Enlightning

Learn CNCF projects with Whitney and her lightboard ⚡️

Signed, Sealed, Delivered, I’m Yours! An Introduction to Sigstore

3:00 PM UTC on Thursday, Mar 23, 2023

In this episode

How do you know that the software you’re running on your laptop or in production is actually the software you think you’re running? Attackers may try to modify source code or compiled binaries/containers as they move about the internet and your network. We can check the authenticity of software and other digital artifacts with digital signatures. But, in practice, almost nobody does!

In this episode, we’ll see why not, and what the Sigstore project is doing to fix that. We’ll explore digital signatures, losing your Yubikey on the street, why the price of security for OSS projects should be zero, how you achieve more security by promising less, and why software signatures need “sunshine laws,” all in the context of the Sigstore project and its constituent components Fulcio, Rekor, and Cosign. You’ll learn how the OSS ecosystem is getting more secure every day and how you can apply the same tools and principles.
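To make the signature check the episode description refers to concrete, here is a small added example (written for this page, not code from the Sigstore project or the guests). It uses a locally generated Ed25519 key pair, which is an assumption for the example: Sigstore's keyless flow instead issues a short-lived key bound to an identity by Fulcio and records the signing event in Rekor's transparency log. The sample artifact bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Signer wraps an Ed25519 key pair. This is an assumption made for the
// example: Sigstore's keyless flow uses a short-lived key that Fulcio binds
// to an OIDC identity and that Rekor records in its transparency log.
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair from the OS random source.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Pub: pub, priv: priv}, nil
}

// ArtifactDigest returns the SHA-256 digest of an artifact's bytes. Signing
// the digest rather than the artifact itself is what lets one small signature
// cover a large binary or container image.
func ArtifactDigest(artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return sum[:]
}

// Sign produces a detached signature over the artifact digest.
func (s *Signer) Sign(artifact []byte) []byte {
	return ed25519.Sign(s.priv, ArtifactDigest(artifact))
}

// Verify recomputes the digest from the bytes actually received and checks
// the signature against it, so any modification in transit is detected.
// Malformed key or signature lengths are rejected instead of panicking.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, ArtifactDigest(artifact), sig)
}

func main() {
	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample artifact standing in for a release binary.
	artifact := []byte("#!/bin/sh\necho 'release 1.0'\n")
	sig := signer.Sign(artifact)
	fmt.Println("digest:    ", hex.EncodeToString(ArtifactDigest(artifact)))
	fmt.Println("signature: ", hex.EncodeToString(sig))
	fmt.Println("genuine verifies:  ", Verify(signer.Pub, artifact, sig))

	// Simulate tampering in transit: a one-byte change to the artifact.
	tampered := append([]byte{}, artifact...)
	tampered[len(tampered)-2] = '!'
	fmt.Println("tampered verifies: ", Verify(signer.Pub, tampered, sig))

	// A signature checked against a different party's key is also rejected.
	other, _ := NewSigner()
	fmt.Println("other key verifies:", Verify(other.Pub, artifact, sig))
}
```

The example stops exactly where Sigstore begins: the verifier still has to obtain the right public key and decide whether to trust it, which is the key-distribution and key-loss problem (the lost Yubikey above) that Fulcio's identity-bound certificates and Rekor's public log are designed to take off the individual maintainer.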

Guests

Lewis Denham-Parry

Lewis Denham-Parry orchestrates containers by day and hacks them at night. He has consulted in many roles, from developing software on bare metal to building the infrastructure somewhere in the cloud.

At Chainguard, he is a Security Engineer helping customers secure their supply chain, from empowering developers to build their containers to offering observability to CISOs.

Community is key to Lewis, and he has presented talks and workshops at numerous international conferences, from KubeCon, SANS, and BSides to local meetups in Wales.

When not pretending to be an adult, he spends his time with family, playing sports, reading books, and eating copious amounts of food. Lewis can be found on the internet thanks to his surname.

Zack Newman

Zack is passionate about developer tooling, supply chain security, and applied cryptography. After 4 years as a software engineer and tech lead on Google Cloud SDK, he moved to MIT CSAIL to research authenticated data structures and Tor network performance. Now, as a research scientist at Chainguard, he works with the TUF and Sigstore communities to make open source more secure.

Hosts

Whitney Lee

Whitney is a lovable goofball who enjoys understanding and using tools in the cloud native landscape. Creative and driven, Whitney recently pivoted from an art-related career to one in tech. She is a CNCF Ambassador and active in the open source community. You can catch her lightboard streaming show ⚡️ Enlightning on Tanzu.TV. And not only does she rock at tech: she has literally toured playing keyboards and singing vocals in the band Mutual Benefit.