sigstore: How We Started, Where We Are, Where We are Headed

2021-10-13

Authors: Bob Callaway, Dan Lorenc


Summary

The presentation discusses the importance of supply chain security and how sigstore is working to simplify the process of signing and verifying artifacts.
  • sigstore has developed a process for signing and verifying artifacts to secure the software supply chain
  • The process involves creating a signature, verifying the signature, and storing a record of the signed artifact in a transparency log
  • sigstore is working to simplify this process so that it is accessible to developers of all skill levels
  • The project is also working on signing more types of artifacts and on policy bundles that establish trust in the supply chain
  • sigstore aims to be the Let's Encrypt of code signing and is building robust, audited infrastructure for that purpose
The presenter demonstrates how complicated signing and verifying artifacts is today, highlighting the need for a simpler solution, and then walks through sigstore's approach: create a signature, record it in the transparency log, and verify it on the consuming side, with the goal of making this workflow usable by developers of all skill levels.

Abstract

sigstore is a project under the Linux Foundation that provides a non-profit, public-good cryptographic signing service for software. You can think of it as the 'Let's Encrypt' for software signing. If you have not heard of it yet, you certainly will soon. sigstore is used to protect Kubernetes release container images and to verify them directly in the Kubernetes release infrastructure. Many other communities are also looking at how they can adopt sigstore (Python, RubyGems, Wasm, Maven). The sigstore community is made up of security experts from communities such as TUF, Kubernetes and in-toto, and engineers from Red Hat, Google, Smallstep, VMware and many more.
