You are viewing the 2025 edition of FOSDEM.
Enhancing artifact security with GitHub Artifact Attestations
UB4.132 | Day 1 | 18:30 - 19:00 | Speakers: Fredrik Skogman
Abstract
In the evolving landscape of software development, ensuring the integrity of build artifacts like container images is crucial. GitHub Artifact Attestations is an artifact signing solution and PKI built on open source software like TUF and Sigstore. In this talk, I'll discuss and demonstrate how to use Artifact Attestations to generate signed SLSA attestations and verify their origin and authenticity. By the end of this session, you'll have a good understanding of how open source tools like Sigstore, in-toto, SLSA and TUF can collectively strengthen the security of the software supply chain.
