Not all that’s signed is secure: Verify the right way with TUF and Sigstore
At the inaugural CloudNativeSecurityCon in Seattle, former Chainguard intern Marina Moore (PhD candidate at NYU) and Chainguard research scientist Zack Newman took to the stage to present their talk: "Not All That’s Signed Is Secure: Verify the Right Way with TUF and Sigstore” on how the Sigstore and The Update Framework (TUF) open source projects can be used to create verification policies to secure software supply chains of all shapes and sizes.
Key Takeaways
Software signing helps with an important (but not exhaustive) class of supply chain attacks.
Even then, verifying the wrong way can render your signing scheme useless: just “signing” isn’t sufficient.
It’s tricky to create the right verification policy, which tells you how to verify, because of the potential of subtle attacks; The Update Framework (TUF) is a great way to build smart-but-flexible verification policies for your needs.
TUF and Sigstore are a match made in heaven: easy signing, with rigorous verification policies.
To learn more, please watch the talk, check out the slide deck, and get involved with the Sigstore and TUF projects. Not ready to build your own verification policies from scratch? Chainguard Enforce has built-in support for verification policies that support TUF and Sigstore, and any other policies for securing your software supply chain.
Share this article
Related articles
- Engineering
It’s time to rethink golden images. Chainguard can help.
Chainguard helps teams build developer-centric golden image programs with zero-CVE, purpose-built containers—balancing speed, security, and standardization.
Sam Katzen, Staff Product Marketing Manager
- Engineering
Why building from source matters
Chainguard SVP of Engineering Dustin Kirkland discusses why Chainguard builds every package, library, and image directly from source and why the approach works.
Dustin Kirkland, SVP of Engineering
- Engineering
Accelerating Platform Adoption with Developer Trust
Chainguard helps Platform teams drive adoption with zero-CVE, customizable container images that make internal development platforms secure, fast, and trusted.
Sam Katzen, Staff Product Marketing Manager, and Matt Stead, Marketing
- Engineering
A Gift for the Open Source Community: Chainguard’s CVE-Free Raspberry Pi Images (Beta)
Chainguard has created the first-ever CVE-free, vulnerability-free Raspberry Pi image. Learn more about how it works and what makes this special.
Dustin Kirkland, SVP of Engineering
- Engineering
How CTOs Can Justify Technology Investments to the Board
Learn how CTOs can tie technology investments to increasing revenue, speeding innovation, and reducing risk and cost to drive positive business outcomes.
Matt Moore, CTO and Co-founder
- Engineering
Guest Post: Resiliency by Design and the Importance of Internal Developer Platforms
Gaurav Saxena, a Director of Engineering at an automotive company, talks through how internal developer platforms are an important part of resiliency by design.
Gaurav Saxena, Director of Engineering, Automotive Company