Software supply chain security is increasingly important to the open source ecosystem, but the learning curve can be steep. Certificate authorities, transparency logs, keys, signing… and even keyless signing! What do these terms all mean and how can a Python developer incorporate tools that make their projects more secure?
This talk will provide a high-level overview of the developer-first open source project, Sigstore, within the Python context. We’ll go through each component of Sigstore, including how to sign a software artifact with Cosign, how Fulcio issues certificates, and finally how developers and end users alike can verify claims made on the Rekor public ledger. We’ll discuss how PyPI is leveraging Sigstore to help with verifying and trusting dependencies we all rely on. Finally, we’ll go through a demonstration of creating, publishing, and signing a containerized Python app.
The audience will walk away with an understanding of how they can navigate software security more effectively and be better citizens of open source through implementing recommended security practices.
This will be a hands-on talk, with an introduction to the Sigstore project, a walkthrough, and a sample repo for demonstration.
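To make the transparency-log idea behind Rekor concrete, here is an added example (stdlib-only Python, written for this page; it is not code from the talk, the sample repo or the Sigstore project). Log entries are hashed into an RFC 6962-style Merkle tree, and a verifier checks an inclusion proof for one entry against the tree head using the RFC 9162 verification procedure. The entry layout, the identities, issuer URLs and artifact contents are all constructed for the demo; Rekor's real entry types, API and signed tree heads are not reproduced.

```python
"""Minimal RFC 6962-style Merkle log with inclusion proofs (added example, stdlib only)."""
import hashlib
import json
from typing import List

LEAF_PREFIX = b"\x00"  # domain separation for leaf hashes
NODE_PREFIX = b"\x01"  # domain separation for interior node hashes


def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split(n: int) -> int:
    # Largest power of two strictly less than n (the RFC 6962 split point).
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves: List[bytes]) -> bytes:
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return hash_leaf(leaves[0])
    k = _split(len(leaves))
    return hash_node(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Sibling hashes from the leaf up to the root, leaf-nearest first."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Client-side check that `leaf` sits at `index` in a tree of `tree_size`
    whose head is `root` (RFC 9162 section 2.1.3.2 algorithm)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = hash_leaf(leaf)
    for p in proof:
        if sn == 0:
            return False  # more proof nodes than the tree can have
        if fn & 1 or fn == sn:
            r = hash_node(p, r)
            if not fn & 1:
                # Leaf's subtree is a right edge; skip the levels it is alone on.
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = hash_node(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def log_entry(artifact: bytes, identity: str, issuer: str) -> bytes:
    """Constructed entry body: an artifact digest bound to a signer identity
    and OIDC issuer (a stand-in for what a keyless signature claims)."""
    body = {
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "identity": identity,
        "issuer": issuer,
    }
    return json.dumps(body, sort_keys=True).encode()


def demo() -> dict:
    # Constructed sample log: three unrelated entries followed by ours.
    ours = log_entry(b"myapp-1.0.0.tar.gz contents (constructed)",
                     "maintainer@example.com", "https://issuer.example")
    entries = [log_entry(b"other-%d" % i, "someone@example.org",
                         "https://issuer.example") for i in range(3)] + [ours]
    root = merkle_root(entries)          # the published tree head
    idx = entries.index(ours)
    proof = inclusion_proof(entries, idx)  # what the log hands back to a client
    genuine = verify_inclusion(ours, idx, len(entries), proof, root)
    # Same position and proof, but the artifact bytes were altered downstream.
    forged = log_entry(b"myapp-1.0.0.tar.gz TAMPERED",
                       "maintainer@example.com", "https://issuer.example")
    tampered = verify_inclusion(forged, idx, len(entries), proof, root)
    return {"index": idx, "proof_len": len(proof),
            "genuine": genuine, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The genuine entry verifies against the tree head while the altered artifact fails with the very same proof, which is the property a consumer relies on when checking a Rekor entry. In a real Sigstore verification the client additionally checks the signature and the Fulcio-issued certificate's identity and issuer, and that the certificate was valid at the time recorded by the log; this example covers only the log-inclusion step.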