Would you make a sandwich with lettuce or tomatoes you picked up off the street? For most people, we hope, the answer is "no". We like to know that our ingredients are clean, who produced them and whether they're safe to eat. Today many of us build software with third-party packages, but either there isn't enough metadata or we're all too lazy to determine if they're truly safe to use. We risk accidentally shipping broken, vulnerable or dangerous software through compromised credentials, dependency confusion attacks or any of the many other techniques malicious actors have at their disposal.
Sigstore, an OpenSSF project to make cryptographic signing of artifacts easy to do and to verify, is a core part of solving the dependency trust problem. In this talk, given by two of the sigstore-java maintainers, we will introduce you to the Sigstore project and its use with Maven Central. We'll show how you, as a producer or consumer of Maven Central artifacts, can use Sigstore to sign and verify your artifacts and protect yourself and your users from malicious software supply chain attacks.
Appu is a Software Engineer on the Google Open Source Security Team (GOSST) with a focus on securing the open source software supply chain. He has no actual ghost busting abilities, but has a decade of experience in Java developer tooling.
Patrick Flynn works on software supply chain security for Chainguard. Prior to Chainguard, Patrick worked at Google, where he was the TL of notable products like reCAPTCHA and Cloud Code, as well as leading Google Cloud's Java Tools team that built Jib (the Java container image builder).