SigstoreCon Supply Chain Day 2024

In the evolving landscape of software supply chain security, Red Hat has embarked on a transformative journey, fully embracing the Sigstore ecosystem. Today, Red Hat's internal product pipelines rely on Sigstore’s Cosign to sign software releases, and Rekor provides an immutable transaction log, enabling customers to verify the integrity of downloaded software artifacts. This integration has been pivotal in ensuring the trustworthiness of the software that Red Hat distributes. As we navigated the intricacies of this integration, we gained deep insights into how Sigstore functions, encountered and overcame various challenges, and refined our approach to secure software delivery. In deploying Sigstore internally, we faced a number of obstacles that could make it challenging for large enterprises to adopt Sigstore for their own software delivery supply chains. We want to share with you how we overcame these challenges, and how we think the Sigstore ecosystem of services can be improved. Join us as we take you through Red Hat’s journey with Sigstore —sharing valuable lessons learned, highlighting the pitfalls we encountered, and showcasing how we fortified our software supply chain.

In Sigstore, the signer information is embedded from OIDC tokens into the signing certificate. Among those information, the Subject Alternative Name (SAN) is the most crucial piece representing the signer's primary identity. Picking the proper attribute as SAN is not easy; there is no one-size-fits-all answer. This is especially obvious when CI platforms are involved, with so many attributes describing the repository owner, source code, builder, etc. Which one makes the most sense as the primary identity? In this session, we will walk through a common mistake people make when using Sigstore in conjunction with GitHub Actions. We will also discuss the differences in understanding the SAN of Fulcio certificates issued to different CI platforms (e.g., GitHub Actions and GitLab pipeline) due to their behavior differences. More importantly, we will discuss what you should think about when using Sigstore on those CI platforms.