Description
"How to Build and Ship More Secure Python Apps with Sigstore"
Software supply chain security is increasingly important to the open-source ecosystem, but the learning curve can be steep. Certificate authorities, transparency logs, keys, signing… and even keyless signing! What do these terms all mean, and how can a Python developer incorporate tools that make their projects more secure?
This talk will provide a high-level overview of the developer-first open-source project, Sigstore, within the Python context. We’ll go through each component of Sigstore, including how to sign a software artifact with Cosign, how Fulcio issues certificates, and finally how developers and end users alike can verify claims made on the Rekor public ledger. We’ll discuss how PyPI is leveraging Sigstore to help with verifying and trusting dependencies we all rely on. Finally, we’ll go through a demonstration of creating, publishing and signing a containerized Python app.
The audience will walk away with an understanding of how they can navigate software security more effectively and be better citizens of open source by implementing recommended security practices.
Speaker: Lisa Tagliaferri
Lisa Tagliaferri builds teams, technical resources, and open-source software in the tech startup space. Lisa is currently Head of Developer Education at Chainguard and an adjunct professor at Rutgers University. Lisa previously led the Developer Education teams at Sourcegraph and at DigitalOcean. Lisa has written popular open-access books and tutorials on Python, machine learning, Linux, and cloud infrastructure, drawing over 45 million global readers.