spire VS cosign

wget https://github.com/spiffe/SPIRE/releases/download/v1.11.2/SPIRE-1.11.2-linux-amd64-musl.tar.gz tar zvxf SPIRE-1.11.2-linux-amd64-musl.tar.gz cp -r spire-1.11.2/. /opt/spire/

If this seems a bit complicated, you could use SPIRE server to issue certificates and Otterize SPIRE integration operator to renew them in Kubernetes and update Secrets.

BlindSPOT: https://blindspotsec.com/ Specific graphic from BlindSPOT: https://blindspotsec.com/wp-content/uploads/2021/04/Failure_Before.jpg How to Measure Anything in Cybersecurity Risk: https://www.amazon.com/dp/B01J4XYM16/ Monte Carlo simulation approach: https://embracethered.com/blog/posts/2020/red-teaming-and-monte-carlo-simulations/ D3FEND: https://d3fend.mitre.org/ ATT&CK mappings: https://github.com/center-for-threat-informed-defense/attack-control-framework-mappings ATT&CK evals: https://attackevals.mitre-engenuity.org/index.html CALDERA: https://github.com/mitre/caldera Offensive Countermeasures: https://www.amazon.com/dp/1974671690/ SPIFFE: https://spiffe.io/ SPIRE: https://github.com/spiffe/spire Zerotier: https://www.zerotier.com/ Zerotier libzt: https://github.com/zerotier/libzt

The effort to get this going seems the same or more than to get something like this rolling out. spire what do you see as the benefit of your approach.

Flux uses cosign

Verifies downloads using cosign and PGP (via gopenpgp), ensuring the integrity and authenticity of tool binaries.

SigStore project, including its cosign tool, implements simple signing, storage, and verification of artifacts.

RubyGems now supports sigstore.dev, which aims to improve the security of the software supply chain. Sigstore is a series of mechanisms that provide automated signing for the software supply chain. If you pass the file path to a Sigstore Bundle generated using cosign or sigstore-ruby to --attestation, you can upload the Gem signature to RubyGems.

Cosign: In this context, Cosign from the Sigstore project offers a compelling solution. Its simplicity, registry compatibility, and effective link between images and their signatures provide a user-friendly and versatile approach. The integration of Fulcio for certificate management and Rekor for secure logging enhances Cosign's appeal, making it particularly suitable for modern development environments that prioritize security and agility.

sigstore is another suite of tools that focuses on attestation and provenance. Within the suite are two tools I heard mentioned a few times at KubeCon: Cosign and Rekor.

Since we can distribute Spin applications using popular registry services, we can also take advantage of ecosystem tools such as Sigstore and Cosign, which address the software supply chain issue by signing and verifying applications using Sigstore's new keyless signatures (using OIDC identity tokens from providers such as GitHub).

Use distroless images (which contain only application and its runtime dependencies, and don't include package managers/shells or any other programs you would expect to find in a standard Linux distribution). All distroless images are signed by cosign.

$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64-keyless.pem --signature https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64-keyless.sig https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64