this post was submitted on 13 Aug 2023
76 points (96.3% liked)

Open Source

31385 readers
189 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

I have forked a project's source code on GitHub. The program takes a private key as an input and that key must never leave the client. If I want to share a pre-built executable as a release it is essential that I can prove beyond reasonable doubt that it is built from the published source.

I have learned about how to publish the releases by using a Workflow in the GitHub actions such that GitHub itself will build the project and then repare a release draft with the built files as well as the file hashes..

However, I noticed that the release is first drafted, and at that point I have the option to manually swap the executable and the hashes. As far as I can tell, a user will not be able to tell if I swapped a file and its corresponding hashes. Or, is there a way to tell?

One potential solution that I have found is that I can pipe the output of the hashing both to a file that is stored and also to the publicly visible logs by using "tee". This will make it such that someone can look through the logs of the build process and confirm that the hashes match the hashes published in the release.

Like this:

I would like to know whether:

  • There is already some built-in method to confirm that a file is the product of a GitHub workflow

  • The Github Action logs can easily be tampered by the repo owner, and the hashes in the logs can be swapped, such that my approach is still not good enough evidence

  • If there is another, perhaps more standard method, to prove that the executable is built from a specific source code.

you are viewing a single comment's thread
view the rest of the comments
[–] jet@hackertalks.com 26 points 1 year ago* (last edited 1 year ago) (1 children)

Reproducible builds. And then multiple parties to confirm the build. So a reproducible build and then f Droid to build the product would allow people to have confidence that they have the right thing. But if people are truly concerned about security they should build it from the source directly and then verify that signature against your reproducible build

[–] max@nano.garden 2 points 1 year ago* (last edited 1 year ago) (1 children)

Thanks! I am convinced now, I will learn how to create reproducible builds.

My worry is that the build is run through npm, and I think that the dependencies rely on additional dependencies such as openssl libraries. I worry that it will be a lot of work to figure out what every npm dependency is, what libraries they depend on, and how to make sure that the correct versions can be installed and linked by someone trying to reproduce the build 10 years from now. So it looks like a difficult project, but I will read more about it and hopefully it is not as complicated as it looks!

[–] jet@hackertalks.com 2 points 1 year ago (1 children)

there are some excellent blogs/articles and books on it. Basically your entire build chain has to be tooled for reproducibility, so things like Rust are very good as a foundation.

[–] max@nano.garden 2 points 1 year ago

Ooh, I did not know this one was of the properties of Rust.