The Open Source Security Foundation (OpenSSF) has developed a free course for software developers, DevOps engineers, security engineers, and software maintainers son how to use Sigstore’s toolkit to its full potential.

The course: Securing Your Software Supply Chain with Sigstore (LFS182x) is available on the Linux Foundation Training & Certification platform and is designed with end users of Sigstore tooling in mind. Building and distributing software that is secure throughout its entire lifecycle can be challenging, leaving many projects unprepared to build securely by default. Attacks and vulnerabilities can emerge at any step of the chain, from writing to packaging and distributing software to end users. Sigstore is one of several innovative technologies that have emerged to improve the integrity of the software supply chain, reducing the friction developers face in implementing security within their daily work.

This course will introduce you to Cosign, Fulcio, and Rekor, the tools under the Sigstore umbrella, explaining how they support a more secure software supply chain. You will learn how to employ these tools throughout your software development, testing, and distribution processes. Additionally, those who use or implement your software will be able to verify its authenticity through tamper-resistant public logs.

Upon completing this course, participants will be able to inform their organization’s security strategy and build software more securely by default. The hope is this will help you address attacks and vulnerabilities that can emerge at any step of the software supply chain, from writing to packaging and distributing software to end users.

To make the best use of this course, you will need to be familiar with Linux terminals and using command line tools. You will also need to have intermediate knowledge of cloud computing and DevOps concepts, such as using and building containers and CI/CD systems like GitHub Actions.

Both the course and certificate of completion are free. It is entirely online, takes about 8 hours to complete, and you can go at your own pace.

Begin "Securing Your Software Supply Chain with Sigstore" course (LFS182x)