What Does Rugby Have To Do With Sigstore?
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Subtitle |
| |
| Title of Series | ||
| Number of Parts | 542 | |
| Author | ||
| Contributors | ||
| License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/61968 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
FOSDEM 2023137 / 542
2
5
10
14
15
16
22
24
27
29
31
36
43
48
56
63
74
78
83
87
89
95
96
99
104
106
107
117
119
121
122
125
126
128
130
132
134
135
136
141
143
146
148
152
155
157
159
161
165
166
168
170
173
176
180
181
185
191
194
196
197
198
199
206
207
209
210
211
212
216
219
220
227
228
229
231
232
233
236
250
252
256
258
260
263
264
267
271
273
275
276
278
282
286
292
293
298
299
300
302
312
316
321
322
324
339
341
342
343
344
351
352
354
355
356
357
359
369
370
372
373
376
378
379
380
382
383
387
390
394
395
401
405
406
410
411
413
415
416
421
426
430
437
438
440
441
443
444
445
446
448
449
450
451
458
464
468
472
475
476
479
481
493
494
498
499
502
509
513
516
517
520
522
524
525
531
534
535
537
538
541
00:00
Menu (computing)Right angleSign (mathematics)6 (number)Medical imagingSoftwareMultiplication sign
01:38
Software developerSystem programmingPoint cloudOpen sourceComputer-generated imageryRun time (program lifecycle phase)ChainSource codeEvent horizonIntegrated development environmentInformation securitySoftware frameworkCollaborationismLevel (video gaming)ChecklistData integritySoftwareGeometryDiagram6 (number)Similarity (geometry)Medical imagingComputer virusOpen sourceMereologyProjective planeElectronic mailing list
02:41
Information securityChainConnectivity (graph theory)Online helpGame theoryPosition operatorComputer animation
03:01
6 (number)BitComputer animation
03:13
Identity managementSoftwareComputer-generated imageryAutomationProcess (computing)RootWeightDisk read-and-write headMotion capturePublic key certificateLink (knot theory)Formal verificationSoftware developerPublic key certificateKey (cryptography)RootOrder (biology)6 (number)SoftwareLink (knot theory)Physical systemEncryptionField (computer science)Open sourceSoftware frameworkInformationPosition operatorTheory of relativityIdentity managementPerspective (visual)AuthorizationStreaming mediaYouTubeRange (statistics)NP-hardDependent and independent variablesSoftware maintenanceMetadataClient (computing)Hash functionTrigonometric functionsSign (mathematics)Game theoryCodeFreewareMedical imagingElectric generatorBitSoftware developerIntegrated development environmentUsabilityToken ringChainInternet service providerSlide ruleWeightElectronic signatureFamilyAdditionConfiguration spaceComputer animation
Transcript: English(auto-generated)
00:06
Be quiet. This is James Strong and Lewis Denham. What else do we have to do with the 6th store?
00:20
Hello everyone. My name is James Strong and we're going to talk about rugby and 6th store today. But something really interesting is happening today right now. So Seven Nations started today and Wales and Ireland are playing. What's the score right now, Lewis? I think we should concentrate on the talk. I think it would be most enjoyable. Last time we checked it was 3.27 Ireland. Where are you from? Wales.
00:43
Anyway, awesome. So like I said, my name is James Strong. I'm a Solutions Architect at ChainGuard. I do a bunch of stuff with networking and Kubernetes. And if you're here to win the book, meet me outside afterwards. If you sign a container image during the talk and come hang out with me, I've got five copies of my book.
01:01
So sign your container images, everyone. And if I broke your Ingress Engine X release on Thursday, I apologize. Please don't come outside and hang out with me. Hi everyone. I'm Lewis. I'm similar to James in ways, not in others. As well as being at ChainGuard, I'm the coach for Rubina Squirrel's Underage Rugby team.
01:24
That's why you're listening today to a talk about 6th store and rugby from myself. If you won't mind keeping the score away from me, we're Wales versus Ireland right now. That would be beneficial for my own sanity. So at ChainGuard, we support a lot of open source projects.
01:42
We're talking today about 6th store, but we're also part of Salsa, doing some assessments here. We've got Tekton, Knative, OpenSSF, and Disreverse. Does anybody use any or all of those? I do. There's a couple on there that aren't listed. Like I said, Ingress Engine X, ChainGuard supports me to support Ingress.
02:02
We also have our own container image out there. It's called Wolfie. You can check that out, wolfie.dev. Like I said, we're going to talk about 6th store and rugby today. Okay, so who here has heard of 6th store prior to walking into this room? Okay, we've got a couple. Thank you for coming. Who here has heard of rugby today prior to coming into this room?
02:22
Yes, hello. So when we submitted this talk, James found this very special diagram. And when we zoom in, we can see the similarities between 6th store and rugby for this talk. Incidentally, this lasts about 22 minutes, hence why we've had such a long introduction.
02:41
So what do people think rugby is? It's really not doing a haka. It looks cool and intimidates your opponents, but that's not really what it is. It's a very difficult game with highly specialized positions. And it was required to help everyone work together to achieve a goal. And that's really what we think 6th store is and what we want to talk about. So there's lots of components about it, and we think that 6th store is tackling supply chain security.
03:04
And we're going to talk about how, why, and hopefully make it fun along the way. And learn a little bit about rugby and 6th store, and probably a lot about neither. So why is 6th store tackling supply chain security? It has started to improve the supply chain technology that we all use.
