Supply Chain Security with sigstore ⛓

This week, we have a new episode of the Kubelist Podcast with Dan Lorenc to talk about sigstore. Supply chain attacks and security are a hot topic, but Dan has been thinking about and working on them for a while.

Issue #139

The project starts here. This is the sigstore site that contains all three projects: Cosign, Rekor, and Fulcio. We talk about each of these projects on the podcast this week, but there’s a lot more detail on the site, including how to get started.

Many of us in the Go community use GoReleaser to create our releases and container images. Fresh off the press, GoReleaser v0.176.0 has native support for using cosign to sign container images. This is going to make it much easier to start shipping signed images! 🖊

Mentioned on the podcast this week, the SLSA framework is a great tool to measure your organization’s progress toward building a secure supply chain. Wherever you are today, this framework can help you score your current state, set a goal, and then hopefully reach it, so that you start consuming bits from a more secure supply chain. 🧰️ 🔗

A great whitepaper from the tag-security team covers supply chain security and much more for those of us writing and running Kubernetes applications. It is full of useful information for anyone running a K8s cluster. 🔐

Priya was on the Kubernetes Podcast recently to talk about some of the same topics Dan discussed on the Kubelist Podcast today. Priya shared more detail on the SLSA framework, among other topics, and this is a great episode to listen to. 🔒 ⛓

Another recent podcast with Dan comes from our friends over at Reblaze, the makers of Curiefence. Dan has a lot to offer on the topic of supply chain security, so we wanted to make sure everyone saw this episode too!

Supply Chain Sunday, from our guest this week! This is a good article that helps explain some of the concepts in supply chain security, and it is full of fun puns!