Securing the Software Supply Chain with the in-toto and SPIRE projects - Cole Kennedy & Mikhail Swift, BoxBoat Technologies
Abstract
A software supply chain is the set of steps required to test, build, deploy, and assure a software release. Verification of the build policy through a cryptographically attestable process is required to give consumers of software artifacts the confidence to install software releases on mission-critical systems. In this talk, we will discuss the current gaps in the open-source ecosystem and demonstrate a cryptographically attestable software pipeline with automated certificate issuance.