shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.

#sigstore

Caleb Woodbine 🎺🐛<p>Tomorrow I'm speaking at the Auckland Kubernetes Meetup.<br>Alongside Jonas, who is talking about "AI Assisted DevSecOps", I'm talking about "Secure software supply chain with Sigstore".</p><p><a href="https://www.meetup.com/auckland-kubernetes/events/305896235/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">meetup.com/auckland-kubernetes</span><span class="invisible">/events/305896235/</span></a></p><p>Hope to see you there!</p><p><a href="https://mastodon.nz/tags/kubernetes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>kubernetes</span></a> <a href="https://mastodon.nz/tags/cncf" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cncf</span></a> <a href="https://mastodon.nz/tags/auckland" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>auckland</span></a> <a href="https://mastodon.nz/tags/sigstore" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sigstore</span></a> <a href="https://mastodon.nz/tags/slsa" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>slsa</span></a></p>
mgorny-nyan (he) :autism:🙀🚂🐧<p><a href="https://social.treehouse.systems/tags/SigStore" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SigStore</span></a> claim: it has multiple clients and it's easy to use.</p><p>Reality:</p><p><a href="https://social.treehouse.systems/tags/Cosign" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cosign</span></a> defaults to using a bundle format that doesn't seem to be supported by SigStore-python at all. You have to explicitly pass `--new-bundle-format` to create compatible signatures.</p><p>You also have to explicitly pass `--new-format` when verifying. Otherwise, Cosign will give you a completely confusing message:</p><p>Error: bundle does not contain cert for verification, please provide public key</p><p>And of course it's quite hard to find any information on this. I've realized it only because I recalled a SigStore-related thread on discuss.python.org, and a single example of using Cosign to verify CPython signatures was given there.</p>
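<p>The interoperability snag described in the post above is easiest to avoid by looking at what is actually inside a bundle before handing it to a client. The script below is an added example (not from the post, not from cosign or sigstore-python) that uses only the Python standard library to triage a bundle file offline: it tells a protobuf-specs Sigstore bundle (the format the post refers to as the "new" bundle format, recognisable by its <code>application/vnd.dev.sigstore.bundle…</code> media type) from cosign's older <code>--bundle</code> output, reports whether a Fulcio certificate is embedded (the material a keyless verifier needs, and what the quoted "bundle does not contain cert" error is complaining about), and checks that the digest the bundle commits to matches the artifact on disk. It does not verify the signature or the transparency-log entry; that is still the verifier's job. The sample bundles are constructed for the example and carry placeholder certificate and signature bytes.</p>

```python
"""Offline triage of a Sigstore bundle before running a real verifier.

Added example, not code from the post or from any Sigstore project.
Only the JSON field names of the protobuf-specs bundle and of cosign's
legacy bundle are assumed; the sample bundles below are constructed.
"""
import base64
import hashlib
import json

SIGSTORE_BUNDLE_MEDIA_TYPE_PREFIX = "application/vnd.dev.sigstore.bundle"


def classify_bundle(bundle: dict) -> str:
    """'sigstore' for a protobuf-specs bundle, 'cosign-legacy' for cosign's
    older --bundle output (base64Signature/cert/rekorBundle), else 'unknown'."""
    if str(bundle.get("mediaType", "")).startswith(SIGSTORE_BUNDLE_MEDIA_TYPE_PREFIX):
        return "sigstore"
    if "base64Signature" in bundle and "rekorBundle" in bundle:
        return "cosign-legacy"
    return "unknown"


def verification_material(bundle: dict) -> str:
    """Which kind of verification material a protobuf-specs bundle carries.
    Keyless verification needs a certificate; a bare public-key hint means the
    verifier must be given the key out of band."""
    vm = bundle.get("verificationMaterial", {})
    if "certificate" in vm:            # bundle v0.3: single leaf cert
        return "certificate"
    if "x509CertificateChain" in vm:   # bundle v0.1/v0.2: chain
        return "certificate-chain"
    if "publicKey" in vm:              # key-based signing, no Fulcio cert
        return "public-key-hint"
    return "none"


def digest_matches(bundle: dict, artifact: bytes) -> bool:
    """True if the bundle's messageDigest equals sha256(artifact).
    DSSE-envelope bundles carry the digest inside the in-toto statement
    instead, so they are reported as not matching here."""
    ms = bundle.get("messageSignature")
    if not ms:
        return False
    md = ms.get("messageDigest", {})
    if md.get("algorithm") != "SHA2_256":
        return False
    try:
        expected = base64.b64decode(md.get("digest", ""), validate=True)
    except (ValueError, TypeError):
        return False
    return expected == hashlib.sha256(artifact).digest()


def triage(bundle_json: str, artifact: bytes) -> dict:
    """Summarise a bundle: its flavour, its verification material, whether the
    digest matches the artifact, and whether keyless verification can proceed."""
    bundle = json.loads(bundle_json)
    kind = classify_bundle(bundle)
    report = {"kind": kind, "material": "n/a", "digest_ok": False,
              "tlog_entries": 0, "keyless_ready": False}
    if kind == "sigstore":
        report["material"] = verification_material(bundle)
        report["digest_ok"] = digest_matches(bundle, artifact)
        report["tlog_entries"] = len(
            bundle.get("verificationMaterial", {}).get("tlogEntries", []))
        report["keyless_ready"] = (
            report["material"] in ("certificate", "certificate-chain")
            and report["digest_ok"])
    return report


# ---- constructed sample inputs (placeholder cert/signature bytes) ----
ARTIFACT = b"hello\n"
_DIGEST_B64 = base64.b64encode(hashlib.sha256(ARTIFACT).digest()).decode()
_PLACEHOLDER = base64.b64encode(b"not-a-real-der-blob").decode()

SAMPLE_NEW_BUNDLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {
        "certificate": {"rawBytes": _PLACEHOLDER},
        "tlogEntries": [{"logIndex": "1", "integratedTime": "0"}],
    },
    "messageSignature": {
        "messageDigest": {"algorithm": "SHA2_256", "digest": _DIGEST_B64},
        "signature": _PLACEHOLDER,
    },
})

SAMPLE_KEY_BUNDLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {"publicKey": {"hint": "my-key"}, "tlogEntries": []},
    "messageSignature": {
        "messageDigest": {"algorithm": "SHA2_256", "digest": _DIGEST_B64},
        "signature": _PLACEHOLDER,
    },
})

SAMPLE_LEGACY_BUNDLE = json.dumps({
    "base64Signature": _PLACEHOLDER,
    "cert": _PLACEHOLDER,
    "rekorBundle": {"SignedEntryTimestamp": _PLACEHOLDER, "Payload": {"logIndex": 1}},
})

if __name__ == "__main__":
    for name, b in [("new", SAMPLE_NEW_BUNDLE), ("key", SAMPLE_KEY_BUNDLE),
                    ("legacy", SAMPLE_LEGACY_BUNDLE)]:
        print(name, triage(b, ARTIFACT))
```

<p>A <code>keyless_ready</code> of <code>False</code> on a bundle whose <code>kind</code> is <code>cosign-legacy</code> or whose material is <code>public-key-hint</code> is the situation the post describes: no client will find a certificate in it, so either re-sign with the protobuf-specs bundle format or supply the public key explicitly. A <code>digest_ok</code> of <code>False</code> on an otherwise good bundle means the bundle was made for a different artifact (or the artifact was modified), which is worth catching before the signature check.</p>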
Bret Mogilefsky<p>Great news, it's now ridiculously easy to sign your commits with <a href="https://hachyderm.io/tags/SigStore" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SigStore</span></a> and have <a href="https://hachyderm.io/tags/GitHub" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GitHub</span></a> properly show them as verified! <br><a href="https://github.blog/changelog/2024-12-10-persistent-commit-signature-verification-is-generally-available/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.blog/changelog/2024-12-</span><span class="invisible">10-persistent-commit-signature-verification-is-generally-available/</span></a></p>
Python Software Foundation<p>What has our Security Developer-in-Residence been up to? <span class="h-card" translate="no"><a href="https://fosstodon.org/@sethmlarson" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>sethmlarson</span></a></span> was recently a guest on the Open Source Security Podcast to talk about the latest <a href="https://fosstodon.org/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> work for <a href="https://fosstodon.org/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Python</span></a>, like <a href="https://fosstodon.org/tags/Sigstore" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Sigstore</span></a>, Software Bill-of-Materials (<a href="https://fosstodon.org/tags/SBOM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SBOM</span></a>), and how to support <a href="https://fosstodon.org/tags/opensource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>opensource</span></a> security. Check it out!<br><a href="https://opensourcesecurity.io/2024/10/20/episode-451-python-security-with-seth-larson/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">opensourcesecurity.io/2024/10/</span><span class="invisible">20/episode-451-python-security-with-seth-larson/</span></a></p>
GitHub<p>NEW: GitHub Artifact Attestations are now generally available! With the power of <a href="https://hachyderm.io/tags/sigstore" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sigstore</span></a>, you can create unforgeable integrity and provenance guarantees for any software you build inside Actions.<br><a href="https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.blog/changelog/2024-06-</span><span class="invisible">25-artifact-attestations-is-generally-available/</span></a></p>
phillmv<p>I can finally talk about what we've been working on for the past two years(!)</p><p>Using <a href="https://hachyderm.io/tags/sigstore" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sigstore</span></a>, GitHub now supports artifact signing, which allows you to create unforgeable provenance guarantees for any software you build inside Actions.</p><p>It's been a heck of a ride, &amp; you can read more about (and learn how to use it) here:</p><p><a href="https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.blog/2024-05-02-introdu</span><span class="invisible">cing-artifact-attestations-now-in-public-beta/</span></a></p>
phillmv<p>We’re starting to go public with our work on supply chain security &amp; <a href="https://hachyderm.io/tags/Sigstore" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Sigstore</span></a> in particular.</p><p>First up, on why you should start attesting your software’s builds:</p><p><a href="https://github.blog/2024-04-30-where-does-your-software-really-come-from/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.blog/2024-04-30-where-d</span><span class="invisible">oes-your-software-really-come-from/</span></a></p>
Risotto Bias<p>other than <span class="h-card" translate="no"><a href="https://social.rust-lang.org/@rust" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>rust</span></a></span> 's "we don't want TUF but we want to start with almost TUF, extend it, and accidentally build TUF but different*"[1][2]...</p><p>...I kinda haven't seen any good pro/con/alternative docs on things besides <a href="https://tech.lgbt/tags/TUF" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TUF</span></a> or <a href="https://tech.lgbt/tags/sigstore" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sigstore</span></a> (okay, in-toto is... different. as is <a href="https://tech.lgbt/tags/gittuf" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>gittuf</span></a>) </p><p>heck, Python adopted it.</p><p>Golang's metadata/proxy stuff is slightly different...</p><p>I guess what I'm saying is there's opportunity for a cool writeup on package and language supply chain security landscapes.</p><p>lighter threat models, the difference between git, language, OS, and cluster threat models,</p><p><a href="https://tech.lgbt/tags/trdl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>trdl</span></a> <a href="https://tech.lgbt/tags/automotivelinux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>automotivelinux</span></a> <a href="https://tech.lgbt/tags/rustlang" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>rustlang</span></a> <a href="https://tech.lgbt/tags/InToto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InToto</span></a> <a href="https://tech.lgbt/tags/opa" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>opa</span></a> </p><p>[1] Rust <a href="https://foundation.rust-lang.org/news/2023-12-21-improving-supply-chain-security/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">foundation.rust-lang.org/news/</span><span class="invisible">2023-12-21-improving-supply-chain-security/</span></a><br>[2] Rust <a href="https://github.com/rust-lang/rfcs/pull/2474" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/rust-lang/rfcs/pull</span><span class="invisible">/2474</span></a><br>[3] PyPI <a href="https://peps.python.org/pep-0458/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">peps.python.org/pep-0458/</span><span class="invisible"></span></a><br>[4] OCaml <a href="https://opam.ocaml.org/blog/Signing-the-opam-repository/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">opam.ocaml.org/blog/Signing-th</span><span class="invisible">e-opam-repository/</span></a><br>[5] <a href="https://github.com/php-tuf/php-tuf" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/php-tuf/php-tuf</span><span class="invisible"></span></a> (old, not official)<br>[6] Haskell <a href="https://www.well-typed.com/blog/2015/04/improving-hackage-security/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">well-typed.com/blog/2015/04/im</span><span class="invisible">proving-hackage-security/</span></a><br>[7] *gestures wildly at sigstore/docker/kubernetes*</p><p>*(in the accent of zefrank1 of "true facts about...") "as rust developers are wont to do. same same, but different."</p>
postmodern<p>Does anyone use sigstore to sign tar archives of released software? I'm not signing docker images, ELFs, EXEs, DMGs, etc, just a regular tar archive generated by <code>git archive</code> and uploaded to GitHub as a release artifact.<br><a href="https://infosec.exchange/tags/sigstore" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sigstore</span></a> <a href="https://infosec.exchange/tags/cosign" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cosign</span></a></p>
Mrinal Wadhwa<p>Secure-by-design systems - shrink the target.</p><p>• Rust - memory safety mistakes in your code cannot be used as a target.</p><p>• Sigstore - library &amp; container dependencies cannot be used as a target.</p><p>• Ockam - systems that transport/store your data cannot be used as a target.</p><p>Drastically shrinking the target (your app's vulnerability surface) is the only practical approach to security for modern applications.</p><p><a href="https://hachyderm.io/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://hachyderm.io/tags/securebydesign" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>securebydesign</span></a> <a href="https://hachyderm.io/tags/sigstore" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sigstore</span></a> <a href="https://hachyderm.io/tags/ockam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ockam</span></a> <a href="https://hachyderm.io/tags/rustlang" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>rustlang</span></a></p>