Understanding the Identity ofa CI Platform

November 12, 2024

9

Understanding the Identity of a CI Platform

Presented at SigstoreCon 2024

Richard Fan

November 12, 2024

More Decks by Richard Fan

See All by Richard Fan

You Don’t Need to Be a Hero to Contribute

0

5

JAWS Pankration 2024 - Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions

0

70

Preserving privacy on data collaboration with AWS Clean Rooms

0

53

Achieve software supply chain security using AWS Nitro Enclaves and GitHub Actions

0

170

When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS

0

62

AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture

0

75

Create your first AWS Nitro Enclaves application

0

70

Building Security Data Lake

0

22

Other Decks in Technology

See All in Technology

AI フレンドリーなエラー監視を TypeScript で実現する

2

230

チームで実践する AI-DLC 思考の軌跡を残すチェックポイント設計

0

1.7k

サイバーセキュリティ概論 / Introduction to Cybersecurity

PRO

0

120

大学生が本気でDatabricksを活用してDiscordサークルをデータ駆動させてみた

1

330

Javaで学ぶSOLID原則

1

270

oracle-to-databricks-migration-with-llm-and-dbt

1

410

電子辞書Brainをネットに繋げてみた(自力編)

0

420

製造業のクラウド活用最適解〜AI，DXを加速するデータ基盤の作り方〜

0

300

地元にいないローカルオーガナイザーの立ち回り

1

430

「気づいたら仕事が終わっている」バクラクAIエージェント本番運用の裏側 / layerx-bakuraku-aie2026

13

7.2k

形式手法特論：公平性制約の位相的特徴づけ #kernelvm / Kernel VM Study Kansai 12th

1

680

Claude Codeを組織で使いこなす— サーバサイドAIエージェント運用の実践知

PRO

0

170

Featured

See All Featured

The Mindset for Success: Future Career Progression

PRO

0

350

[RailsConf 2023] Rails as a piece of cake

59

6.6k

State of Search Keynote: SEO is Dead Long Live SEO

0

200

How To Stay Up To Date on Web Technology

790

250k

Distributed Sagas: A Protocol for Coordinating Microservices

333

22k

Mozcon NYC 2025: Stop Losing SEO Traffic

1

250

Digital Ethics as a Driver of Design Innovation

PRO

1

300

Efficient Content Optimization with Google Search Console & Apps Script

PRO

1

590

How GitHub (no longer) Works

316

150k

Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline

PRO

0

190

Design and Strategy: How to Deal with People Who Don’t "Get" Design

133

19k

Amusing Abliteration

1

190

Transcript

None
Richard Fan Understanding the Identity of a CI Platform
Who am I • Security Engineer • AWS Security Hero
• Amateur hacker OSCP – but forgot how to try harder • Love travel, hiking • Have a cat
Who am I • 10 Nov, 2024 @Brian Head
(Refresher) Fulcio
(Refresher) Fulcio
Reusing other’s identity
Victim? … argo-cd
Victim? … argo-cd Pass the check!!!
Check more extension --certificate-github-workflow-repository "argoproj/argo-cd"
Extension verification support Not Supported Only for GitHub New OID
scheme • sigstore-js (Was supported, but removed) • sigstore-rs (No stable release yet) • sigstore-ruby (No stable release yet) • policy-controller (Possible with attestation) • sigstore-python (CLI) • cosign • sigstore-java (With some tricks) • sigstore-python (API) • sigstore-go (Undocumented function) NewCertificateIdentity()
No one size fit all
No one size fit all GitHub GitLab
No one size fit all If you think some mapping
is not right? Raise a PR!! https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml
How to find me [email protected] richardfan1126 @richardfan1126