Yogesh Hegde
Yogesh Hegde is an Embedded Linux enthusiast with 8 years of experience building custom Linux systems for IoT and edge devices. He works extensively with Yocto, kernel development, and edge AI. Yogesh is passionate about open source and enjoys mentoring engineers and building efficient systems for constrained hardware.
Session
The EU Cyber Resilience Act (CRA) and U.S. Executive Order 14028 have transformed Software Bills of Materials (SBOMs) from optional documentation into mandatory compliance artifacts. However, most Yocto-based projects generate SBOMs without cryptographic signatures, leaving them open to tampering that could be used to bypass security reviews. An unsigned SBOM provides transparency, but not integrity or authenticity.
This talk introduces a drop-in Yocto layer that automatically signs every generated SBOM using Cosign (from the Sigstore project) and enables downstream users, customers, and auditors to cryptographically verify SBOM authenticity. Developers simply add the layer and configure a signing key; every image build then produces a signed SBOM alongside the standard artifacts. The solution integrates seamlessly with existing workflows and requires no changes to application code.
Attendees will learn how to implement end-to-end SBOM signing in their Yocto projects and how to provide customers with cryptographic proof that their SBOMs are authentic and unmodified.
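As an added illustration of the mechanism the abstract describes (this is not the speaker's layer or any project's code), the following sketch shows the shape a Yocto class could take: it hooks a signing task after the image SBOM is produced, signs the SBOM with `cosign sign-blob`, and fails the build if the detached signature does not verify. Everything named here is an assumption for the example: the class name `sbom-sign.bbclass`, the variables `SBOM_SIGN_KEY`, `SBOM_VERIFY_KEY`, `SBOM_FILE` and `SBOM_SIG`, the task `do_sign_sbom`, and that the image SBOM is written by a `create-spdx` class task called `do_create_image_spdx` as `${IMAGE_LINK_NAME}.spdx.json` under `DEPLOY_DIR_IMAGE` (task and file names differ between Yocto releases, so check the tree you build from).

```bitbake
# sbom-sign.bbclass (hypothetical class written for this example)
#
# Usage, in local.conf:
#   INHERIT += "create-spdx"
#   IMAGE_CLASSES += "sbom-sign"
#   SBOM_SIGN_KEY = "/run/secrets/cosign.key"
#   SBOM_VERIFY_KEY = "/run/secrets/cosign.pub"
# and in the shell that launches bitbake (never in a .conf file):
#   export BB_ENV_PASSTHROUGH_ADDITIONS="COSIGN_PASSWORD"
#   export COSIGN_PASSWORD='<key passphrase>'
#
# A customer later checks the shipped pair with the public key only:
#   cosign verify-blob --insecure-ignore-tlog --key cosign.pub \
#       --signature <image>.spdx.json.sig <image>.spdx.json

# Private key used for signing. Keep it out of the layer and out of git;
# point at a file the build host or a CI secret mount provides.
SBOM_SIGN_KEY ?= "${TOPDIR}/keys/cosign.key"
# Matching public key, used to self-check the signature at build time.
SBOM_VERIFY_KEY ?= "${TOPDIR}/keys/cosign.pub"

# SBOM produced by create-spdx (assumed location) and the signature we emit.
SBOM_FILE ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json"
SBOM_SIG ?= "${SBOM_FILE}.sig"

# cosign comes from the build host; allow it into the task sandbox.
HOSTTOOLS += "cosign"

# cosign reads the key passphrase from COSIGN_PASSWORD; export it to the
# task environment, but exclude it from the task signature so the secret
# never lands in sigdata files or the sstate hash.
export COSIGN_PASSWORD
do_sign_sbom[vardepsexclude] += "COSIGN_PASSWORD"

# Re-run the task when the key is rotated, not only when the SBOM changes.
do_sign_sbom[file-checksums] += "${SBOM_SIGN_KEY}:True"

do_sign_sbom() {
    if [ ! -f "${SBOM_FILE}" ]; then
        bbfatal "No SBOM at ${SBOM_FILE}; inherit create-spdx before sbom-sign"
    fi
    if [ ! -f "${SBOM_SIGN_KEY}" ]; then
        bbfatal "Signing key ${SBOM_SIGN_KEY} missing; refusing to ship an unsigned SBOM"
    fi

    # Detached signature over the exact SBOM bytes. --tlog-upload=false keeps
    # the build offline (no Rekor entry); drop it if you want transparency-log
    # inclusion, and then drop --insecure-ignore-tlog from the verify step too.
    cosign sign-blob --yes --tlog-upload=false \
        --key "${SBOM_SIGN_KEY}" \
        --output-signature "${SBOM_SIG}" \
        "${SBOM_FILE}"

    # Verify what was just produced with the public key only. If this fails
    # here, a customer would hit the same failure later, so fail the build now.
    cosign verify-blob --insecure-ignore-tlog \
        --key "${SBOM_VERIFY_KEY}" \
        --signature "${SBOM_SIG}" \
        "${SBOM_FILE}"
}
addtask sign_sbom after do_create_image_spdx before do_build
```

The build-time self-verification is the check worth keeping: it catches a wrong or rotated key pair, or an SBOM rewritten between generation and signing, at the point where the image is produced rather than at the auditor's desk. The signature is only as trustworthy as the private key's handling, so the example deliberately reads the key from a path outside the layer and keeps the passphrase out of BitBake's variable hashes.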