May-18-2026

Open Source Summit and Embedded Linux Conference

Minneapolis, MN

Brandt Keller

Monday, May 18 | 1:30 PM CDT

One Signature to Rule Them All:

Signed software creates assurances around the integrity and authenticity of how it was produced and by whom. But signing alone is not inherently valuable. The ability to verify the signature in a meaningful way elevates the process to complete the trust cycle.

Blend this idea with many disparate signing mechanisms, add the many layers of exchange as software changes hands and where the software ultimately needs to resolve verification, combine it with many different types of artifacts, and you end up with a complex web of requirements that can be difficult to maintain.

Zarf, an OpenSSF Sandbox project, takes a different approach. Rather than requiring each artifact to be independently verified against external infrastructure, Zarf consolidates artifacts into a declarative package that is pre-verified at creation time. A single signature covers the entire package. The trusted root is embedded in the CLI and the package contains the signature, enabling meaningful verification anywhere, including entirely airgapped environments, with no external connectivity or additional tooling required.

Austin Abro

Wednesday, May 20 | 11:55 AM CDT

OCI Images: Not Just for Containers Anymore

Docker popularized the container; OCI standardized the artifact. That shift, from a specific format to a global specification, is what allowed us to expand beyond just ‘running apps.’ Now, whether it’s Cosign for security, OpenTofu for infrastructure, or Zarf for air-gapped distribution, the ecosystem is leveraging a common foundation to solve complex supply chain problems. Additionally, Kubernetes’ recent work on OCI read-only volumes signifies a paradigm shift: we are now using images as a pure data transfer mechanism rather than just a runtime environment. Yet the elegant design that enables OCI images is mostly hidden from users.

In this session, we’ll create our own custom OCI artifact from scratch. Along the way, we’ll learn the benefits of the OCI specification: the efficiency of its storage model, its simple cross-platform experience, and its secure-by-default design. Developers will walk away with a starting point for packaging their own custom artifacts, while practitioners will gain a deeper understanding of the OCI artifacts powering their workflows.