Authors: Justin Cappos, Marina Moore
2022-10-27

Description: As supply chain security has garnered a lot of attention recently, software signing and verification have emerged as a vital step in the process of distributing software. However, a signature alone is insufficient for ensuring the security of a software artifact. Come learn about The Update Framework (TUF), the technology used by sigstore, Notary, Google Fuchsia, and more to not only sign software but also determine which keys should be used and prevent known attacks on software update systems. We will give an overview of TUF that describes its security features and how it has been integrated into fields as diverse as container registries and automobiles. We will also discuss new features we are working on to better support secure software distribution at scale and improve usability, as well as some emerging uses of TUF.