Good examples of role-based CI/CD approval process signing/key construction/verification


Matt Rutkowski

Aug 19, 2021, 1:18:14 PM8/19/21
to The Update Framework (TUF)
TUF community,

Looking for an example (or ref. implementation) of how TUF could be applied to DevSecOps roles as part of an automated CI/CD pipeline (à la Tekton), but inclusive of Committers/Owners and Release Managers.

I have scanned many videos found on youtube and elsewhere from conferences showing end-artifact/package manager signing, but would like to have one that goes back further to actual commits (committers) and artifacts produced along the CI/CD pipelines.

Anything at all towards realizing this use case would be appreciated.

Cheers,
Matt

PS TBH, I am also looking to create even further processes for OSS clearance, to prove pedigree and provenance before allowing packages to be brought into other projects as deps. ...  but CI/CD is a starting point.

Santiago Torres Arias

Aug 19, 2021, 1:35:00 PM8/19/21
to Matt Rutkowski, The Update Framework (TUF)
Hi Matt.

I think in-toto (or a combination thereof) may be better suited for this.
I think Trishank may be able to elaborate on how he achieved this within
Datadog.

Cheers!
-Santiago

Trishank Kuppusamy

Aug 19, 2021, 2:04:36 PM8/19/21
to The Update Framework (TUF)
On Thursday, August 19, 2021 at 1:35:00 PM UTC-4 sant...@nyu.edu wrote:

> I think in-toto (or a combination thereof) may be better suited for this.
> I think Trishank may be able to elaborate on how he achieved this within
> Datadog.

Matt, please see our blog post on how we secured our Agent integrations pipeline using TUF and in-toto to thwart MitM attacks anywhere between end-users and developers. Hope it helps. Let us know if you have questions!