The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon Europe 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.
Please note: This schedule is automatically displayed in British Summer Time (BST) (UTC +1). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change and session seating is available on a first-come, first-served basis.
Software distribution encompasses not only images but also binaries, which are often distributed outside of OCI registries, such as through websites or package managers. It is essential for teams to produce SBOMs for these binaries and distribute them together. Ensuring the security of these binaries is as critical as securing regular OCI artifacts. While existing tools like GPG can perform basic signing tasks, they lack extensibility and do not offer fine-grained signature verification.
Notation from the Notary Project addresses these limitations by enabling the signing of arbitrary blobs beyond regular OCI artifacts. It also provides verification based on fine-grained trust policies, thereby enhancing security. Furthermore, Notation's plugin model allows for flexible and robust security measures tailored to specific needs.
In this session, Shiwei will demonstrate how Notation performs blob signing and verification, showcasing its application in securing binary releases of software.
