
Software Supply Chain Security with Chainloop

Do you trust the integrity of your containers? With the joint Keyfactor and Chainloop solution, you can further tighten your software supply chain through automation and enterprise-grade signing.


The Chainloop integration with EJBCA and SignServer

Chainloop is an open-source evidence store for managing software supply chain metadata, including SBOMs, VEX documents, SARIF files, and other key file types. Companies rely on this metadata to make deployment decisions, driven by security goals or regulations. Signing the metadata is crucial both to safeguard artifact integrity and to verify the signer's identity. SignServer and EJBCA integrate with Chainloop to provide enterprise-grade signing and PKI capabilities for enhanced protection and compliance.

How to get started

Integrating Chainloop with EJBCA and SignServer produces in-toto attestations that are signed either by SignServer or with ephemeral certificates issued by EJBCA, and are then stored in an OCI registry.

Two integration options are available: attestation signing with Keyfactor SignServer, and ephemeral signing certificates generated by Keyfactor EJBCA.

The workshop Securing the Software Supply Chain featuring Chainloop was recorded at the Keyfactor Community Tech Meetup in 2024. It covers an introduction to software supply chain security, an overview of the integrations, and a demo of them.
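To make the attestation flow described under How to get started concrete, here is an added example in Go (not code from Chainloop, SignServer, or EJBCA) of what such a signed attestation looks like end to end: an in-toto Statement whose subject is an SBOM, wrapped in a DSSE envelope, signed with a key whose certificate is short-lived (standing in for the ephemeral certificate EJBCA would issue), and verified with a check that the signing time falls inside the certificate's validity window. The self-signed certificate, the `ci-runner` name, the predicate type URL, and the SBOM bytes are assumptions made for this example; the real integrations obtain signatures from SignServer or certificates from EJBCA and push the envelope to an OCI registry, which this example does not do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Statement is an in-toto Statement (v1): subjects identified by digest plus a typed predicate.
type Statement struct {
	Type          string           `json:"_type"`
	Subject       []map[string]any `json:"subject"`
	PredicateType string           `json:"predicateType"`
	Predicate     map[string]any   `json:"predicate"`
}

// Envelope is a DSSE envelope: the serialized Statement plus signatures ("keyid", "sig") over its PAE.
type Envelope struct {
	PayloadType string              `json:"payloadType"`
	Payload     string              `json:"payload"`
	Signatures  []map[string]string `json:"signatures"`
}

const payloadType = "application/vnd.in-toto+json"

// pae is the DSSE Pre-Authentication Encoding, the bytes actually signed; it binds the payload
// type to the payload so a signature cannot be replayed under a different type.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// ephemeralSigner returns a fresh P-256 key and a self-signed certificate valid for ttl from notBefore.
// It stands in for the short-lived certificate a CA such as EJBCA would issue for one signing run;
// the self-signing is an assumption of this example, not how the real integration works.
func ephemeralSigner(cn string, notBefore time.Time, ttl time.Duration) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// signStatement serializes the Statement into a DSSE envelope signed with key (ECDSA P-256, SHA-256).
func signStatement(st Statement, key *ecdsa.PrivateKey, keyID string) (Envelope, error) {
	body, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	digest := sha256.Sum256(pae(payloadType, body))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []map[string]string{{"keyid": keyID, "sig": base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// verifyEnvelope checks a signature with the certificate's key and, because the certificate is
// short-lived, that signingTime lies inside its validity window. A production verifier takes
// signingTime from a trusted timestamp or transparency log, never from the envelope itself.
func verifyEnvelope(env Envelope, cert *x509.Certificate, signingTime time.Time) (*Statement, error) {
	if signingTime.Before(cert.NotBefore) || signingTime.After(cert.NotAfter) {
		return nil, fmt.Errorf("certificate not valid at %s", signingTime.UTC().Format(time.RFC3339))
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	for _, s := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(s["sig"])
		if err == nil && cert.CheckSignature(x509.ECDSAWithSHA256, pae(env.PayloadType, body), raw) == nil {
			var st Statement
			if err := json.Unmarshal(body, &st); err != nil {
				return nil, err
			}
			return &st, nil
		}
	}
	return nil, fmt.Errorf("no signature verified")
}

// sbomStatement builds a Statement whose subject is an SBOM file identified by the sha256 of its bytes.
func sbomStatement(name string, sbom []byte) Statement {
	return Statement{Type: "https://in-toto.io/Statement/v1",
		Subject:       []map[string]any{{"name": name, "digest": map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256(sbom))}}},
		PredicateType: "https://example.com/build-metadata/v1", // hypothetical predicate type for this example
		Predicate:     map[string]any{"sbomFormat": "CycloneDX"}}
}

func main() {
	key, cert, err := ephemeralSigner("ci-runner", time.Now(), 10*time.Minute)
	if err != nil {
		panic(err)
	}
	// Constructed sample SBOM bytes; a real pipeline hashes the generated SBOM file.
	env, err := signStatement(sbomStatement("sbom.cdx.json", []byte(`{"bomFormat":"CycloneDX"}`)), key, cert.Subject.CommonName)
	if err != nil {
		panic(err)
	}
	_, err = verifyEnvelope(env, cert, time.Now())
	fmt.Println("at signing time:", err)
	_, err = verifyEnvelope(env, cert, time.Now().Add(time.Hour))
	fmt.Println("an hour later:", err)
}
```

The verifier rejects the envelope outside the certificate's validity window and whenever the payload type is changed, because the DSSE PAE binds the type to the payload. In a deployment the signing time would come from a trusted timestamp or transparency log rather than from the clock of whoever presents the envelope, and the certificate would chain to the issuing CA instead of being self-signed.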

Tutorials/documentation

Documentation

To learn more about the SignServer integration and examples, please refer to the How-to guide: Use Keyfactor SignServer for attestation signing.

Documentation

To learn more about the EJBCA integration and examples, please refer to the How-to guide: Use Keyfactor EJBCA to generate ephemeral signing certificates.

YouTube

You can watch the workshop video on YouTube, along with a few other videos, here.

Blog 

Read more about our integrations in this blog post.

Related open-source projects