by peterwwillis 2939 days ago
I haven't actually done cryptographically signed continuously released applications before. I was just thinking about how it should work, and it seems a little complicated. I'm not sure how to safely sign the build.

1) You have to sign your code, obviously. If the code isn't signed, none of the resulting build artifacts can be trusted, because where did the code come from?

2) Once your code is signed, you can run a build on verified-only code artifacts, which can produce a build artifact. But if the server doing the build is compromised, you can just put anything at all in the built artifact before it's signed. Sure, you had signed code, but if I can inject my own code into the compiler (or whatever) or just take over the build process and give it my own code, then I can make any kind of build artifact I want.

The only way I can think to "confirm" this build artifact is genuine is to get multiple hosts to independently build the artifact identically and compare them. So you have to have reproducible builds. Which I don't think many people have.

So, what part of the pipeline am I missing?

2 comments

> The only way I can think to "confirm" this build artifact is genuine is to get multiple hosts to independently build the artifact identically and compare them. So you have to have reproducible builds. Which I don't think many people have.

This is an excellent idea, and has been done for Bitcoin and other projects: https://github.com/devrandom/gitian-builder It's probably troublesome to set up for a new project of significant size.

You need reproducible builds, a trusted compiler, or an audit of the compiled binaries. Most of us go for the “trusted compiler” approach, and just really hope we’re right.
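The pipeline the original post sketches (sign the source, build only from verified source, then have several independent hosts build it and compare) and the reproducible-build check the first reply points to, as one added Go example. This code is not from the thread and not from gitian-builder; the Ed25519 keys, the in-memory Source tree, the stand-in Build function and the Builder/Release names are all assumptions made for the example. A real pipeline would verify signed commits or tags and compare hashes of builds from separately controlled machines.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Source is an in-memory source tree (path -> contents). Constructed sample
// input for this example; a real pipeline would hash a git tree or tarball.
type Source map[string][]byte

// sortedPaths fixes a canonical file order so nothing depends on map iteration order.
func sortedPaths(src Source) []string {
	paths := make([]string, 0, len(src))
	for p := range src {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	return paths
}

// SourceDigest is what the developer signs (step 1 in the post).
func SourceDigest(src Source) []byte {
	h := sha256.New()
	for _, p := range sortedPaths(src) {
		// Length-prefix path and contents so "a"+"bc" cannot collide with "ab"+"c".
		fmt.Fprintf(h, "%d:%s%d:", len(p), p, len(src[p]))
		h.Write(src[p])
	}
	return h.Sum(nil)
}

// SignSource: the developer signs the source digest with an Ed25519 key (assumed scheme).
func SignSource(devPriv ed25519.PrivateKey, src Source) []byte {
	return ed25519.Sign(devPriv, SourceDigest(src))
}

// Build is a deterministic stand-in for a compiler: it refuses source whose
// signature does not verify, and its output depends only on the source.
func Build(devPub ed25519.PublicKey, src Source, sig []byte) ([]byte, error) {
	if !ed25519.Verify(devPub, SourceDigest(src), sig) {
		return nil, errors.New("refusing to build: source signature invalid")
	}
	var out bytes.Buffer
	for _, p := range sortedPaths(src) {
		fmt.Fprintf(&out, "// %s\n%s\n", p, src[p])
	}
	return out.Bytes(), nil
}

// Builder is one independent build host (step 2 in the post). A non-empty Inject
// models a compromised host that appends its own code after the honest build step.
type Builder struct{ Inject []byte }

func (b Builder) Run(devPub ed25519.PublicKey, src Source, sig []byte) ([]byte, error) {
	art, err := Build(devPub, src, sig)
	if err != nil {
		return nil, err
	}
	return append(art, b.Inject...), nil
}

// Release runs every host, requires all artifact digests to be identical, and only
// then signs the digest with the release key. One divergent host blocks the release.
func Release(devPub ed25519.PublicKey, relPriv ed25519.PrivateKey, hosts []Builder, src Source, sig []byte) ([]byte, []byte, error) {
	var ref []byte
	for i, h := range hosts {
		art, err := h.Run(devPub, src, sig)
		if err != nil {
			return nil, nil, fmt.Errorf("host %d: %w", i, err)
		}
		d := sha256.Sum256(art)
		if i == 0 {
			ref = d[:]
		} else if !bytes.Equal(ref, d[:]) {
			return nil, nil, fmt.Errorf("host %d built a different artifact (%x != %x)", i, d[:4], ref[:4])
		}
	}
	return ref, ed25519.Sign(relPriv, ref), nil
}

func main() {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	relPub, relPriv, _ := ed25519.GenerateKey(rand.Reader)
	src := Source{"main.c": []byte("int main(void) { return 0; }")}
	sig := SignSource(devPriv, src)
	honest := []Builder{{}, {}, {}}
	digest, relSig, err := Release(devPub, relPriv, honest, src, sig)
	fmt.Printf("3 honest hosts: err=%v, release sig verifies=%v\n", err, ed25519.Verify(relPub, digest, relSig))
	mixed := []Builder{{}, {Inject: []byte("/* backdoor */")}, {}}
	_, _, err = Release(devPub, relPriv, mixed, src, sig)
	fmt.Println("1 compromised host:", err)
}
```

Two things the run makes concrete. First, the source signature does nothing for the artifact: the compromised host builds perfectly valid signed source and only then appends its payload, so with a single build host Release would happily sign the backdoored digest. It is caught only because two other hosts disagree. Second, the comparison is only meaningful if every host produces byte-identical output from the same input, which in a real toolchain means pinning the compiler, flags, timestamps and environment; if honest hosts diverge from each other, the check fails open into "ignore the mismatch", and that setup effort is the part the reply calls troublesome.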