►
From YouTube: What is sigstore? The future of supply chain security?
Description
Curious about cloud-native supply chain security? Heard of sigstore but not sure what it means for you? Check out this video where I lay bare the technologies and how they work within Sigstore
Links
- https://www.sigstore.dev/
- https://github.com/sigstore/cosign
Timecodes:
0:00 Introduction
0:22 What is supply chain security anyways?
7:38 How does it work?
11:18 Demo of cosign
A
What
is
project
six
store?
That's
the
question.
Everyone's
been
asking
supply
chain
security,
kubernetes
Cloud
native
all
of
these
things,
and
how
do
they
coalesce
together
today,
I'm
going
to
run
you
through
the
project?
Talk
to
you
about
some
of
the
constituent
parts
and
hopefully
you'll
be
that
much
closer
to
understanding
what
this
all
means
for
the
future
of
security.
A
Hi
there
welcome
before
we
get
started
on
what
is
sex
store,
I
wanted
to
take
a
step
back
and
look
at
what
is
supply
chain
security.
Full,
stop,
I!
Think
a
lot
of
folks
have
some
questions
around
it.
It's
unclear
exactly
where
it
begins
and
where
it
ends
and
also
what
are
the
attack.
Vectors
am
I
affected
and
is
the
whole
thing
fraught
with
Danger.
Let's
just
look
into
this
as
an
illustration
and
just
make
sure
that
we
understand
what
some
of
the
key
concepts
are
here.
A
I
think
one
of
the
reasons
it's
confusing
is
because
by
calling
it
supply
chain,
it
sounds
like
food
chain
and
food
chain.
Very
much
has
a
start
and
end
right.
You
have
the
top
of
the
food
chain.
The
bottom.
This
kind
of
chain
is
circular
right,
it's
more
like
an
aura
Boris,
it's
more
like
a
virtuous
cycle,
because
you'll
have
developers
of
code
consumers
of
code,
but
those
consumers
of
code
also
become
developers
of
code
right.
A
A
In
the
focus
of
this
video
I'm
going
to
be
pretty
simple
in
my
examples,
but
where
supply
chain
security
historically
has
been
very,
very
easy
to
exploit
between
the
joins
right.
So
let's
have
a
little
drawing
session
here,
I'm
going
to
show
you
what
I
think
are
some
of
the
really
easy
to
exploit
weak
points.
So
between
the
developer
and
the
distributor,
this
could
be
a
Helm
chart.
It
could
be
an
oci
image.
It
could
be
a
binary
right,
there's
a
weakness
here,
because
you
are
pushing
your
package,
your
beloved
code,
to
somebody
else's
Hub.
A
That
Hub
could
be
trusted
in
the
community,
but
if
that
Hub
has
been
falsely
represented
and
you're
pushing
your
code
somewhere
else,
somebody
else
now
has
your
code.
That's
one
entry
point.
Another
way
is
with
open
source
projects,
they
can
pull
your
code
right
and
they
can
build
it,
and
they
can
say
that
they
are
you.
They
can
make
changes
that
aren't
yours.
They
can
effectively
Fork
your
Repository
and
they
can
start
serving
your
software
with
malicious
intent
and
remember.
A
Software
supply
chain
doesn't
always
imply
that
the
other
side
of
that
a
bad
Act
is
by
intent,
provenance,
isn't
purely
to
sort
out
Bad
actors.
It's
also
to
make
sure
that,
from
a
government
from
a
legal
point
of
view,
you
have
the
provenance
who
produce
something.
Anyway.
Back
to
the
example,
you
have
this
first
weak,
join
when
you're
packaging
and
distributing
software.
You
have
the
ability
for
folks
either
to
falsely,
represent
you
or
to
host
it
in
a
manner
that
might
be
less
than
legitimate.
A
Equally,
as
a
user
I
mentioned
that
npm
example,
it's
very
easy
for
one
of
these
repositories
to
unbeknowingly
pull
a
package
that
isn't
the
right
one.
There
are
some
tips
and
tricks,
I,
think
that
have
come
out
over
the
past
few
years,
for
Bad
actors
to
inject
packages
into
certain
systems
and
for
users
to
polos
and
so
again.
The
second
big
issue
here
is
from
the
consumption
of
artifacts
in
that
supply
chain.
So
you
can
see
that
just
these
two
joins.
They
leave
a
lot
of
room
open
for
issues.
A
Let's
have
a
real
world
scenario
here.
Imagine
that
I
am
engineering
the
next
greatest
goal
line
package,
as
I
mentioned
now
that
package
I'm
Distributing
freely
on
a
software
Hub
right,
think
Debian
universe
or
something
similar
like
that,
and
somebody
else
is
pulling
it
in
and
they
want
to
be
able
to
work
with
it
and
they
are
going
to
build
their
business
off
of
that.
However,
somebody
in
my
team
decides
that
they're
going
to
merge
a
PRM
with
their
admin
rights
that
puts
a
Bitcoin
miner
or
some
other
utility
inside
of
that
software.
A
Now
the
problem
here
is
that
that
Universe
repository
that
I've
had
set
up
for
my
team.
