Transparency.dev Summit
End-to-End Transparent Package Registries

Over the last couple of years, we’ve seen signed provenance adopted by package registries to provide authenticity and integrity for artifacts, with transparency logs used to record signatures for discoverability of key and identity usage. How can we further leverage transparency to protect all parties involved in the production of software, adding transparency for producers, consumers and distributors?

This talk will delve into software supply chain security for package registries, applying transparency systems to secure publication and distribution. We’ll discuss points of compromise along the software development lifecycle, such as a compromised registry and the risk of compromised user accounts, and propose leveraging binary transparency systems to mitigate these risks. Transparency systems will be used to secure publication with signed artifacts and to provide verification policies that map keys and identities to their artifacts. Registries will host binary transparency logs that record package publications, giving consumers a consistent view of the registry and a verifiable lookup for package versions. As we scale up the number of transparency logs, so too must we scale up monitoring, so we’ll wrap up by discussing strategies for claim verification.
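As an added example (not code from the talk, from Sigstore, or from any registry), the following Python sketch puts the pieces of the proposed design together: the registry appends one leaf per package publication to an append-only Merkle log (RFC 6962 hashing), a consumer performs a verifiable lookup of a package version and checks the returned inclusion proof (RFC 9162 verification), a verification policy maps a signing identity to a package, and a monitor replays the log to flag publications whose identity violates that policy, which is how a compromised maintainer account would surface. Every package name, version, digest, identity and the policy itself are constructed for illustration. The example assumes the consumer already holds a trusted checkpoint (tree size and root hash) for the log; consistency proofs between successive checkpoints, which establish the consistent view, are not part of this example.

```python
"""Toy binary transparency log for package publications (constructed example)."""
import hashlib
from dataclasses import dataclass

# RFC 6962 Merkle hashing: leaf and interior-node hashes are domain-separated.
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

@dataclass(frozen=True)
class Publication:
    package: str
    version: str
    digest: str    # hex digest of the artifact
    identity: str  # signing identity (e.g. an OIDC subject) bound to the artifact

    def encode(self) -> bytes:
        return "\x00".join((self.package, self.version, self.digest, self.identity)).encode()

class BinaryTransparencyLog:
    """Append-only log hosted by the registry; one leaf per package publication."""
    def __init__(self):
        self.entries, self.leaves = [], []

    def append(self, pub: Publication) -> int:
        self.entries.append(pub)
        self.leaves.append(leaf_hash(pub.encode()))
        return len(self.leaves) - 1

    def checkpoint(self):
        """(tree size, root hash) that a consumer pins before looking anything up."""
        return len(self.leaves), self._mth(self.leaves)

    def _mth(self, leaves):  # Merkle tree hash, RFC 6962 section 2.1
        if len(leaves) == 1:
            return leaves[0]
        k = _split(len(leaves))
        return node_hash(self._mth(leaves[:k]), self._mth(leaves[k:]))

    def _path(self, m, leaves):  # inclusion (audit) path for leaf m, RFC 6962 section 2.1.1
        if len(leaves) == 1:
            return []
        k = _split(len(leaves))
        if m < k:
            return self._path(m, leaves[:k]) + [self._mth(leaves[k:])]
        return self._path(m - k, leaves[k:]) + [self._mth(leaves[:k])]

    def lookup(self, package, version):
        """Verifiable lookup: (index, entry, inclusion proof) for a package version, or None."""
        for i, e in enumerate(self.entries):
            if (e.package, e.version) == (package, version):
                return i, e, self._path(i, self.leaves)
        return None

def verify_inclusion(data, index, size, proof, root):
    """RFC 9162 section 2.1.3.2: is `data` the leaf at `index` of the tree of `size` with `root`?"""
    fn, sn, r = index, size - 1, leaf_hash(data)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn & 1 == 0 and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

# Verification policy (constructed): the one identity allowed to publish each package.
POLICY = {"leftpad": "maintainer@example.com", "colors": "ci@colors.example"}

def verify_download(entry, index, proof, checkpoint, policy=POLICY):
    """Consumer side: the version must be in the pinned log AND signed by the policy's identity."""
    size, root = checkpoint
    if not verify_inclusion(entry.encode(), index, size, proof, root):
        return "not in log"
    if policy.get(entry.package) != entry.identity:
        return "identity not allowed by policy"
    return "ok"

def monitor(log, policy=POLICY):
    """Monitor side (claim verification): replay every entry, flag package/identity mismatches."""
    return [(i, e.package, e.version, e.identity) for i, e in enumerate(log.entries)
            if e.package in policy and policy[e.package] != e.identity]

def build_sample_log():
    """Constructed publications; the fourth models a publish from a compromised account."""
    log = BinaryTransparencyLog()
    for pub in [("leftpad", "1.0.0", "aa" * 32, "maintainer@example.com"),
                ("colors", "2.1.0", "bb" * 32, "ci@colors.example"),
                ("leftpad", "1.0.1", "cc" * 32, "maintainer@example.com"),
                ("leftpad", "1.0.2", "dd" * 32, "attacker@evil.example"),
                ("colors", "2.1.1", "ee" * 32, "ci@colors.example")]:
        log.append(Publication(*pub))
    return log
```

Usage: `log = build_sample_log(); cp = log.checkpoint(); i, e, proof = log.lookup("leftpad", "1.0.2"); verify_download(e, i, proof, cp)` returns `"identity not allowed by policy"`, while `monitor(log)` reports the same entry independently of any download. The two checks are deliberately separate: the consumer-side policy protects someone who fetches the bad version, whereas the monitor is what lets the maintainer discover the publication at all, which is the point of recording publications in a log rather than only signing them.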


Speaker

Hayden Blauzvern is a technical lead manager on Google’s Open Source Security Team, focused on making open-source software more secure through code signing and binary transparency. Hayden is a maintainer and the community chair on the Sigstore project.