CloudNativeSecurityCon North America 2024

Have you heard of projects like Sigstore’s Cosign, Notation, The Update Framework (TUF), or in-toto before? What’s one thing they all have in common? They cryptographically sign things. In this talk there will be no explanations of elliptic curves, discussion about what prime numbers have to do with cryptography, or modular exponentiation. Instead, we’ll talk about how the above tools work from a practical perspective covering key algorithms, signing envelopes, certificates, and verification. First, we’ll take a brief look at the differences between signing and verification versus encryption and decryption. Building on this, we’ll look at the different design decisions made by Cosign, Notation, TUF, and in-toto’s Witness project. Finally, we’ll walk through the emerging trend of identity-based signing using short-lived keys and certificates, including verification of a signature using nothing besides the openssl and shasum CLI commands.