10 August 2025, TR210
How can we be sure the open-source software we rely on hasn't been tampered with, or that critical internet infrastructure is behaving as expected? This talk introduces the fundamentals of transparency logs: accurate, immutable, publicly verifiable data. Building with tamper-evident logs means that you can cryptographically prove that the data hasn’t been unexpectedly changed.
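As an added illustration of what "cryptographically prove that the data hasn't been changed" means in practice, the following Go program builds a small Merkle-tree log using the RFC 6962 hashing scheme that Certificate Transparency uses (leaf hashes prefixed with 0x00, interior nodes with 0x01), produces an inclusion proof for one entry, and verifies it against the published root. This is example code written for this page, not code from the talk or from Trillian Tessera; the function names and the sample entries are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

const (
	leafPrefix = 0x00 // RFC 6962 domain-separation byte for leaves
	nodePrefix = 0x01 // RFC 6962 domain-separation byte for interior nodes
)

// hashLeaf computes the RFC 6962 leaf hash: SHA-256(0x00 || data).
func hashLeaf(data []byte) []byte {
	h := sha256.New()
	h.Write([]byte{leafPrefix})
	h.Write(data)
	return h.Sum(nil)
}

// hashChildren computes the RFC 6962 interior node hash: SHA-256(0x01 || left || right).
func hashChildren(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{nodePrefix})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// largestPowerOfTwoBelow returns the largest power of two strictly less than n (n > 1).
func largestPowerOfTwoBelow(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// rootHash computes the Merkle Tree Hash (MTH) over the leaf data, splitting at
// the largest power of two below the size as RFC 6962 specifies.
func rootHash(leaves [][]byte) []byte {
	switch len(leaves) {
	case 0:
		return sha256.New().Sum(nil) // MTH of the empty tree is SHA-256("")
	case 1:
		return hashLeaf(leaves[0])
	}
	k := largestPowerOfTwoBelow(len(leaves))
	return hashChildren(rootHash(leaves[:k]), rootHash(leaves[k:]))
}

// inclusionProof returns the audit path for leaf index m (RFC 6962 section 2.1.1):
// the sibling hashes needed to recompute the root from that leaf.
func inclusionProof(m int, leaves [][]byte) [][]byte {
	n := len(leaves)
	if n <= 1 {
		return nil
	}
	k := largestPowerOfTwoBelow(n)
	if m < k {
		return append(inclusionProof(m, leaves[:k]), rootHash(leaves[k:]))
	}
	return append(inclusionProof(m-k, leaves[k:]), rootHash(leaves[:k]))
}

// verifyInclusion checks an audit path against a trusted root using the
// RFC 9162 section 2.1.3.2 algorithm. The verifier needs only the leaf data,
// its index, the tree size, the proof and the root: no access to the log itself.
func verifyInclusion(leafIndex, treeSize int, leafData []byte, proof [][]byte, root []byte) bool {
	if treeSize == 0 || leafIndex < 0 || leafIndex >= treeSize {
		return false
	}
	fn, sn := leafIndex, treeSize-1
	r := hashLeaf(leafData)
	for _, p := range proof {
		if sn == 0 {
			return false // more proof nodes than the tree shape allows
		}
		if fn&1 == 1 || fn == sn {
			r = hashChildren(p, r) // sibling is on the left
			for fn&1 == 0 && fn != 0 {
				fn >>= 1
				sn >>= 1
			}
		} else {
			r = hashChildren(r, p) // sibling is on the right
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && bytes.Equal(r, root)
}

func main() {
	// Constructed sample entries standing in for log records (certificates, artifact digests, ...).
	entries := [][]byte{[]byte("entry-0"), []byte("entry-1"), []byte("entry-2"), []byte("entry-3"), []byte("entry-4")}
	root := rootHash(entries)
	fmt.Println("root:", hex.EncodeToString(root))

	proof := inclusionProof(2, entries)
	fmt.Println("entry 2 included:", verifyInclusion(2, len(entries), entries[2], proof, root))
	// Anyone holding the published root detects a silently altered entry.
	fmt.Println("altered entry accepted:", verifyInclusion(2, len(entries), []byte("entry-2-tampered"), proof, root))
}
```

The point to notice is the asymmetry: the log operator can append entries and publish new roots, but cannot rewrite an existing entry without every verifier that holds the old root noticing, because the altered leaf no longer hashes up to it. Sigstore and TesseraCT build on this same hashing discipline, adding consistency proofs between successive roots and tile-based storage for scale.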
We will discuss how this technology, famously used in Certificate Transparency, can be applied more broadly, from securing the open-source software supply chain with Sigstore to Android Pixel binary transparency.
To illustrate these concepts, this talk also introduces Trillian Tessera, an open-source Go library for building tile-based transparency logs using standard tile formats on both major cloud and on-premises infrastructure, together with TesseraCT, a readily deployable open-source Certificate Transparency log built on Trillian Tessera.
Attendees will gain insights into a lightweight yet powerful library for building their own reliable and easily maintainable transparency solutions. We will showcase a concrete example of its application.
No background knowledge required.
Target audience: developers with Go experience, anyone interested in open-source security, anyone interested in contributing to a Go open-source project, and anyone interested in the transparency ecosystem.
Difficulty: Beginner
- Certificate Transparency: An ecosystem that makes the issuance of website certificates transparent and verifiable.
- Android Pixel Binary Transparency
- TesseraCT: Tile-based Static Certificate Transparency API Log
- Trillian Tessera: Go library for building tile-based transparency logs
- An open-source append-only ledger: Trust your data with a tamper-evident log
- Sigstore: Making sure your software is what it claims to be.
Roger Ng is a software engineer at Google based in London, United Kingdom. He mainly works on Certificate Transparency and transparency logs on the Google Open Source Security Team.