Validating release artifact provenance
Tags: provenance, release, artifact, validating
Problem
While this question could be posed in a vendor-agnostic fashion, I'll gear it around GitHub and Azure to give it some context.
I am planning an open-source project, in a sensitive business domain (banking). As such, I feel it would be important for users who download and install it to be able to verify the provenance of the binary - through some kind of independently tracked "chain of custody" - tracing it back to the actual source code label that the CI process consumed.
How is this currently achieved? If at all? Are there any known mechanisms/practices for this?
What I imagine is a publicly visible landing page in Azure DevOps, hosted by Microsoft (unable to be tampered with by anyone, not even the project owner), which maps the installation binary hash to the source control label thumbprint. This would allow the user to trust that the binary in their possession is guaranteed to be the product of the code they are auditing.
Solution
You have 2 questions here that likely need two different answers. Luckily, both are solved problems!
- How to prove the provenance of code? This is done with what's called Code Signing. Azure DevOps has tools for this; KeyVault and Pipelines can both do it, and I suspect there are others.
- How to prove that a package contains the code it's supposed to contain? The best and most predictable way to do this is likely with an MD5 checksum.
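The two checks the answer describes, combined into one verification a user could run, as an added example that is not part of the original post: CI publishes a record mapping the artifact's hash to the source commit it built from, signs that record so it cannot be altered unnoticed, and the user checks signature, hash and commit together. The artifact bytes, commit id and key are constructed placeholders, the HMAC stands in for a real code-signing key pair, and SHA-256 is used here rather than MD5.

```python
import hashlib
import hmac
import json

# Constructed sample inputs; not from any real project or release.
SAMPLE_ARTIFACT = b"\x7fELF demo installer bytes (constructed sample)"
SAMPLE_COMMIT = "0123456789abcdef0123456789abcdef01234567"  # placeholder commit id
SIGNING_KEY = b"constructed-demo-key-stand-in-for-a-real-signing-key"


def artifact_digest(artifact: bytes) -> str:
    """SHA-256 of the downloadable artifact (the value a user recomputes locally)."""
    return hashlib.sha256(artifact).hexdigest()


def _canonical(record: dict) -> bytes:
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_provenance(artifact: bytes, source_commit: str, key: bytes) -> dict:
    """What the CI step publishes: artifact hash -> source commit, plus a signature.
    The HMAC is a stand-in for an asymmetric code signature (assumption, see lead-in)."""
    record = {"artifact_sha256": artifact_digest(artifact), "source_commit": source_commit}
    record["signature"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_provenance(artifact: bytes, record: dict, key: bytes, audited_commit: str) -> dict:
    """The user's side: is the record authentic, does the downloaded file match it,
    and does it trace back to the commit the user actually audited?"""
    unsigned = {k: v for k, v in record.items() if k != "signature"}
    expected_sig = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    signature_ok = hmac.compare_digest(expected_sig, record.get("signature", ""))
    # The hash and commit fields are only meaningful once the record itself is authentic.
    hash_ok = signature_ok and hmac.compare_digest(
        record["artifact_sha256"], artifact_digest(artifact))
    commit_ok = signature_ok and record["source_commit"] == audited_commit
    return {"signature_ok": signature_ok, "hash_ok": hash_ok, "commit_ok": commit_ok,
            "trusted": signature_ok and hash_ok and commit_ok}
```

A modified artifact fails the hash check, an edited record fails the signature check, and a genuine record for a different commit fails the commit check, so all three must pass before the binary is trusted.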
Context
StackExchange DevOps Q#6880, answer score: 1