They
think
that
everything's
all
good.
They
think
that,
because
I'm
a
trusted
supplier
that
I
can
be
trusted
to
push
things
out
on
my
own,
and
so
my
end,
users
consume
the
latest
update
and
they
suddenly
have
Bitcoin
miners
in
their
software
and
you
think
to
yourself.
Well,
how
could
we
have
worked
in
a
world
or
a
way
that
we
could
have
stopped
this?
Of
course,
there
are
always
going
to
be
PR.
A
Gates
there'll
always
be
automated
and
manual
processes
to
try
and
stop
this.
But
fundamentally
we
need
something
more.
We
need
the
ability
to
say
that
the
only
kind
of
artifacts
that
we
are
going
to
be
able
to
deploy
out
will
be
those
that
are
signed
by
the
authority
of
the
project
rather
than
an
individual,
committing
that
Shar
and
also
now
remember.
A
This
is
another
point
about
supply
chain
security
is
that
it
gives
you
incredible
forensic
information,
so
you
can
also
look
back
to
find
out
who
inserted
that
particular
Shah
well
and
that
particular
digest
will
tell
you
going
all
the
way
back
in
that
provenance
step.
So
there
are
several
useful
use
cases
there.
Now
it's
important
to
understand
that
part
of
the
challenge
here,
isn't
just
that
you're
trying
to
block
this
behavior
and
that
you're
trying
to
build
Gates
and
build
fortifications.
A
It
is
also
the
fact
that
you're
trying
to
build
a
bunch
of
different
ways
of
dealing
with
this.
There
are
multiple
different
types
of
standard
out
there
in
the
wild,
and
that
is
really
where
we
see
the
projects
like
six
store
are
starting
to
make
a
huge
impact
on
pulling
a
Consortium
of
different
vendors
together
and
saying
hey.
How
can
we
tackle
this
all
together
and
the
answer
to
that
question
is
six
door.
It
is
hosted
as
an
incubating
project
within
the
cncf.
A
What's
really
great
about
this
is
that
vendors
and
end
users
come
come
together
and
build
in
public.
In
fact,
one
of
the
key
goals
on
the
website
is
that
it's
going
to
be
transparent.
It's
going
to
be
driven
by
the
community
when
I,
look
at
six
store.
I
cannot
help
but
draw
a
parallel
to
Let's
encrypt
right.
Several
different
Technologies
under
a
standard
that
effectively
enables
you
to
serve
out
https
certificates,
auto
rotation
not
having
to
think
too
much
of
it
same
with
key
management.
Imagine
if
that
was
just
a
one-liner.
A
You
dropped
in
eventually,
and
suddenly
your
supply
chain
is
that
much
more
secure.
So
the
goals
are
really
Noble
and
it
couldn't
have
come
at
a
better
time,
because
the
number
of
attacks
per
year
on
supply
chain
security
are
going
up
and
up
and
up
and
so
having
a
community
effort
that
is
spearheading.
This
is
extremely
timing.
A
You
might
have
seen
that
the
kubernetes
project
has
already
adopted
sex
store
and
that's
a
huge
Landmark
decision
that
really
signals
that
a
lot
of
cncs
projects
are
going
to
start
to
take
on
board
this
idea
of
supply
chain
security
really
seriously
and
that
sends
out
wider
waves
into
the
community
as
well.
I
can
already
hear
you
saying:
let's
get
on
and
understand
how
it
actually
all
works.
A
Well,
there
are
three
primary
components
that
I'm
going
to
talk
to
you
about
today
that
make
up
six
store,
so
the
first
one
is
cosine
cosine
you
might
have
seen
in
demonstrations.
Cosine
is
effective.
What
you
can
take
a
Docker
image
with,
and
you
can
sign
it
and
you
can
push
it
up
somewhere
job
done.
However,
we
need
to
also
talk
about
falsio,
which
is
here
on
this
illustration.
A
Falstio
is
a
certificate
signing
Authority
and
it's
extremely
important,
because
this
is
the
next
generation
of
provenance
right
and
I
mentioned
oidc
workflows,
I'm
going
to
get
into
that
in
just
a
moment
and
then
the
last
part
here
is
record
and
record
is
really.
How
do
you
then
store
and
access
the
attestations
for
all
this
stuff?
So
let's
go
through
piece
by
piece.
A
Also
remember,
my
pronunciation
of
this
I
think
is
pretty
bad,
but
unless
someone
could
tell
me
otherwise
I'm
going
to
keep
going
as
is
so
fundamentally,
the
goal
here
is
a
free
short-lived,
signed
certificates
right
and
a
transparency
log
that's
available
for
attestation,
and
all
of
this
can
be
automated.
It's
auditable,
it's
Community
operated
and
it
just
works
right.
There
shouldn't
be
any
specialist
knowledge
that
is
required
to
get
up
and
running.
So
what's
cosine
well
cosine,
when
you
run
this,
you
effectively
are
generating
a
key
pair.
A
A
What
raycor
does
that's
really
interesting
is
that
it
inserts
a
record
into
its
transparency
log
with
those
signatures
that
it's
verified
right
and
so
the
artifacts
themselves,
the
docker
images
or
whatever
it
might
be,
don't
go
into
record.
