Explore the critical aspects of securing the software supply chain in this 20-minute conference talk. Learn about the in-toto and SPIRE projects, and their role in addressing current gaps in open-source ecosystems. Discover how to implement a cryptographically attestable software pipeline with automated certificate issuance. Delve into topics such as Zero Trust Architecture, the CI/CD pipeline, and evidence-based trust. Gain insights into SPIRE's functionality and witness a practical demonstration. This presentation, delivered by Cole Kennedy and Mikhail Swift from BoxBoat Technologies at KubeCon + CloudNativeCon North America 2021, offers valuable knowledge for developers and end-users of CNCF-hosted projects like Kubernetes, Prometheus, and Envoy.
Securing the Software Supply Chain with the In-toto and SPIRE Projects