2026-06-18 –, A218 (capacity 20)
If you work with source code, you probably care about its integrity. Signing an artifact like a file enables others to not only verify that it wasn't corrupted, but also figure out who authorized it. When used correctly, this information can protect against a range of supply-chain attacks.
In this workshop, you'll learn how to verify and sign artifacts, and manage certificates. (We won't cover encryption.) We'll use Sequoia, which is the OpenPGP implementation used by Fedora, RHEL, Debian and Ubuntu to authenticate packages.
We'll start by learning how to verify a file and discuss what it means to verify a signature. The focus will be not just on the steps, but on understanding what they accomplish. We'll then move on to signing your own software: we'll generate a key, talk about how to protect it, and cover how to get it to your users so they can verify your software. Finally, we'll configure git to sign commits and experiment with sq-git, a tool that helps manage a project's signing policy.
Neal Walfield co-founded the Sequoia PGP project in 2017 and has led the project ever since. Neal feels that not everyone shares his view that fundamental rights are non-negotiable. That is why he fights for privacy, data protection, and freedom of expression. In his spare time, he enjoys spending time with his family, reading (recently “Le Petit Nicolas,” whose stories seem too familiar to him), and cycling whenever possible.