They
just
go
into
its
transparency
log
with
its
digest
information
and
its
attestation,
and
it's
a
rest
API,
so
you
could
even
host
it
yourself
and
have
your
own
centralized
Ray
core
solution.
Now
this
is
possibly
one
of
the
challenges
that
people
might
pick
up
on.
Is
that
okay?
Well,
it's
centralization!
A
A
A
So
the
code
signings
search
with
the
keyholders
identity,
will
get
squashed
together
and
it
creates
effectively
this
temporary
token
that
you
can
work
with
I'm
not
going
to
go
too
much
into
that
now,
because,
firstly,
I'm
not
an
expert
at
it,
but
secondarily
to
that,
you
can
see
that
these
three
tools
together
form
an
ecosystem
and
I,
don't
want
to
misrepresent
them.
What
I
do
want
to
tell
you,
though,
is
that
getting
up
and
running
is
very
similar
to
using
let's
encrypt
there's
a
little
bit.
A
You
do
on
your
side,
and
most
of
it
is
done
by
the
community
hosting
the
technology
on
their
side.
I
want
to
show
you
how
cosine
works,
because
that's
one
of
the
most
critical
pieces
that
you'll
be
interacting
with
inside
of
the
project,
six
store
ecosystem.
So
on
my
right
here,
I've
got
my
terminal.
I
have
a
very
simple
Docker
file
that
just
does
the
hello
world
Docker
image
that
I
think
we've
all
run
before
and
I'm
going
to
push
this
image
up
to
Docker
Hub.
A
Okay,
there
we
go
so
at
this
point.
I've
also
got
cosine
installed,
but
I
haven't
done
anything
with
it.
The
first
thing
I
need
to
do
is
to
generate
a
key
pair
in
this
particular
example.
I
am
going
to
generate
the
local
key
pair
with
cosine
right,
so
I'm
not
going
to
do
anything
else,
I'm
just
going
to
generate
a
local
keypad
to
give
you
some
of
the
fundamentals.
A
First
thing
that
it
asks
for
is
a
private
passphrase
for
the
key
I'm
going
to
ignore
that
for
now,
and
the
outcome
of
that
is
that
I
have
a
public
key
and
a
private
key,
and
these
can
situate
the
parts
that
are
required
to
sign
my
Docker
image.
The
next
thing
I
want
to
do
is
to
look
at
the
cosine
sine
command.
A
A
You
can
see
what's
happening.
Is
that
because
Docker
Hub
as
a
registry
is
compatible,
we
have
hello,
six
store
signature
being
pushed
so
that
now
lives
up
in
the
cloud
somewhere
right.
I've
got
this
idea
that
that's
been
signed
and
there's
a
few
other
things
that
are
happening
behind
the
scenes
here.
A
But
what
I
want
to
show
you
is
that
we
can
now
verify
that.
So,
if
I
go
to
cosine
verify
again,
you'll
see
some
examples
on
how
to
use
this.
You
can
provide
your
image
name,
and
this
doesn't
have
to
be
an
image
that
you've
built
mind
you,
but
I
will
check
it
against
my
public
key.
This
could
be
somebody
else's
public
key
that
they've
sent
me
over
slack.
Saying:
hey,
look.
I
really
did
build
that
thing
just
so
you
know
so
anyway.
A
Key
pair
there's
also
record
which
I
haven't
covered
yet,
but
that
lets
you
search
for
artifacts
for
attestations
and
that's
really
part
of
that
forensic
analysis
That's
so
exciting
that
projects
like
six
store
are
opening
up
in
a
big
way,
falsio
as
well
Works
behind
the
scenes
as
part
of
what
I
mentioned
a
moment
ago
and
brings
all
of
this
together.
So
you
have
that
CA
that's
doing
issuance
now.
It's
also
really
important
to
remember
that
all
these
components
are
completely
open
source
right.
You
can
host
this.
A
Just
like
you
could
host
your
own
pki
and
what's
exciting
to
me
in
particular
around
this.
Is
that
bringing
these
tools
into
the
command
line
in
a
simple
way
and
solving
real
problems
for
specifically,
and
perhaps
most
importantly,
container
developers,
package
developers
and
everyone
in
the
open
source
Community
who
wants
to
contribute
something
in
a
positive
way,
is
brilliant
because
we're
starting
to
build
this
tooling
into
our
supply
chain.
A
Hence
the
name
and
so
you're
going
to
start
to
see
a
prevalence
of
more
of
this
tooling
and
cosine
in
particular,
in
the
CI
CD,
with
verification
of
images
and
again
companies
may
may
want
to
have
their
own
transparency
logs
going
forwards
so
that
they
can
also
keep
a
ledger
on.
What's
going
on,
I
really
hope
you've
enjoyed
this
video
I
really
enjoyed
making,
and
this
is
a
particular
subject
where
I'm
learning
a
ton
at
the
same
time.
So
please
do
like
and
subscribe
and
leave
me
some
comments.
Let
me
know
there's
anything.