A new Linux Foundation course on edX aims to teach the industry how to digitally sign software artifacts. Aimed at software developers as well as DevOps and security engineers, it focuses on using the Sigstore toolkit to secure the software supply chain.
Sigstore is really upping its game. Besides supporting new tools such as Gitsign, which I recently covered, it is producing announcements, consortia, and educational materials. The project clearly takes supply chain security seriously.
For those new to the concept, the desired outcome is to protect the software supply chain.
How can this be accomplished?
By signing each component of the chain, a product can prove its authenticity. This is what Sigstore enables: it lets software developers securely sign software artifacts such as release files, container images, and binaries. These signatures are then recorded in a tamper-proof public log, free of charge.
To this end, Sigstore publishes tools and runs the supporting infrastructure. The following tools are under the Sigstore umbrella:
- Fulcio, a certificate authority that issues short-lived signing certificates
- Rekor, the tamper-proof public log that records supply chain metadata
- Cosign, a tool for signing containers and blobs
- Gitsign, a tool that lets you sign your Git commits without managing a key, using your GitHub or other OIDC identity
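The tamper-proof log in the list above is the Sigstore component whose guarantee is easiest to misunderstand, so here is an added illustration of what it provides. This is my own code, not Sigstore's or Rekor's: a minimal append-only Merkle log using the RFC 6962 hashing convention (0x00 prefix for leaves, 0x01 for interior nodes) that Certificate Transparency style logs use, with inclusion proofs checked the way an RFC 9162 client does. The log entries, artifact names and signer identity are constructed samples, and `make_entry`, `SAMPLE_LOG` and `tamper_is_detected` are names I chose for the example.

```python
"""Added illustration of a transparency log: append-only Merkle tree with
inclusion proofs. Not Sigstore/Rekor code; the hashing follows RFC 6962."""
import hashlib
import json
from typing import List

LEAF_PREFIX = b"\x00"  # domain separation: a leaf can never be confused with a node
NODE_PREFIX = b"\x01"


def hash_leaf(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (the RFC 6962 tree shape)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries: List[bytes]) -> bytes:
    """Root hash of the whole log; changing any entry changes this value."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return hash_leaf(entries[0])
    k = _split_point(len(entries))
    return hash_node(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(entries: List[bytes], index: int) -> List[bytes]:
    """Sibling hashes from the leaf up to the root (the RFC 6962 audit path)."""
    if len(entries) == 1:
        return []
    k = _split_point(len(entries))
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_root(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_root(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Client-side check (RFC 9162 section 2.1.3.2): holding only the entry,
    its index, the tree size and a trusted root, confirm the log contains the
    entry without downloading the whole log."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = hash_leaf(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = hash_node(p, r)
            while not (fn & 1) and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            r = hash_node(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def make_entry(artifact: str, digest_hex: str, signer: str) -> bytes:
    """Constructed sample of what a log entry records: what was signed, by whom."""
    record = {"artifact": artifact, "sha256": digest_hex, "signer": signer}
    return json.dumps(record, sort_keys=True).encode()


# Constructed sample log of five signing events (not real Rekor entries).
SAMPLE_LOG = [
    make_entry(f"release-1.{i}.tar.gz",
               hashlib.sha256(f"build-{i}".encode()).hexdigest(),
               "maintainer@example.com")
    for i in range(5)
]


def tamper_is_detected(entries: List[bytes], index: int) -> bool:
    """A verifier keeps the root it trusted when the entry was logged. If the
    logged entry is later rewritten, the old proof no longer reaches that root."""
    root = merkle_root(entries)
    proof = inclusion_proof(entries, index)
    ok_before = verify_inclusion(entries[index], index, len(entries), proof, root)
    rewritten = entries[index].replace(b"maintainer@example.com", b"other@example.com")
    ok_after = verify_inclusion(rewritten, index, len(entries), proof, root)
    return ok_before and not ok_after


if __name__ == "__main__":
    print("log root:", merkle_root(SAMPLE_LOG).hex())
    print("rewrite of entry 2 detected:", tamper_is_detected(SAMPLE_LOG, 2))
```

The point of the construction is that "tamper-proof" means tamper-evident: the log operator can append, but cannot rewrite or drop an entry without changing the root hash that clients and monitors already hold, so a consistent, widely witnessed root is what verification actually rests on.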
But the tools mean nothing without documentation and training to apply them to real use cases. That is why the Linux Foundation, in partnership with Chainguard, has launched this new course. Note that the Foundation is very interested in software security in general, and also offers a three-course Professional Certificate on the fundamentals of secure software development on edX, which educates developers on:
the basics of secure software development. Aimed at software developers, DevOps professionals, software engineers, web application developers, and others who want to learn how to develop secure software, this course focuses on the practical steps that can be taken, even with limited resources, to improve information security.
Secure your software supply chain with Sigstore, on the other hand, is not about hardening your code but about hardening its supply chain. As such, this course targets software developers, DevOps engineers, security engineers, software maintainers, and related roles. Accordingly, you will need to be comfortable with the Linux terminal and command-line tools, and have some knowledge of cloud computing and DevOps concepts.
It starts by teaching you the basics, such as what software supply chain security is, and defines key terms and concepts such as SLSA and SBOM. By the end, through hands-on labs and sample code, you will have learned how to set up your own Sigstore Rekor server.
The program is as follows:
- Chapter 1. Introducing Sigstore
- Chapter 2. Cosign: signing, verifying, and storing containers in an OCI registry
- Chapter 3. Fulcio: a new type of root CA for code signing
- Chapter 4. Rekor: Software Supply Chain Transparency Log
- Chapter 5. Sigstore: Using Tools and Getting Involved in the Community
The course is self-paced and typically takes 7 weeks if you commit 1-2 hours per week. It is free to audit; if you want to take the graded assignments and exams and earn a certificate, the optional upgrade costs $149. We have repeatedly reported that earning a certification is likely to improve your career prospects, and also that employers, eager to hire and retain those with open source skills, are increasingly willing to pay for course completion. Choosing the Verified Track option also gives you unlimited access to the course, whereas you only have about 8 weeks on the free audit track.
In summary, this is a first-class opportunity to become part of the software delivery ecosystem by learning how to strengthen it.