Olivia
Online
SignPath.io
@SignPathIO
Code signing - simple & secure (and free for Open Source)
Joined July 2017
0 Following
52 Followers
28 Posts
@studio__aaa We put a support bot on weekend shift. Let's get those evil Okta spirits banned!
Cybernews interview with our CEO about code signing and how it relates to software supply chains and current cyber threats https://t.co/Q5174w20YT
More on Sunburst: what can we do to prevent this kind of supply chain attacks in the future? https://t.co/qrB0R30VFW
Reviews, secure build chains... and SignPath, maybe, to make sure reviews and security are in place before code signing.
Connecting build systems to HSMs is not enough, nor are specialized HSM proxies dressed up as code signing solutions. We need policy management & enforcement, airtight & verifiable integration from source code to build to signing. That's what we do. 4/4
Who to follow
Lizard Labs Software 
@lizardlabs
Generalist developer. 20+ yrs building tools with .NET, SQL Server, Azure, on-prem, modern & legacy tech. Founder: https://t.co/cH3zjW5gVs, https://t.co/euEmNorWM7
Pete Hazelberg
@PeteHazelberg
Dad, Software Geek, Build Software at Johnson Controls. Tweets are my own opinions.
Marco Rossignoli/@[email protected]
@MarcoRossignoli
GitHub CodeAI Eval@Microsoft CoreAI - Agents and LLMs evaluation systems, .NET Microsoft.Testing.Platform creator, former .NET Coverlet coverage co-maintainer
Most in-depth SunBurst analysis we've seen so far: https://t.co/4xvEfk4wDz
Build systems and code singing are primary targets for suply chain attacks, allowing hackers to "evade millions of dollars of security investment" at their eventual targets. 1/4
It has happend before, and we've been warned it would only get worse: https://t.co/Z45IsyjDc6 3/4
While SignPath can help with driver cross-signing, attestation *and* HLK signing, customers express concern about consequences of Microsoft dropping cross-signing for good https://t.co/rqvA5Ddf3N via @OSRDrivers /cc @vcsjones @clairernovotny
@matkoch87 @sforkmann @buhakmeh @PaketManager When autocorrect feels the need to remind you that you're German ;-)
@sforkmann @matkoch87 @buhakmeh @PaketManager Our if you find another cert sponsor, they can provide the cert through a free OSS SignPath subscription. It's then up to them to define policy, they'll be in charge of the cert anyway. After all, certs are less about the cost than the name you put on it.
@sforkmann @matkoch87 @buhakmeh @PaketManager Yes, for automatic build+release you'd have to split your build script: 1. build unsigned artifact and submit for signing, 2. upload for release (can be triggered by Webhook). That's what we need to automatically verify each build.
@natemcmaster @nuget Problem: policy mgmt is designed for enterprises, but b/c of huge share of @nuget projects, requires OSS prj buy-in. https://t.co/TmP4cTePOM aims to turn this around by offering real trust to OSS: signature connects the binary to the source repo, not just sbdy's reputation.
@clairernovotny @minter @shanselman Many thanks @clairnovotny! @minter: https://t.co/u34rNgiMUj is even a bit cheaper for multi-year certs + you don't get the mess that comes with reseller accounts. You might need an EV cert though: https://t.co/6J9bLR4pJU. No dongles when using https://t.co/TmP4cTePOM
@onovotny @vcsjones @IgorRussKie @migueldeicaza Association with Azure AD seems to be the most they do. No legal ID vetting afaik. (Know how they identify device driver publisher identities for portal signing via AAD? Make them show EV cert.) Even if they did, solution for OSS still required.
@onovotny @vcsjones @IgorRussKie @migueldeicaza Not on the level they require from CAs afaik, but could be wrong. Dev from my org had no trouble publishing in our name, verification never happened.
@onovotny @IgorRussKie @migueldeicaza @vcsjones Couldn't find it, asked around, all I heard was "it was mentioned in some CAB meeting"
@onovotny @IgorRussKie @migueldeicaza @vcsjones You've asked me before. 3 strikes is just a rumour so far.
@onovotny @IgorRussKie @migueldeicaza @vcsjones No, same publisher, individual certs (need to be able to revoke)
Last Seen Users on Sotwe
Trends for you
Most Popular Users
Elon Musk
@elonmusk
240.4M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.7M followers
Cristiano Ronaldo
@cristiano
110.2M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.6M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.8M followers
KATY PERRY
@katyperry
87.4M followers
Taylor Swift
@taylorswift13
81.3M followers
Lady Gaga
@ladygaga
72.8M followers
Kim Kardashian
@kimkardashian
69.7M followers
Virat Kohli
@imvkohli
69.6M followers
YouTube
@youtube
68.7M followers
Bill Gates
@billgates
63.8M followers
The Ellen Show
@theellenshow
62.5M followers
Neymar Jr
@neymarjr
62.3M followers
CNN
@cnn
61.9M followers
X
@x
60.8M followers
Selena Gomez
@selenagomez
60.5M followers