10-26, 17:55–18:00 (Europe/Berlin), Main stage
The practice of maintaining a Secure Software Supply Chain (S3C) helps provide actionable insight for developers consuming upstream packages. However, in the industry’s efforts to shift security left, the Software Supply Chain often ignores the “final mile” of the manufacturing and delivery of applications to consumers’ devices. In this talk, we will talk about the history, current status and future of code signing and how it can be leveraged to ship secure applications at massive scale.
Code-signing solutions like sigstore come close to addressing the concerns in today’s talk, but they aren’t meant to replace the authority of operating system level trust. Consumer-facing desktop and mobile platforms (Windows, macOS, Android, etc.) have applications that must be signed with developer certificates, but the process of attaining such code-signing certs is gatekept by these companies. While it could be argued that they are doing their best to secure their platforms for their end-users, ultimately they are applying anti-competitive approaches no longer in line with the general ethos and ability of open-source community solutions. This talk dives into the respective platforms from the perspective of application developers and outlines the procedures (both technical and legal) for signing, publishing, and distributing applications. Finally, a potential way forward will be outlined.