Loading…
November 12, 2024 | Salt Lake City, Utah
Learn More and Register to Attend

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for SigstoreCon Supply Chain Day 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Mountain Standard Time. To see the schedule in your preferred timezone, please select from the drop-down located at the bottom of the menu to the right.

The schedule is subject to change.
or to bookmark your favorites and sync them to your phone or calendar.
strong>Beginner [clear filter]
arrow_back View All Dates
Tuesday, November 12
 

2:50pm MST

Charting the Path to Software Integrity: Red Hat’s Journey with Sigstore - Lance Ball & Brian Cook, Red Hat
Tuesday November 12, 2024 2:50pm - 3:20pm MST
In the evolving landscape of software supply chain security, Red Hat has embarked on a transformative journey, fully embracing the Sigstore ecosystem. Today, Red Hat's internal product pipelines rely on Sigstore’s Cosign to sign software releases, and Rekor provides an immutable transaction log, enabling customers to verify the integrity of downloaded software artifacts. This integration has been pivotal in ensuring the trustworthiness of the software that Red Hat distributes. As we navigated the intricacies of this integration, we gained deep insights into how Sigstore functions, encountered and overcame various challenges, and refined our approach to secure software delivery. In deploying Sigstore internally, we faced a number of obstacles that could make it challenging for large enterprises to adopt Sigstore for their own software delivery supply chains. We want to share with you how we overcame these challenges, and how we think the Sigstore ecosystem of services can be improved. Join us as we take you through Red Hat’s journey with Sigstore —sharing valuable lessons learned, highlighting the pitfalls we encountered, and showcasing how we fortified our software supply chain.
Speakers
avatar for Lance Ball

Lance Ball

Engineering Manager / Sr. Principal Engineer, Red Hat
Lance is the engineering manager for Red Hat Trusted Artifact Signer and a senior principal engineer. Previously, Knative Steering Committee and Functions Working Group lead. He is an active open source contributor, an avid cyclist, and a committed sourdough bread baker. You can find... Read More →
avatar for Brian Cook

Brian Cook

Product Manager, Red Hat
Brian has worked on product build systems at Red Hat for 8 years. Co-founder of Konflux CI and Enterprise Contract projects. He believes there is a path to make continuous delivery and secure software supply chain coexist peacefully.
Tuesday November 12, 2024 2:50pm - 3:20pm MST
Alpine
  Case Studies

3:25pm MST

Understanding the Identity of a CI Platform - Richard Fan, N/A
Tuesday November 12, 2024 3:25pm - 3:40pm MST
In Sigstore, the signer information is embedded from OIDC tokens into the signing certificate. Among those information, the Subject Alternative Name (SAN) is the most crucial piece representing the signer's primary identity. Picking the proper attribute as SAN is not easy; there is no one-size-fits-all answer. This is especially obvious when CI platforms are involved, with so many attributes describing the repository owner, source code, builder, etc. Which one makes the most sense as the primary identity? In this session, we will walk through a common mistake people make when using Sigstore in conjunction with GitHub Actions. We will also discuss the differences in understanding the SAN of Fulcio certificates issued to different CI platforms (e.g., GitHub Actions and GitLab pipeline) due to their behavior differences. More importantly, we will discuss what you should think about when using Sigstore on those CI platforms.
Speakers
avatar for Richard Fan

Richard Fan

Cybersecurity Engineer, Independent
Richard is a Security Engineer and an AWS Security Hero. He is dedicated to helping people quickly adopt the cloud, promoting best practices, and streamlining cloud governance. Richard's experience over the years has allowed him to focus more on making security on the cloud easy... Read More →
Tuesday November 12, 2024 3:25pm - 3:40pm MST
Alpine
  Best practices in supply chain security
 
  • Filter By Venue
  • Filter By Type
  • Company
  • Session Slides Attached
  • Timezone

Share Modal

Share this link via

Or copy link

Filter sessions
Apply filters to sessions.
Filtered by Date -