Software artifacts go through a production lifecycle, and for security purposes it is important to have visibility into that lifecycle. Digests (hashes) are used to verify the integrity of files. Asymmetric cryptography is the basis of trust on the internet. Mechanisms like signatures and provenance attestations help ensure a trusted origin for software artifacts. The SLSA project provides a standardized schema for provenance attestations. Sigstore simplifies software signatures and provides a tamper-proof paper trail for artifacts.
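As an added illustration of how a digest ties an artifact to a provenance attestation (example code written for this summary, not code from the github.blog post, SLSA or Sigstore), the block below builds a minimal in-toto Statement with a SLSA v1 provenance predicate, shows the DSSE pre-authentication encoding that a signer such as Sigstore actually signs, and checks an artifact against the statement's subject digest. The builder id, build type and source URI are hypothetical placeholders; the signature step itself is left to the signing tool and is not shown.

```python
import hashlib
import json

# Public schema identifiers for in-toto Statement v1 and SLSA provenance v1.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def sha256_hex(data: bytes) -> str:
    """The digest an attestation's subject is bound to (not the file name)."""
    return hashlib.sha256(data).hexdigest()


def make_provenance_statement(name: str, artifact: bytes, builder_id: str, source_uri: str) -> dict:
    """Build an in-toto Statement carrying a minimal SLSA v1 provenance predicate.
    builder_id and source_uri are hypothetical values supplied by the caller."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.com/hypothetical/build-type",  # placeholder
                "externalParameters": {"source": source_uri},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a signer signs, so the
    payload type cannot be swapped without invalidating the signature."""
    return b" ".join([
        b"DSSEv1",
        str(len(payload_type)).encode(), payload_type.encode(),
        str(len(payload)).encode(), payload,
    ])


def verify_subject(statement: dict, artifact: bytes) -> bool:
    """After the envelope signature has been verified, confirm the artifact in
    hand is one of the statement's subjects; any modified byte fails this check."""
    if statement.get("_type") != STATEMENT_TYPE:
        return False
    actual = sha256_hex(artifact)
    return any(s.get("digest", {}).get("sha256") == actual for s in statement.get("subject", []))


if __name__ == "__main__":
    artifact = b"constructed artifact contents"  # constructed sample input
    stmt = make_provenance_statement("app.tar.gz", artifact,
                                     "https://example.com/hypothetical-builder",
                                     "git+https://example.com/org/repo")
    payload = json.dumps(stmt, separators=(",", ":")).encode()
    print(dsse_pae(DSSE_PAYLOAD_TYPE, payload)[:60])
    print(verify_subject(stmt, artifact), verify_subject(stmt, artifact + b"!"))
```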

From github.blog