1 views collected around this technical thread.
The article explains software supply chain security by describing how source code becomes artifacts, the role of hashes and digital signatures, and how frameworks like SLSA and Sigstore provide attestations and trusted signing to ensure provenance and protect against tampering.
This article explains how to generate and verify software artifact provenance with the Witness framework in non‑GitHub ecosystems, covering installation, key creation, configuration, running, signing, and policy verification to achieve higher SLSA levels.
This article demonstrates how to apply the SLSA (Supply chain Levels for Software Artifacts) framework to the Python ecosystem by building clean packages, generating provenance statements, uploading them to PyPI, and verifying the package origin using GitHub Actions and the slsa‑verifier tool.
This article translates Google's SLSA framework paper, explaining software supply chain threats, the four SLSA levels, mitigation strategies, a provenance generation example, and concluding with its impact on software security, while also noting related DevOps certification offerings.