Do you trust the integrity of your containers? By using our joint solutions with Chainloop, you can further tighten your software supply chain with automation and extended signing functions.
Chainloop is an open-source evidence store for managing software supply chain metadata, including SBOMs, VEX, SARIF files, and other key file types. Companies rely on this metadata to make deployment decisions driven by security goals or regulations. Signing the metadata is crucial to safeguard artifact integrity and to verify the signer's identity. SignServer and EJBCA integrate with Chainloop to provide enterprise-grade signing and PKI capabilities for enhanced protection and compliance.
Integrating Chainloop with EJBCA and SignServer yields a solution that generates in-toto attestations, signs them with SignServer and EJBCA, and stores the signed attestations in an OCI registry.
Two integration options are available:
This workshop Securing the Software Supply Chain featuring Chainloop was recorded at the Keyfactor Community Tech Meetup in 2024. It covers an introduction to software supply chain security, an overview of our integrations, and a demo of those integrations.
To learn more about the SignServer integration and examples, please refer to the How-to guide: Use Keyfactor SignServer for attestation signing.
To learn more about the EJBCA integration and examples, please refer to the How-to guide: Use Keyfactor EJBCA to generate ephemeral signing certificates.
You can watch the workshop video on YouTube, along with a few other videos, here.
Read more about our integrations in this blog post.