Demystify Modern Signing: Keys, Certs, and Envelopes
Cutting Through the Cryptographic Confusion
At CloudNativeSecurityCon NA 2024, John Kjell delivered a masterclass in modern signing technologies. This talk stands out for its ability to take complex cryptographic concepts and make them accessible to developers and security professionals alike. John doesn't just explain what these tools do; he shows when and why to use each one.
The presentation addresses a critical gap in the industry: while everyone agrees that signing is important, there's massive confusion about how to actually implement it. Should you use GPG? Cosign? Notation? What's the difference between signing and encryption? John cuts through the noise with clear explanations and practical demonstrations.
The Evolution of Code Signing
What makes this talk particularly valuable is its historical context. John traces the evolution from PGP/GPG through to modern cloud-native signing tools, explaining why each generation of tools emerged and what problems they solved. He then looks forward to emerging patterns like keyless signing that promise to make cryptographic signatures as easy as pushing to Git.
The live demonstrations show real-world usage of each tool, helping attendees understand not just the theory but the practical implementation details that make the difference between secure and insecure systems.
Key Takeaways
Signing proves authenticity and integrity, while encryption provides confidentiality - they solve different problems
Modern signing has moved beyond GPG to tools designed for cloud-native workflows
Short-lived certificates and keyless signing eliminate the burden of long-term key management
Envelope formats like DSSE enable multiple signatures and rich metadata alongside artifacts
The ecosystem is converging on standards that work across different tools and platforms
Identity-based signing using OIDC providers makes signing accessible to every developer
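To make the envelope takeaway concrete, here is an added example (written for this page, not code from the talk or from any Sigstore/in-toto project) of a minimal DSSE envelope: the payload is wrapped in the DSSE Pre-Authentication Encoding so the payload type is bound into what gets signed, and the envelope carries two independent signatures that a verifier checks against a set of trusted keys. The key IDs, the in-toto statement payload and the use of Ed25519 are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Envelope is the DSSE JSON shape: a typed, base64 payload plus any number of signatures.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// Signature carries a key identifier (constructed here) and the base64 raw signature.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// NewEnvelope wraps a payload of the given type; nothing is signed yet.
func NewEnvelope(payloadType string, payload []byte) Envelope {
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(payload)}
}

// pae builds the DSSE Pre-Authentication Encoding:
// "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload
// Signing this, not the bare payload, binds the payload type into the signature.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Sign appends one more signature; existing signatures are left untouched.
func Sign(env *Envelope, keyID string, priv ed25519.PrivateKey) {
	payload, _ := base64.StdEncoding.DecodeString(env.Payload)
	sig := ed25519.Sign(priv, pae(env.PayloadType, payload))
	env.Signatures = append(env.Signatures, Signature{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)})
}

// Verify returns the key IDs whose signatures validate; unknown keys and bad signatures are skipped.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey) []string {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil
	}
	msg := pae(env.PayloadType, payload)
	var ok []string
	for _, s := range env.Signatures {
		pub, known := trusted[s.KeyID]
		raw, derr := base64.StdEncoding.DecodeString(s.Sig)
		if !known || derr != nil || !ed25519.Verify(pub, msg, raw) {
			continue
		}
		ok = append(ok, s.KeyID)
	}
	return ok
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // constructed key "alice"
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader) // constructed key "bob"
	env := NewEnvelope("application/vnd.in-toto+json", []byte(`{"_type":"https://in-toto.io/Statement/v1"}`))
	Sign(&env, "alice", privA)
	Sign(&env, "bob", privB)
	out, _ := json.MarshalIndent(env, "", "  ")
	fmt.Println(string(out))
	fmt.Println("valid signers:", Verify(env, map[string]ed25519.PublicKey{"alice": pubA, "bob": pubB}))
}
```

Changing only the payloadType after signing makes every signature fail, which is exactly the type-confusion protection the PAE step provides.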
Watch the Full Presentation
35 minutes of insights on signing
About the Speaker
John Kjell
Principal Consultant, ControlPlane
John Kjell is a respected voice in the open source security community, known for making complex security concepts accessible to developers. As a Principal Consultant at ControlPlane, he continues to lead open source initiatives and contribute to multiple projects in the software supply chain security space.
With extensive experience in cryptographic systems and developer tooling, John has been instrumental in driving adoption of modern signing practices. His work spans contributions to Sigstore, in-toto, and various CNCF projects.
John is passionate about developer experience and believes that security tools should enhance, not hinder, productivity. His talks are known for practical demonstrations and clear explanations that help developers implement security correctly.