2024-11-16 –, LT9
Language: Chinese
Organizations face the challenge of ensuring that the container image they deploy is exactly what was produced in development, and that nothing has changed before it runs in production. Cryptographically signing container images lets consumers verify the integrity of an image and confirm that it has not been tampered with since it was created. Verifying the image signature also confirms that the image was published by the expected software producer, whose identity was certified at the moment of signing.
In this presentation, I will use the open source project Sigstore, a cryptographic signing tool for improving software supply chain security. The Sigstore framework enables software developers and consumers to securely sign and verify software artifacts. Signatures are generated with ephemeral signing keys, so there is no need to manage keys. Signing events are recorded in a tamper-resistant public log, so software developers can audit them.
Frankie Ng - Associate Principal Solution Architect
Frankie Ng is an IT professional focusing on open source technology. Frankie has years of experience in IT infrastructure, automation, IaaS and cloud. He believes that open source, sharing and community are the keys to technology innovation.
Frankie joined Red Hat in 2016 as a Solution Architect covering Hong Kong and Taiwan. He has helped enterprises drive digital transformation projects, including hybrid cloud strategy, DevOps and container adoption, and IT automation.