A new course from the Linux Foundation on the edX platform aims to educate the industry on how to digitally sign software artifacts. Targeted at both software developers and DevOps and security engineers, it focuses on using the Sigstore toolkit to secure the software supply chain.
Sigstore is really upping its game. Besides supporting new tools, like GitSign which I recently covered, it is producing announcements, consortiums and educational material. It really is taking supply chain security seriously.
For those still not aware of the concept, the desired outcome is to protect the software supply chain.
How can this be achieved?
By signing every component along the chain, a product can prove its authenticity. That is what Sigstore does: it empowers software developers to securely sign software artifacts such as release files, container images and binaries. These signatures are then stored in a tamper-proof public log – for free.
Towards that goal Sigstore releases tools and sets up the infrastructure. The following tools are under the Sigstore umbrella:
- a certificate authority for issuing signing certificates
- the tamper-proof public log for recording supply chain metadata
- a tool for signing containers and blobs
- a tool that allows you to sign your commits in a keyless fashion by using your GitHub / OIDC identity
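To show what "tamper-proof public log" means in practice, here is an added example (not code from the course, Sigstore or Rekor) of a simplified RFC 6962-style Merkle-tree log: a verifier holding only the published root can check that a signature record is in the log, and any altered record fails that check. The entries and signer identities are constructed; the real Rekor log uses the same Merkle principle but a different entry format and implementation.

```python
import hashlib
from typing import List, Tuple

def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962-style domain separation: leaves get a 0x00 prefix, inner nodes 0x01,
    # so an inner node can never be passed off as a log entry (or vice versa).
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(entries: List[bytes]) -> List[List[bytes]]:
    """Every level of the Merkle tree: level 0 is the leaf hashes, the last is the root."""
    level = [leaf_hash(e) for e in entries]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:              # odd count: the last node is carried up unchanged
            nxt.append(level[-1])
        level = nxt
        levels.append(level)
    return levels

def merkle_root(entries: List[bytes]) -> bytes:
    return build_levels(entries)[-1][0]

def inclusion_proof(entries: List[bytes], index: int) -> List[Tuple[bytes, str]]:
    """Sibling hashes from the leaf up to the root, tagged with the side they sit on."""
    proof = []
    for level in build_levels(entries)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):        # a carried-up node has no sibling at this level
            proof.append((level[sibling], "left" if sibling < index else "right"))
        index //= 2
    return proof

def verify_inclusion(entry: bytes, proof: List[Tuple[bytes, str]], root: bytes) -> bool:
    """Recompute the root from the entry and its proof; only the published root is trusted."""
    h = leaf_hash(entry)
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "left" else node_hash(h, sibling)
    return h == root

# Constructed sample entries standing in for signature records (artifact digest + signer).
LOG = [b"sha256:1111 app-v1.0.tar.gz signer=dev@example.com",
       b"sha256:2222 app:1.0 (container image) signer=dev@example.com",
       b"sha256:3333 app-v1.1.tar.gz signer=dev@example.com"]

def demo() -> Tuple[bool, bool]:
    root = merkle_root(LOG)                         # the value the log publishes
    genuine = verify_inclusion(LOG[1], inclusion_proof(LOG, 1), root)
    forged = LOG.copy()                             # someone rewrites the signer of entry 1
    forged[1] = b"sha256:2222 app:1.0 (container image) signer=mallory@example.net"
    tampered = verify_inclusion(forged[1], inclusion_proof(forged, 1), root)
    return genuine, tampered                        # (True, False)
```

Because every entry feeds into the root, changing a record after the fact produces a different root, which is exactly the mismatch a client comparing against the published root detects.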
But the tools mean nothing without documentation and training in applying them to real use cases. For that reason the Linux Foundation, in partnership with Chainguard, has launched this new course. Note that the Foundation is very interested in software security in general, and also offers a 3-course Professional Certificate In Secure Software Development Fundamentals on edX which educates developers in:
the fundamentals of developing secure software. Geared towards software developers, DevOps professionals, software engineers, web application developers, and others interested in learning how to develop secure software, this course focuses on practical steps that can be taken, even with limited resources, to improve information security.
Securing Your Software Supply Chain with Sigstore, in contrast, is not about strengthening your code, but about strengthening its supply chain. As such this course targets software developers, DevOps engineers, security engineers, software maintainers, and related roles. You will need to be familiar with Linux terminals and command line tools and have knowledge of cloud computing and DevOps concepts.
It starts by teaching you the basics such as: “What is Software Supply Chain Security?” and defines key terms and concepts like SLSA and SBOM. By the end, you’ll have learned how to set up your own Sigstore Rekor server with hands-on labs and code examples.
The syllabus is as follows:
- Chapter 1. Introducing Sigstore
- Chapter 2. Cosign: Container Signing, Verification, and Storage in an OCI Registry
- Chapter 3. Fulcio: A New Kind of Root Certificate Authority For Code Signing
- Chapter 4. Rekor: Software Supply Chain Transparency Log
- Chapter 5. Sigstore: Using the Tools and Getting Involved with the Community
The course is self-paced and typically requires 7 weeks to complete if dedicating 1–2 hours per week to it. While it is free to audit, if you want to engage in the graded assignments and exams and earn a certificate there is an optional upgrade costing $149. We have repeatedly reported that gaining certification is likely to enhance your career prospects and also that employers, keen to hire and retain those with open source skills, are increasingly willing to pay for course completion. Following the Verified Track option also gives you unlimited access to the course, whereas you only have around 8 weeks on the free, audit, track.
In summary, this is a first class opportunity to make yourself part of the software supply ecosystem by learning how to fortify it.