03:21
It's made by open source maintainers for open source maintainers. A lot of you may not be aware, but a lot of things are being signed right now. So thank you to Adolfo there from SigRelease for signing all of the Kubernetes releases with 6th store. Thank you. That was a lot of hard work. I know PyPy, a lot of package maintainers are going to be supporting that.
03:41
I know Maven, so there's a lot of people that are using 6th store. You might not even be aware that you're using it. But it's a direct response to some of the challenges that are there right now. So who here has had someone else sign their GPG key? Been through a signing party? Two, three people? Four? Okay.
04:01
I was really glad not everyone shot their hand up, because that would have been really fun. Anyway, we're going to talk about how we're going to be doing that. Not knowing where your software comes from, and without having identity checks and safety protocols, we're leaving it open to exploits and attacks.
04:22
So 6th store attempts to make software and their infrastructure frictionless and invisible. And as James just mentioned, we're integrated with a wide range of systems.
05:05
...to an identity and know where it came from and who made that piece of software. And just like in 6th store, Rugby also has lots of positions that are available, highly specialized. I play a hooker. That's much different than what a fullback would do.
05:22
We all have different responsibilities to be able to win the game. So we're going to tie those two together. I'm going to start off at the very top of the play. So we're going to talk about trust roots. So with signing, it requires trust. So knowing who is making available this piece of software.
05:43
So think of it from a PKI perspective. We have a root of trust in SSL certificates. What we're also trying to accomplish with 6th store is that same root of trust. So think of automated software for SSL certificates.
06:02
I was thinking of Johnny Sexton. Oh, Johnny Sexton. That's not the answer. But think of it from that perspective. So 6th store has a root of trust. It was initialized with TUF, so the updated framework. Let's Encrypt. Let's Encrypt. Thank you. Thank you for that. Let's Encrypt. Think about 6th store as Let's Encrypt for software signing artifacts. Making it easy and transparent for everyone to use.
06:22
So the fly half is a very influential player on the field. And in order to start that root of trust, we have to have that trust there. So there's a bunch of links there. We actually did a live stream of the 6th store key signing. If you want to figure out how they initialized that and did all that work, that's a great YouTube video from that.
06:42
So going from the fly half to the loose head, from a play perspective, they're going to be the certificate authority. So now we've got our root of trust. We have our certificate authority to be able to produce those certificates to sign those artifacts. So a lot of responsibility is on the CA from that perspective.
07:01
And of course, being a loose head, you carry a lot of weight on the team. You're very important into the scrum. So again, very important position on the team. So OIDC allows us to identify the end user. We obtain some basic information about the user and Falsio uses OIDC to authenticate requests.
07:22
Subject related claims can be extracted and included on the certificate. 6th store runs a federated OIDC identity provider in DEX, which creates a DEX OIDC token from the original OIDC. Falsio supports OIDC from additional configured users, issuers, sorry, as we can see from the screenshot.
07:42
And the player that we selected for this was Martin Casio Giovanni. Does anyone know if Martin Casio Giovanni? No? Okay, well, there's something learned today. He's a massive identity within the Italian game, even though he's originally from Argentina. And the reason I selected him is because you can identify him because of his sleeve with all the identities of his family members on his arm.
08:02
Next slide. And so now we've come to Falsio. Falsio is the API that drives all of this, that ties the OIDC and the certificate authority together. So when you're making a request to get a signing certificate, you're doing it through Falsio. And we put that together with the hooker. And yes, I was self-serving, that is me.
08:21
And do feel sorry for that guy. So Falsio is a free code signing certificate authority. Anyone can make a request to get a signing certificate, tie it to their identity, and make it available for everyone to verify. They are short-lived certificates, so that's going to come into play from another piece of technology perspective. We're going to talk a little bit more about that with ReCore.
08:44
So with ReCore, it provides the usability with ephemeral certificates. It's based on a Merkle tree, and it fulfills the transparency log, which means that it's searchable for all. So you can use that URL there to be able to search via your browser, or you can use ReCore CLI to be able to search. So for this one, I'm looking towards Martin Johnson.
09:01
Again, as a Welsh person, for putting all these names out is quite difficult for me. But Martin Johnson was a powerhouse for England. He was a captain who led them to numerous victories. But the reason why this is comparable to ReCore is he went on to a successful coaching career as well, providing insights for the next generation as to how to play the game. Yes, next slide, please.
09:23
So we want to take some time and talk a little bit about how a developer interacts with that. So when we think about it from a rugby perspective, the scrum half is the connector between the forwards and the backs from that perspective. And cosine is that glue that ties all of these pieces together.
09:41
Think of it like kubectl, right? You don't actually directly interact with the API. You do it through kubectl. Cosine is how you do that with Falsio and ReCore and the rest of the other SIG store environments. So you can actually sign and verify signatures. It also creates in total attestation. So if you wanted to generate and sign other metadata about your container images,
10:03
maybe how many CVEs are in it, if you're generating an SBALM, things like that, other metadata, you can make available, sign it, and store it with the container. All of that can be done through cosine. And we're not talking about just container images as well. That's where it's highly targeted right now, but you can also sign other pieces of information.
10:21
So when I send, as for fun, when I send documents to clients nowadays, I also sign it and it generates the hash of the document and the signature and they know that that document came from me. So it's basically a free DocuSign. So this is Gareth Edwards. He was an influential player in the 70s, played 88 consecutive games for Wales,
10:43
and one of the key reasons to our success in the 70s, not so much in the 2020s. And yes, Scrum Half is instrumental in communicating between the backs and the forwards within a game, which I can also see with cosine. Not necessarily cosine in rugby, but yes, next slide.