BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.devconf.info//devconf-cz-2026//talk//XMYGSJ
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-devconf-cz-2026-XMYGSJ@pretalx.devconf.info
DTSTART;TZID=CET:20260618T140000
DTEND;TZID=CET:20260618T152000
DESCRIPTION:If you work with source code\, you probably care about its inte
 grity. Signing an artifact like a file enables others to not only verify t
 hat it wasn't corrupted\, but also figure out who authorized it. When used
  correctly\, this information can protect against a range of supply-chain 
 attacks.\n\nIn this workshop\, you'll learn how to verify and sign artifac
 ts\, and manage certificates. (We won't cover encryption.) We'll use Sequo
 ia\, which is the OpenPGP implementation used by Fedora\, RHEL\, Debian an
 d Ubuntu to authenticate packages.\n\nWe'll start by learning how to verif
 y a file and discuss what it means to verify a signature. The focus will b
 e not just on the steps\, but understanding what they accomplish. We'll th
 en move on to signing your own software. We'll generate a key\, talk about
  how to protect it and how to get it to your users so they can verify your
  software. Finally\, we'll configure git to sign commits and experiment wi
 th sq-git\, a tool that helps manage a project's signing policy.
DTSTAMP:20260430T131300Z
LOCATION:A218 (capacity 20)
SUMMARY:Verifying and Signing Artifacts with Sequoia PGP - Neal H. Walfield
URL:https://pretalx.devconf.info/devconf-cz-2026/talk/XMYGSJ/
END:VEVENT
END:VCALENDAR