LinuxFoundationX: Securing Your Software Supply Chain with Sigstore

Gain the knowledge and skills necessary to secure the integrity of your software by leveraging the Sigstore toolkit, a free and open source project that offers automated signing and verification across release files, container images, binaries, bill of material manifests, and more.

Securing Your Software Supply Chain with Sigstore
7 weeks
1–2 hours per week
Self-paced
Progress at your own speed
Free
Optional upgrade available

There is one session available:

After a course session ends, it will be archived.
Starts Mar 28
Ends Apr 17

About this course

Building and distributing software that is secure throughout its entire lifecycle can be challenging, leaving many projects unprepared to build securely by default. Attacks and vulnerabilities can emerge at any step of the chain, from writing to packaging and distributing software to end users. Sigstore is one of several innovative technologies that have emerged to improve the integrity of the software supply chain, reducing the friction developers face in implementing security within their daily work.

This course is designed with end users of Sigstore tooling in mind: software developers, DevOps engineers, security engineers, software maintainers, and related roles. To get the most out of this course, you will need to be familiar with Linux terminals and command-line tools. You will also need intermediate knowledge of cloud computing and DevOps concepts, such as using and building containers and CI/CD systems like GitHub Actions.

This course will introduce you to Cosign, Fulcio, and Rekor, the tools under the Sigstore umbrella, explaining how they support a more secure software supply chain. You will learn how to employ these tools throughout your software development, testing, and distribution processes. Additionally, those who use or implement your software will be able to verify its authenticity through tamper-resistant public logs.

Upon completing this course, you will be able to inform your organization’s security strategy and build software more securely by default.

At a glance

  • Institution: LinuxFoundationX
  • Subject: Computer Science
  • Level: Introductory
  • Prerequisites:
    • Familiarity with using the command line
    • Intermediate knowledge of cloud computing and DevOps concepts, such as containers, CI/CD systems, GitHub Actions, etc.
    • Familiarity with using and building container images
  • Language: English
  • Video Transcript: English
  • Associated skills: Security Strategies, Software Development, Tooling, Linux, Packaging And Labeling, Vulnerability, Cloud Computing, Open Source Technology, Innovation, Supply Chain, Automation, Manifests, Command-Line Interface, Bill Of Materials, DevOps, Github

What you'll learn

  • Describe the components of Sigstore and how they support a more secure software supply chain.

  • Sign and verify software artifacts with Sigstore.

  • Understand how to implement Sigstore within the software development lifecycle.

  • Welcome!
  • Chapter 1. Introducing Sigstore
  • Chapter 2. Cosign: Container Signing, Verification, and Storage in an OCI Registry
  • Chapter 3. Fulcio: A New Kind of Root Certificate Authority For Code Signing
  • Chapter 4. Rekor: Software Supply Chain Transparency Log
  • Chapter 5. Sigstore: Using the Tools and Getting Involved with the Community
  • Final Exam (verified track only)

Who can take this course?

Unfortunately, learners residing in one or more of the following countries or regions will not be able to register for this course: Iran, Cuba and the Crimea region of Ukraine. While edX has sought licenses from the U.S. Office of Foreign Assets Control (OFAC) to offer our courses to learners in these countries and regions, the licenses we have received are not broad enough to allow us to offer this course in all locations. edX truly regrets that U.S. sanctions prevent us from offering all of our courses to everyone, no matter where they live.
