Good examples of role-based CI/CD approval process signing/key construction/verification
13 views
Skip to first unread message
Matt Rutkowski
Aug 19, 2021, 1:18:14 PM8/19/21
to The Update Framework (TUF)
TUF community,
I have scanned many videos found on youtube and elsewhere from conferences showing end-artifact/package manager signing, but would like to have one that goes back further to actual commits (committers) and artifacts produced along the CI/CD pipelines.
Anything at all in towards this use case realization would be appreciated.
Cheers,
Matt
PS TBH, I am looking to create even further processes for OSS clearance as well to prove pedigree and provenance as well before allowing packages to be brought into other projects as deps. ... but CI/CD is a starting point.
Santiago Torres Arias
Aug 19, 2021, 1:35:00 PM8/19/21
to Matt Rutkowski, The Update Framework (TUF)
Hi Matt.
I think in-toto (or a combination thereof) may be better suit for this.
I think Trishank may be able to elaborate on how he achieved this within
Datadog.
Cheers!
-Santiago
> --
> You received this message because you are subscribed to the Google Groups "The Update Framework (TUF)" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to theupdateframew...@googlegroups.com.
> To view this discussion on the web visit https://urldefense.proofpoint.com/v2/url?u=https-3A__groups.google.com_d_msgid_theupdateframework_4c2c7440-2D8a7f-2D4b86-2Dbfd5-2D9cdeba0738ffn-2540googlegroups.com&d=DwIBaQ&c=slrrB7dE8n7gBJbeO0g-IQ&r=yZMPY-APGKyVIX7HgQFZJA&m=9oCfxjO2tNnPGT3e_9wSnV84W_LkdEUoe_7B8U0to0s&s=mhJqi0-lyc-UNeTsB9FV2m0fxoR-DSkiTV9eGF3yIPo&e= .
I think in-toto (or a combination thereof) may be better suit for this.
I think Trishank may be able to elaborate on how he achieved this within
Datadog.
Cheers!
-Santiago
> You received this message because you are subscribed to the Google Groups "The Update Framework (TUF)" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to theupdateframew...@googlegroups.com.
> To view this discussion on the web visit https://urldefense.proofpoint.com/v2/url?u=https-3A__groups.google.com_d_msgid_theupdateframework_4c2c7440-2D8a7f-2D4b86-2Dbfd5-2D9cdeba0738ffn-2540googlegroups.com&d=DwIBaQ&c=slrrB7dE8n7gBJbeO0g-IQ&r=yZMPY-APGKyVIX7HgQFZJA&m=9oCfxjO2tNnPGT3e_9wSnV84W_LkdEUoe_7B8U0to0s&s=mhJqi0-lyc-UNeTsB9FV2m0fxoR-DSkiTV9eGF3yIPo&e= .
Trishank Kuppusamy
Aug 19, 2021, 2:04:36 PM8/19/21
to The Update Framework (TUF)
On Thursday, August 19, 2021 at 1:35:00 PM UTC-4 sant...@nyu.edu wrote:
I think in-toto (or a combination thereof) may be better suit for this.
I think Trishank may be able to elaborate on how he achieved this within
Datadog.
Matt, please see our blog post on how we secured our Agent integrations pipeline using TUF and in-toto to thwart MitM attacks anywhere between end-users and developers. Hope it helps. Let us know if you have questions!
Reply all
Reply to author
Forward
0 new messages