Tag: key management

  • Implementing Containers’ Secure Supply Chain with Sigstore Part 3 – Ephemeral Keys and Artifact Promotion

    Implementing Containers’ Secure Supply Chain with Sigstore Part 3 – Ephemeral Keys and Artifact Promotion

    In the last post of the series about Sigstore, I will look at the most exciting part of the implementation – ephemeral keys, or what the Sigstore team calls keyless signing. The post will go over the second and third scenarios I outlined in Implementing Containers’ Secure Supply Chain with Sigstore Part 1 – Signing…

    , ,
    , , , ,
  • Implementing Containers’ Secure Supply Chain with Sigstore Part 2 – The Magic Behind

    Implementing Containers’ Secure Supply Chain with Sigstore Part 2 – The Magic Behind

    In my previous post, Implementing Containers’ Secure Supply Chain with Sigstore Part 1 – Signing with Existing Keys, I went over the Cosign experience of signing images with existing keys. As I concluded there, the signing was easy to achieve, with just a few hiccups here and there. It does seem that Cosign does a…

    ,
    , , ,
  • Implementing Containers’ Secure Supply Chain with Sigstore Part 1 – Signing with Existing Keys

    Implementing Containers’ Secure Supply Chain with Sigstore Part 1 – Signing with Existing Keys

    Today, the secure supply chain for software is on top of mind for every CISO and enterprise leader. After the President’s Executive Order (EO), many efforts were spun off to secure the supply chain. One of the most prominent is, of course, Sigstore. I looked at Sigstore more than a year ago and was excited…

    , ,
    , , , ,
  • Signatures, Key Management, and Trust in Software Supply Chains – Part 2: Exploiting Signatures

    Signatures, Key Management, and Trust in Software Supply Chains – Part 2: Exploiting Signatures

    In Part 1 of the series Signatures, Key Management, and Trust in Software Supply Chains, I wrote about the basic concepts of identities, signatures, and attestation. In this one, I will expand on the house buying scenario, that I hinted about in Part 1, and will describe a few ways to exploit it in the…

    ,
    , ,
  • Signatures, Key Management, and Trust in Software Supply Chains – Part 1: Identities, Signatures and Attestation

    Signatures, Key Management, and Trust in Software Supply Chains – Part 1: Identities, Signatures and Attestation

    For the past few months, I’ve been working on a project for a secure software supply chain, and one topic that seems to always start passionate discussions is the software signatures. The President’s Executive Order on Improving the Nation’s Cybersecurity (EO) is a pivotal point for the industry. One of the requirements is for vendors…

    ,
    , ,