Zero Trust Supply Chains with Project Sigstore and SPIFFE

The presentation discusses the importance of securing software supply chains and introduces Spiffy and Spire as solutions. It also highlights the intersection of Spiffy and Spire with Project Six Store.

• Software supply chains are vulnerable to attacks and require secure solutions
• Spiffy and Spire provide a secure identity framework for managing the lifecycle of identity and reducing the likelihood of breaches
• Spiffy and Spire create an identity control plane and abstraction that simplifies high velocity pki and roll binding
• Project Six Store intersects with Spiffy and Spire by providing a secure and scalable platform for storing and sharing software artifacts

The speaker mentions that mean people like to mess with software at every step of the supply chain, and that the industry has struggled to find a good foundation for securing every piece of the software supply chain. However, with initiatives like the executive order mandating certain levels of supply chain readiness and efforts to catalog cloud native supply chain compromises, it is a good time to be in the space and solve this problem. Spiffy and Spire provide a solution to this problem by creating a secure identity framework and reducing the utility time of credentials in the event of exfiltration.

In order to ensure the trustworthiness of your software supply chain, maintainers must restate a number of assumptions. As opposed to inherently trusting build systems to serve accurate package metadata, we propose verification of every claim in the chain against the actors and tasks involved in the process. The combination of cryptographically verifiable identities with the use of transparency logs provides a novel approach to accomplish so and increase the security guarantees of your release artifacts.Project Sigstore provides a toolkit to allow organizations to publish verifiable provenance about publicly distributed artifacts. This metadata is in turn stored on the Sigstore Binary Transparency Log (Rekor), signed and verified by use of Keyless Signatures (Cosign) and the Sigstore Certificate Authority (Fulcio), and stored in an OCI registry where it can be verified, discovered, and used in policy engines. Backed by SPIFFE’s reference implementation SPIRE, all cryptographic operations are rooted in a strongly attested universal identity control plane for distributed systems.This presentation will demonstrate how a zero trust supply chain architecture can be applied to build systems, through the use of Sigstore and SPIRE for a Federated, Verifiable, Zero-Trust Supply Chain. Additionally, TektonCD will be used as the example build system and in-toto as the example provenance format.