SigstoreCon North America 2022

Sigstore’s ecosystem enables signing, verifying, and protecting software artifacts in a new way. By doing so, we can confirm that the software is what it claims to be. As part of the rising concerns of software supply chain attacks, we decided to adopt the Sigstore tooling, integrate it as part of our environment to increase the integrity level of our software artifacts, and share our insights of the process. In implementing Sigstore's ecosystem, we encountered several challenges that may be common to other organizations - our artifacts run on cloud-native, self-hosted, and even on-premise environments, and we use several build services, including a self-hosted K8s cluster. During the talk, we’ll explore the following concepts: - The trade-off for self-hosting rekor/fulcio instances against using public ones’. - Implementing “keyless” commit signatures with the gitsign utility instead of standard GPG. - Developing methodology and tools to verify commit signatures. - Using spiffe/spire to give our ephemeral build workloads identities. - Utilizing OIDC tokens for keyless signatures on artifacts in various build environments. - Developing methodology and tools to verify artifacts.