Secure Publication of Datadog Agent Integrations with TUF and in-toto
The text discusses a challenge faced by developers at Datadog: ensuring end-to-end security when automation is used to build, sign, and publish software integrations. To address it, the company combines two technologies: The Update Framework (TUF) and in-toto. TUF is used to sign new integrations, while in-toto guarantees that the CI/CD system packaged exactly the source code that one of their developers signed. Together they protect the authenticity and integrity of Agent integrations from the moment a developer commits source code to the point at which end users install them as packages. The four steps of the Datadog Agent integrations supply chain provide end-to-end verification by trusting only wheels that contain source code released by Datadog developers. TUF also provides a compromise-resilient mechanism for securely distributing, revoking, and replacing the public keys used to verify the supply chain. Developers sign integrations with hardware keys (Yubikeys), which are trusted and support on-card generation and storage of GPG signing keys. The Agent transparently calls the TUF and in-toto libraries on behalf of customers when integrations are installed or updated, so the user experience stays seamless while the security checks are enforced.
Company: Datadog
Date published: June 3, 2019
Author(s): Trishank Karthik Kuppusamy
Word count: 1143
Hacker News points: 12
Language: English