SigstoreCon Supply Chain Day 2024

In Sigstore, the signer information is embedded from OIDC tokens into the signing certificate. Among those information, the Subject Alternative Name (SAN) is the most crucial piece representing the signer's primary identity. Picking the proper attribute as SAN is not easy; there is no one-size-fits-all answer. This is especially obvious when CI platforms are involved, with so many attributes describing the repository owner, source code, builder, etc. Which one makes the most sense as the primary identity? In this session, we will walk through a common mistake people make when using Sigstore in conjunction with GitHub Actions. We will also discuss the differences in understanding the SAN of Fulcio certificates issued to different CI platforms (e.g., GitHub Actions and GitLab pipeline) due to their behavior differences. More importantly, we will discuss what you should think about when using Sigstore on those CI platforms.