cdCon+GitOpsCon 2023

Recently there has been a large focus on software supply chain security across the industry. While much of this discussion has been focused on containers and other binary artifacts, source code is an equally critical component to sign and verify integrity in your supply chain (especially for GitOps workflows)! While Git commit signing has typically been done with GPG and more recently SSH keys, maintaining these long lived keys can often be a challenge, particularly in shared environments like CI/CD. In this talk, we'll take a look at some of these challenges as well as take a deep dive into Gitsign - a Sigstore project that brings "keyless" identity-based signing to Git. We'll walkthrough you can use Gitsign to cryptographically sign Git commits using OIDC based identities, how this can be beneficial over traditional signing methods to improve the security of source consumed and produced by your CI/CD and GitOps workflows, and how this can improve incident response in the event of a compromise.