Federal Zero Trust: Scaling Sigstore & Keyless Attestation for Linux

As federal mandates like EO 14028 and OMB M-22-18 redefine software integrity, agencies face a critical challenge: how to implement "Zero Trust" without paralyzing the development lifecycle. This session provides a strategic and technical blueprint for modernizing the Linux supply chain in a highly regulated environment.

Drawing on the dual perspectives of a PM and a DevSecOps Technical Advisor, we explore the transition from legacy, manual GPG management to automated, keyless attestation using Sigstore (Cosign/Rekor). We dive into "Day 2" operational realities:

Policy-as-Code: Translating NIST SSDF into automated controllers (Kyverno) to enforce signature verification.

Identity over Keys: Leveraging OIDC and federal providers (PIV/CAC) to eliminate "key debt."

Auditable Integrity: Using the Rekor transparency ledger as a tamper-proof "Source of Truth" for audits and procurement.

Blueprint for Scale: Navigating friction when moving to a cryptographically verified "Verify-Before-Deploy" architecture.

Companion repository: https://github.com/saisravan909/fed-sigstore-blueprint-zero-trust-linux
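As an added illustration of the Policy-as-Code and Verify-Before-Deploy items above (this is example configuration written for this page, not material from the session or the linked repository), a Kyverno ClusterPolicy that admits a Pod only when its image carries a keyless Sigstore signature whose certificate matches an expected OIDC issuer and subject and whose entry is present in the Rekor transparency log. The registry path, issuer URL and subject pattern are placeholders that an agency would replace with its own registry and federated identity provider.

```yaml
# Example Kyverno policy (constructed for illustration; adapt the placeholder
# values below). Enforces "verify before deploy": unsigned or mis-signed
# images are rejected at admission time rather than detected afterwards.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-keyless-sigstore-signature
spec:
  # Enforce = block the workload; use Audit first to measure friction.
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-agency-images
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Placeholder: only images from the agency's approved registry are
        # subject to this rule; anything else is handled by other policies.
        - imageReferences:
            - "registry.example.gov/agency/*"
          attestors:
            - count: 1
              entries:
                - keyless:
                    # Placeholder identity: the CI workflow (or a PIV/CAC-
                    # federated OIDC identity) permitted to sign these images.
                    subject: "https://github.com/example-agency/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    # Signature must be recorded in the transparency log so
                    # the audit trail is independent of the signer.
                    rekor:
                      url: https://rekor.sigstore.dev
          # Pin the verified digest into the Pod spec so a later tag move
          # cannot swap in a different, unverified image.
          mutateDigest: true
          verifyDigest: true
          required: true
```

A signature produced with `cosign sign` in keyless mode against the same issuer and subject satisfies this rule; one signed by any other identity, or absent from Rekor, is rejected.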

Attendees will gain a framework for aligning open-source innovation with federal compliance to ensure security enhances mission delivery.

Sai Sravan Cherukuri

IRS, DevSecOps Technical Advisor
