Training > Cybersecurity > Securing Your Software Supply Chain with Sigstore (LFS182x)
Training Course

Securing Your Software Supply Chain with Sigstore (LFS182x)

Building and distributing software that is secure throughout its entire lifecycle can be challenging, leaving many projects unprepared to build securely by default. Attacks and vulnerabilities can emerge at any step of the chain, from writing to packaging and distributing software to end users. Sigstore is one of several innovative technologies that have emerged to improve the integrity of the software supply chain, reducing the friction developers face in implementing security within their daily work.

Course Rating
4.7/5 Stars
Who Is It For

This course is designed with end users of Sigstore tooling in mind: software developers, DevOps engineers, security engineers, software maintainers, and related roles. To make the best of this course, you will need to be familiar with Linux terminals and using command line tools. You will also need to have intermediate knowledge of cloud computing and DevOps concepts, such as using and building containers and CI/CD systems like GitHub Actions.
read less read more
What You’ll Learn

This course will introduce you to Cosign, Fulcio, and Rekor, the tools under the Sigstore umbrella, explaining how they support a more secure software supply chain. You will learn how to employ these tools throughout your software development, testing, and distribution processes. Additionally, those who use or implement your software will be able to verify its authenticity through tamper-resistant public logs.
read less read more
What It Prepares You For

Upon completing this course, you will be able to inform your organization’s security strategy and build software more securely by default.
read less read more
Course Outline
Welcome to LFS182x!
Chapter 1. Introducing Sigstore
Chapter 2. Cosign: Container Signing, Verification, and Storage in an OCI Registry
Chapter 3. Fulcio: A New Kind of Root Certificate Authority For Code Signing
Chapter 4. Rekor: Software Supply Chain Transparency Log
Chapter 5. Sigstore: Using the Tools and Getting Involved with the Community
Final Exam (Verified Certificate track only)

Prerequisites
Lab exercises have been tested with the following environment details:

  • Labs will work on Linux and macOS
  • Administrative access to enable installing software
    • We are assuming a local machine, but these commands should work on a Linux cloud instance as well
  • Internet connection
  • We recommend at least 2GB of RAM and a 64-bit CPU. 
  • You should have the latest version of Docker and Docker Compose installed, and an account on Docker Hub. At the time of writing (June 2022), Docker Engine should be version 20.10 and Docker Compose should be version 2.6. If you are on macOS, you will need to use Docker Desktop; refer to the official documentation for your operating system to ensure that your system meets the necessary requirements. Docker Desktop should be version 4.8 or higher.
  • You should have the latest version of Go installed, at the time of writing this is 1.18 (June 2022).
Reviews
Sep 2022
Good overall introduction.
Sep 2022
The exposition was clear and easy to follow. Labs were well done.
Aug 2022
I liked the practical coverage and use cases, which were a great starting point using Sigstore internally.
Aug 2022
The right amount of technical and hands on material!
Aug 2022
The explanation about cosign and SBOM was awesome!
Jul 2022
Simple, well explained walk through of new security tools.