BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//yocto-embedded-recipes-2026//talk//QFK9UH
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-yocto-embedded-recipes-2026-QFK9UH@pretalx.com
DTSTART;TZID=CET:20260529T151000
DTEND;TZID=CET:20260529T154000
DESCRIPTION:The EU Cyber Resilience Act (CRA) and U.S. Executive Order 1402
 8 have transformed Software Bills of Materials (SBOMs) from optional docum
 entation into mandatory\ncompliance artifacts. However\, most Yocto-based 
 projects generate SBOMs without cryptographic signatures\, leaving them vu
 lnerable to tampering to bypass security\nreviews. An unsigned SBOM provid
 es transparency but not integrity or authenticity.\n\nThis talk introduces
  a drop-in Yocto layer that automatically signs every generated SBOM using
  Cosign (from the Sigstore project) and enables\ndownstream users\, custom
 ers\, and auditors to cryptographically verify SBOM authenticity. Develope
 rs simply add the layer and configure a signing key.\nEvery image build th
 en produces a signed SBOM alongside standard artifacts.\n\nThe solution in
 tegrates seamlessly with existing workflows and requires no changes to app
 lication code.\n\nAttendees will learn how to implement end-to-end SBOM si
 gning in their Yocto projects and provide customers with\ncryptographic pr
 oof that their SBOMs are authentic and unmodified.
DTSTAMP:20260530T105815Z
LOCATION:Mistral
SUMMARY:Securing the Software Supply Chain: Automated SBOM Signing in Yocto
  - Yogesh Hegde
URL:https://pretalx.com/yocto-embedded-recipes-2026/talk/QFK9UH/
END:VEVENT
END:VCALENDAR
