Securing the Supply Chain with Sigstore Artifacts Signatures at Scale - Dmitry Savintsev & Yonghe Zhao, Yahoo


Abstract

An exploration into Yahoo’s year-long integration journey of Sigstore, enhancing Supply Chain Security through verifiable “certificates of origin” for artifacts. Despite the challenges of scaling Sigstore in a high-traffic environment, the Paranoids — Yahoo’s information security organization — successfully secured around 60,000 daily builds, spanning 700 clusters and 100,000 pods. Join us as we:

* Showcase the image signing and verification process, sharing insights from our experiences. Learn about the enhancements we implemented in Sigstore and cosign to achieve an “enterprise-grade” deployment at Yahoo’s scale.
* Delve into how we adapted these components to Yahoo’s corporate environment, where we have our own certificate authority and identity provider (Athenz).

Attendees will leave this session with the knowledge to seamlessly implement Sigstore in their Continuous Integration (CI) pipelines, customized to their specific components and enterprise architecture.
