Introduction to Sigstore: cryptographic signatures made easier
2023-07-04, 14:35–15:10 (Europe/Paris), Amphitheater

The last few years have seen a significant raise in Supply Chain attacks targeting third party software used in larger projects. With the need for developers to attest of the integrity and provenance of their software dependencies, alternatives have emerged to make tracing software back to the source more accessible, without a need for specific knowledge of cryptographic protocols used for generating and verifying artifact signatures.

Project Sigstore (https://www.sigstore.dev/) is a new standard for signing, verifying and protecting software. This talk will provide an introduction to Sigstore, explaining the different components the project is built upon and how developers can use it to sign and verify software artifacts (software packages, container images...) in a secure way. Notably, Sigstore solves the issue of private key storage and management by implementing "keyless" signing, where users can generate ephemeral key pairs and sign an artifact using an identity provider such as GitHub, Microsoft or Google.

See also: Slides

Maya is a Software Engineer in Red Hat's Emerging Technologies security team.
She is passionate about Python, open source and software supply chain security.