SEANK.H.LIAO

software supply chain tooling

tools for securing software production

software supply chain tools

so how do you sign all the stuff

grafeas

grafeas is an API server for storing artifact metadata in your own DB. Eg, store in-toto layout / link files in grafeas and pull from there when you need it, or store CVEs and occurrences of CVEs in there to query later.

in-toto

in-toto is both a metadata standard and set of libraries/tools to declare the steps in a software supply chain with authorizations (who is allowed to do what), and verify them. What you get are signed metadata files:

sigstore

sigstore is a suite of tools for signing/verify artifacts. What you get:

the update framework

the update framework (TUF) is a general process and metadata specs for ensuring you get trusted updates. You get signed metadata files of the following: