Should we trust the code we run in production? Not if a motivated attacker can compromise our system’s complex supply chains. While hardened runtimes and detection can mitigate some zero day attacks, malicious internal threat actors and software implants are much harder to detect. Supply chain security looks to address some of these concerns, but with so many signing options available to us, what do we really care about? Our source code, open source dependencies, CI/CD, built containers, vendor software — or the hardware and operating systems we run on? Securing the whole supply chain is a non-trivial task, and requires consideration at all of these levels. In this talk we: - Undertake a risk-based threat model of supply chain attacks against our systems - Compare the open source supply chain security controls available to us - Examine trusted execution environments and their security properties - Propose a solution for end to end supply chain security