Supply Chain Security: Provenance Tools Becoming Standard in Developer Platforms
Briefly

Software provenance has become crucial for organizations aiming to secure their supply chains against tampering and to comply with standards like SLSA. Incidents such as SolarWinds highlight the risk of a compromised build process. In response, regulatory measures like Executive Order 14028 in the U.S. and Europe's Cyber Resilience Act call for verifiable software provenance. Two tools have shaped the industry's approach: Sigstore focuses on cryptographic signing and transparency, while in-toto secures the build pipeline itself with signed attestations. HashiCorp's Packer captures build metadata and generates a Software Bill of Materials (SBOM), aiding compliance efforts.
Software provenance is gaining new importance as organizations look for ways to secure their supply chains against tampering and comply with emerging standards like SLSA.
Regulators have responded: in the U.S., Executive Order 14028 requires federal software suppliers to provide verifiable provenance, while Europe's Cyber Resilience Act imposes similar obligations.
Two open source projects have shaped how the industry approaches provenance: Sigstore provides cryptographic signing and transparency-log infrastructure, while in-toto covers the pipeline end to end by having each build step emit a signed attestation that a verifier can check.
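The signing-and-verification flow those two projects standardize, as an added example that is not code from InfoQ, Sigstore or in-toto: a Go program, standard library only, that builds an in-toto Statement carrying a SLSA v1 provenance predicate, wraps it in a DSSE envelope signed over the Pre-Authentication Encoding, and then verifies it the way a deployment gate would. It assumes an ed25519 key pair generated in-process in place of Sigstore's keyless certificates and Rekor log, a constructed artifact byte string in place of a real build output, and hypothetical buildType and builder identifiers under example.com; the function names NewProvenanceStatement, Sign and Verify are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Identifiers fixed by the DSSE, in-toto attestation and SLSA specifications.
const inTotoPayloadType, statementType, slsaProvenanceV1 = "application/vnd.in-toto+json", "https://in-toto.io/Statement/v1", "https://slsa.dev/provenance/v1"

// Envelope is the DSSE envelope in-toto and Sigstore tooling emit; Statement is the in-toto Statement v1 it carries.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the serialized Statement
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // base64 of the signature over pae(payloadType, payload)
}
type Statement struct {
	Type          string         `json:"_type"`
	Subject       []Subject      `json:"subject"`
	PredicateType string         `json:"predicateType"`
	Predicate     map[string]any `json:"predicate"` // shape depends on predicateType, so left untyped
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"` // algorithm -> lowercase hex
}

// pae is DSSE Pre-Authentication Encoding, the bytes actually signed; binding the payload type in
// stops a signature over one kind of payload being replayed as another.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}
// NewProvenanceStatement binds the artifact's sha256 to a minimal SLSA v1 predicate; buildType and
// builderID are hypothetical identifiers chosen by the caller.
func NewProvenanceStatement(name string, artifact []byte, buildType, builderID string) Statement {
	sum := sha256.Sum256(artifact)
	return Statement{Type: statementType, PredicateType: slsaProvenanceV1,
		Subject: []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		Predicate: map[string]any{"buildDefinition": map[string]any{"buildType": buildType},
			"runDetails": map[string]any{"builder": map[string]string{"id": builderID}}}}
}
// Sign serializes the Statement and signs its PAE with an ed25519 key.
func Sign(stmt Statement, keyID string, priv ed25519.PrivateKey) (Envelope, error) {
	body, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(inTotoPayloadType, body))
	return Envelope{PayloadType: inTotoPayloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}
// Verify accepts the envelope only if a signature verifies under a trusted key, the payload is SLSA
// provenance, and the artifact in hand matches an attested subject digest (what ties metadata to bytes).
func Verify(env Envelope, trusted map[string]ed25519.PublicKey, artifact []byte) (*Statement, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	signed, verified := pae(env.PayloadType, body), false
	for _, s := range env.Signatures {
		pub, known := trusted[s.KeyID] // unknown keyids are skipped, never trusted on sight
		raw, decErr := base64.StdEncoding.DecodeString(s.Sig)
		verified = verified || (known && decErr == nil && ed25519.Verify(pub, signed, raw))
	}
	if !verified {
		return nil, fmt.Errorf("no valid signature from a trusted key")
	}
	var stmt Statement // parse the payload only after the signature has been checked
	if err := json.Unmarshal(body, &stmt); err != nil {
		return nil, err
	}
	if env.PayloadType != inTotoPayloadType || stmt.Type != statementType || stmt.PredicateType != slsaProvenanceV1 {
		return nil, fmt.Errorf("not SLSA provenance: %s %s %s", env.PayloadType, stmt.Type, stmt.PredicateType)
	}
	want := sha256.Sum256(artifact)
	for _, sub := range stmt.Subject {
		if sub.Digest["sha256"] == hex.EncodeToString(want[:]) {
			return &stmt, nil
		}
	}
	return nil, fmt.Errorf("artifact digest does not match any attested subject")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed release tarball bytes") // stands in for a real build output
	env, _ := Sign(NewProvenanceStatement("app-1.0.tar.gz", artifact, "https://example.com/build/v1", "https://example.com/builder"), "build-key-1", priv)
	trusted := map[string]ed25519.PublicKey{"build-key-1": pub}
	_, okErr := Verify(env, trusted, artifact)
	_, badErr := Verify(env, trusted, []byte("tampered bytes"))
	fmt.Println("genuine:", okErr, "| tampered:", badErr)
}
```

Run it with `go run`; the tampered call fails at the digest comparison rather than at the signature check, which is the point: a valid signature proves the attestation is authentic, and only the subject digest proves it is about the artifact you are holding. Production verifiers such as Sigstore's cosign and in-toto's own tooling additionally resolve the signing identity against a policy and check transparency-log inclusion, both of which are outside this example.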
HashiCorp's Packer has long captured build metadata and more recently added SBOM generation; HashiCorp's position is that HCP Packer gives teams a start on compliance out of the box.
Read at InfoQ