The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for SigstoreCon Supply Chain Day 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.
2024 has been quite the year for client libraries as well as Sigstore deployments, with betas of Homebrew's build provenance, Maven Central accepting Sigstore signatures, and PyPI's publish attestation. These deployments (and the client libraries they use) store content in Sigstore protocol buffer formats: signed material in bundles and verification material in trusted roots. There are a number of advantages to using these formats, but unfortunately cosign does not default to using them. It's important for the ecosystem to be interoperable, so we're working on updating cosign to default to these formats, including commands to help folks transition from their existing usage. In this talk we'll go over what that plan looks like, what progress we've made so far, and get your feedback on what else we need to consider to help cosign keep up with the client libraries.
Zach is slowly learning more about gardening and welding. When he's at the keyboard he likes working on home automation, biking, and helping secure open source software. A housing inspector once called his electrical work "amateurish".