pretty
closely
to
the
steps
we
took
when
creating
all
of
this
so
you're
going
to
check
that
the
signature
is
from
who
you
think
it's
from
the
way
you
do,
that
is
by
looking
at
the
certificate
check
the
subject
and
the
issuer
of
the
certificate.
B
So
if
you
trust
universally
artifacts
for
me-
which
maybe
you
should
maybe
you
shouldn't-
but
but
you
can,
you
can
sort
of
check
for
a
subject-
alt
name
that
says
dj.changard.dev
in
an
issue
or
accounts.google.com
you're,
going
to
check
that
that
certificate
is
valid,
that
it
validates
against
falsio's
public
key
that
fulsio
public
key
again.
You'll
have
gotten
via
tough,
so
refer
back
to
the
to
the
tough
talk
earlier
in
the
day,
you're
going
to
check
that
the
signature
on
the
log
entry.
B
So
that's
where
you
get
that
time
stamp
from
is
valid
for
the
sorry,
the
signature
in
the
log
entry.
So
that's
the
signature
on
the
actual
data
itself
is
valid
for
the
public
key
in
the
certificate
you're
going
to
check
that
the
log
entry
time
stamp
is
signed
by
recore
you're,
going
to
check
that
the
timestamp
was
during
the
window
in
which
the
certificate
was
valid.
And
finally,
this
is
actually
really
important
and
really
easy
thing
to
forget
to
do.
B
You're
going
to
check
that
the
data
that
was
signed
is
actually
the
data
that
you
care
about.
So
it
doesn't.
Do
me
any
good
to
check
all
of
these
things
and
then
do
not
say
oh
by
the
way.
You
know
I
I
validated
this
over
here
and
I'm,
going
to
use
this
totally
unvalidated
blob
and
run
that
you've
got
to
actually
match
up
the
thing
you're
running
or
the
thing
you're
downloading
to
the
to
the
log
entry
yeah.
B
So
at
this
point,
hopefully
this
has
demystified
and
I
use
that
word
very
deliberately
a
little
bit
about
how
sex,
storing
cosine
work.
It's
not
magic
right.
All,
that's
just
bits
and
bytes
and
I,
see
see
Bob
in
the
audience
here.
I
would
I
would
encourage
you
if
you
want
to
learn
more
there's
going
to
be
a
blog
post
version
of
this,
which
is
cool.
B
If
you
want
to
go
even
deeper,
there
is
a
link
which
I
know
you
cannot
click,
but
if
you
just
Google
it
it'll
it'll
pop
up
Sig
store
the
bashway,
which
basically
takes
you
through
this
very
like
bits
and
bytes
approach
to
how
Sig
store
actually
works,
but
totally
on
the
command
line.
You
compose
all
these
Json
documents
yourself
and
like
any
good
cryptography
security
project.
B
If
you
screw
up,
it
just
fails
and
it
doesn't
tell
you
why
it
failed,
but
but
it's
a
really
instructive
exercise,
I
think
to
go
to
through
sort
of
the
next
level
of
of
take
it
apart
to
understand
how
it
works.
Yeah
we
hand
waved
over
a
bunch
today
happy
to
take
questions
offline
about
sort
of
decks
and
why
there's
a
transparency
log
and
how
that
works
and
so
on,
but
hopefully
this
this
sort
of
took
you
from
having
this
abstract
understanding
of
how
this
all
all
works.
B
A
B
Yeah
yeah
yeah,
so
the
10
minute
window
is
going
to
start
when
fulsio
creates
that
x509
insert
and
it's
going
to
go
for
the
next
10
minutes.
So
you
better
get
that
proposed
entry
in
the
next
step
to
recore
within
those
10
minutes,
otherwise
that
time
stamp
is
going
to
be
outside
of
that
window.
Fortunately,
the
typical
time
that
this
takes
is
like
a
couple
of
seconds,
so
so
10
minutes
is
a
pretty
big
grace
period.
A
B
A
B
For
ecore
right
now
record
is
actually
quite
Speedy
due
to
a
bunch
of
things,
including
the
the
sharding
work,
which
is
which
has
sort
of
sped
things
up
quite
a
bit,
and
so
we're
not
worried
about
that.
But
you
know
in
a
the
long
long
term
we
might
worry
about
okay,
maybe
recore
is
eventually
consistent.
It
takes
a
while
for
things
to
get
integrated,
so
we
want
that
time
stamp
to
happen.
You
know
we
we
think
10
minutes
is
kind
of
a
good
middle
ground
between
you
know.
B
B
Yeah
yeah
yeah.
That's
that's
a
really
really
good
question.
The
the
sorry
oh
yeah
Greg.
That's
a
really
good
question
which
I'm
going
to
repeat
right
now.
The
question
was:
when
you're
verifying?
How
do
you
know
what
the
subject
that
you're
supposed
to
be
checking
is,
and
in
particular,
how
do
you
know
what
the
issuer
is
for
that
subject?
B
So
this
is
the
sort
of
really
unhelpful
answer
I
could
give.
You
is
that
this
is
out
of
scope
for
Sig
store
and
it's
a
really
unhelpful
answer
and
that's
that's
sort
of
not
where
we
want
to
go
in
the
long
term,
but
but
basically
sigster
handles
the
mapping
the
identity
to
the
artifact
leg
of
things.
We
would
strongly
encourage
you
to
look
at
something
like
tough
for
doing
the
delegation
for
that
for
that
artifact.
So,
in.
A
B
Closed
ecosystem
in
your
own,
like
in
an
organization,
that's
your
own
company,
you
might
have
one
party
that's
in
charge,
you
know
one
service
or
one
individual
or
one
team,
that's
in
charge
of
signing
all
the
artifacts.
In
that
case,
you
can
sort
of
hard
code
at
the
verification
site.
The
a
verification
policy
that
says
every
artifact
I
run
must
be
signed
by
a
security
team
at
mycompany.com,
I'll
I'll
pick
on
pick
on
William,
because
I've
seen
the
audience
here.
B
X
maintainer
Y
is
trusted
to
sign
that
and
the
reason
I've
I've
been
sort
of
so
pedantic
about
also
always
putting
the
issuer
there
is
that
I
think
you
should
consider
an
identity
to
be
a
tuple
of
sort
of
you
know
an
email
or
a
username,
comma,
the
issuer
of
that
identity,
so
zjan
chain
guard.dev,
as
attested
to
by
accounts,
as
opposed
to
yeah
or
Neopets.
If,
if
that's,
who
you
really
really
want
to
base
base
the
root
of
Trust?