Secure Your Project with the SIG Release Supply Chain Kit

2023-04-20

Authors: Carlos Panato, Adolfo García Veytia


Summary

The presentation discusses the release toolkit and its use in securing the software supply chain of development projects.
  • The release toolkit generates binaries, checksums, and signatures for release artifacts
  • It includes provenance attestations and SPDX SBOMs
  • The toolkit can be used with GitHub Actions and is language-agnostic
  • The Salsa tester creates SLSA attestations and can be used with SBOMs generated by other tools
  • The toolkit uses OIDC tokens from GitHub to obtain short-lived certificates for signing attestations
  • The toolkit can be used to donate repositories to the Kubernetes organization
The presenters explained that they had been working on the toolkit for a year to ensure it could build their own projects within SIG Release. They had received feedback that the toolset they had published was difficult to start using, so they made sure it worked well with GitHub Actions and named it the release toolkit. They donated the new repository to the Kubernetes organization so that it could be used by external projects. They also mentioned that they were working on language plugins to make the toolkit more language-agnostic.
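The summary above describes the pattern the toolkit automates: a CI job builds the artifacts, writes checksums, and signs them with a short-lived certificate obtained from GitHub's OIDC token rather than a long-lived key stored in the repository. The workflow below is an added illustration of that pattern and is not the release toolkit's own code or any action from SIG Release; it assumes a Go project with a hypothetical `./cmd/mytool` package and uses the Sigstore `cosign` CLI (not named on this page) for the keyless signing step. The `id-token: write` permission is what lets the job request the OIDC token that the summary refers to.

```yaml
# Added example workflow (not from the talk or the release toolkit).
# Builds one binary, records its SHA-256, signs the checksum file with a
# certificate issued against the job's GitHub OIDC identity, then verifies it.
name: release

on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write   # required so the job can request a GitHub OIDC token

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Installs the cosign CLI (assumption: Sigstore tooling is used for signing)
      - uses: sigstore/cosign-installer@v3

      - name: Build artifact
        run: |
          mkdir -p dist
          go build -o dist/mytool ./cmd/mytool   # hypothetical package path

      - name: Generate checksums
        run: |
          cd dist
          sha256sum mytool > checksums.txt
          sha256sum -c checksums.txt            # fail early if the file is unreadable

      - name: Sign checksum file keylessly
        env:
          COSIGN_YES: "true"                    # non-interactive consent to the Sigstore log
        run: |
          cosign sign-blob --bundle dist/checksums.txt.bundle dist/checksums.txt

      # Verification pins the signer to this repository's workflow identity and
      # to GitHub's OIDC issuer, so a bundle signed elsewhere is rejected.
      - name: Verify signature
        run: |
          cosign verify-blob \
            --bundle dist/checksums.txt.bundle \
            --certificate-identity-regexp "^https://github.com/${{ github.repository }}/" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            dist/checksums.txt
```

Consumers of the release repeat the last step with the same identity and issuer constraints before running `sha256sum -c` against the downloaded binaries; the checksum file is the one artifact whose signature needs to be checked, since it binds the rest.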

Abstract

Over the past two years, Kubernetes SIG Release shifted focus from automating the k8s release process to building stronger security features. And now, all the work done by the Release Engineering team has been packaged into really cool tools that anybody can use to harden their project's supply chain security stance. Our toolkit lets users pick and choose from the same components that our Release Managers use to secure the Kubernetes releases with features like:
  • Software Bill of Materials
  • Signed SLSA provenance attestations
  • Signed container images and artifacts
  • Secure GitHub release pages
The tools can work with any project, no need to be part of the Kubernetes family! In this talk, puerco will showcase how these tools are in use today, helping secure the releases of other projects across the Cloud Native landscape, including Knative, Istio, Cilium, CRI-O, Vitess, and others. He will show simple examples to achieve better supply chain security in your project by signing artifacts, creating SBOMs, and provenance data just as big OSS projects do it. All using helpful reusable GitHub actions. The talk will close with a shameless call for contributors passionate about CI/CD and software supply chain security to come and join the Kubernetes Release Engineering team!

Materials: