SigstoreCon North America 2022

 Autodesk has a long history of producing software that commercial entities use to build and make the world around us. Trust in our software is critical to our success, and as we move to government sales, that has never been more true. Additionally, Autodesk’s software is now more than ever a hybrid of desktop and cloud based solutions. We must build and deploy software to both end user machines and public clouds. Existing software supply chain solutions must be augmented to meet these new system models and secure them wherever they live. In this talk Jesse Sanford will review how Autodesk is adapting it’s existing CI and CD tooling with the Sigstore project to meet current and future compliance needs. Jesse will speak in detail about the container provenance tracking solution built on Cosign with InToto vuln scanning attestations. A demo of our deployment governance solution will be shown which will block out of policy images from being allowed through the CD pipelines. If there is time, I will go into our future plans to implement a machine Identity solution with SPIRE for keyless signing with Cosign, Fulcio and Rekor.