
Keyfactor Partners with Chainloop to Drive Software Supply Chain Security


Keyfactor is thrilled to announce a new partnership with Chainloop, a leader in software supply chain security. Together, Chainloop and Keyfactor offer an integrated solution to help enterprises build and deliver trusted software faster. 

Software supply chain attacks have become increasingly common and complex as malicious actors seek to exploit weaknesses at every stage in the software development and delivery lifecycle. However, protecting the entire DevOps toolchain and code throughout application environments is a monumental task for IT operations and security teams. In the game of speed versus security, speed often wins at the cost of increased risk.

From code development through testing, packaging, and distribution, each step generates information about what the software is and how it is built, also known as metadata. This metadata extends well beyond a Software Bill of Materials (SBOM), including QA tests and reports, CVE scans, legal and architecture reviews, and so on.

Companies rely on metadata to make critical decisions around security and compliance, but if this metadata is tampered with or compromised, serious consequences can follow. That’s where Keyfactor and Chainloop come into play.

Chainloop delivers a single platform to store, attest, and distribute metadata, while Keyfactor ensures that all attestations and artifacts in Chainloop are digitally signed and verified. 

This integration is available in two different flavours using Keyfactor’s EJBCA and SignServer solutions. SignServer enables teams to remotely sign attestation payloads before they are sent to Chainloop for storage, so that any tampering or modification after signing can be detected. Additionally, EJBCA can be configured to generate short-lived signing certificates to locally sign artifacts and attestation payloads.

By bringing together leading PKI and signing solutions with the Chainloop Control Plane for Trusted Software Delivery, application and operations teams can move fast, while security teams can implement robust policies across their entire software supply chain.  

To learn more about the integration and how it works, check out the in-depth blog post on “Securing the Software Supply Chain with SignServer, EJBCA, and Chainloop: A Comprehensive Guide.”