Config Management Camp 2023 Ghent

Demystifying Code signing and its role in DevSecOps
2023-02-07, 14:50–15:15, B.3.037

The Solarwinds hack made headlines by directly attacking the software supply chain. To mitigate such attacks in the future we need an automated approach to digitally signing and checking software components that verify the origins and authenticity of the software. The purpose of this talk is to introduce the audience to Code signing, its role in DevSecOps and get familiar with the sigstore project.

Code signing is extremely important when it comes to the development, distribution and utilization of software, especially Open source software. In spite of developers realizing its importance they often struggle with implementation due to its complexity and inefficiency. In this talk, we will look at what role Code signing plays in DevSecOps, what have been the traditional challenges when implementing it. Next we will introduce the sigstore project and how it aims to be the standard for signing, verifying and protecting software and why developers should be using it. This talk is targeted towards Beginner and Intermediate developers who are interested in DevSecOps and specifically Code Signing.


1) Quick intro to DevSecOps
2) Introduction to Code signing and its purpose
3) Role of Code signing in DevSecOps
4) Past challenges in implementation of Code signing
5) Introduction to sigstore project
6) Purpose of sigstore and how it can help developers

Towards the end of the talk, the audience can relate to the challenges that code signing, verification presents to the developers and get introduced to the sigstore project as one of the possible solutions for it. In addition they will understand basics of how sigstore works, how it can possibly interoperate with other DevOps tooling and its benefits.

See also: Slides

Gaurav is a seasoned Software Engineering professional, currently working as a Senior Product Security Architect at Red Hat. His primary interests are Security, Linux, Malware. He loves working on the command-line and is mostly interested in low-level software and understanding how things work.