SigstoreCon Supply Chain Day


Join us for SigstoreCon, a one-day conference dedicated to Sigstore and software supply chain security! Over the past few years, we have seen a dramatic rise in software supply chain attacks affecting both open source and closed source projects. To mitigate these threats, there is a need for supply chain metadata, such as provenance attestations, which provide a stronger binding between source and binary artifacts, or SBOMs, which list the dependencies present in artifacts. Sigstore provides a trust foundation for supply chain metadata by dramatically simplifying the creation and verification of digital signatures.

Sigstore is a set of open source projects and services that removes the need to manage signing keys by leveraging workload and developer identities, and adds transparency and auditability to all created signatures. Since its creation in 2021, Sigstore has been widely adopted by open source projects such as Kubernetes, Kyverno and GoReleaser; by package registries such as npm, with Sigstore-signed SLSA build provenance, and PyPI, with index support for attestations; and by industry with GitHub's Artifact Attestations, which backs Homebrew's build provenance.

Attendees will learn more about Sigstore, with talks from Sigstore maintainers, package registry maintainers, open source contributors, and industry professionals who have integrated Sigstore into their build and release pipelines. Attendees will also learn more about related software supply chain efforts such as in-toto, SLSA, The Update Framework (TUF), binary transparency, and more!

SCHEDULE at a Glance

Times are listed in Mountain Standard Time (MST), UTC-7.
November 12, 2024: Keynotes, Sessions, Breaks, Networking