@heals@lemmy.ml avatar

heals

@[email protected]

☙ Heals
☙ hobby artist, code witch & variety streamer
☙ part-time pineapple
☙ 36, ♒️♒️♎️, enby/GF, INFP

This profile is from a federated server and may be incomplete. Browse more on the original instance.

How can I prove that a downloadable executable is built from the published source?

I have forked a project’s source code on GitHub. The program takes a private key as an input and that key must never leave the client. If I want to share a pre-built executable as a release it is essential that I can prove beyond reasonable doubt that it is built from the published source....

heals,
@heals@lemmy.ml avatar

Github doesn’t do any signing at all nor do they rally care about the actual output of actions, pipelines or manual releases (all of that is out of their interest scope).

If there’s any means of a ‘secret store’ for the build actions then you could store a keypair for signing the binaries as far as your target binary format and platforms support it (or go for something like a detached gpg-signature that can be stored with the build or in a central ‘trusted’ repository so the binary can be verified against it later).

You users however would still have no easy means to verify that signature on most platforms unless they are tech-savvy. (macOS code signing / notarization and gatekeeper check would be an example of a platform that would notify users and even fail to run the binary if it was tampered with).

  • All
  • Subscribed
  • Moderated
  • Favorites
  • random
  • uselessserver093
  • Food
  • aaaaaaacccccccce
  • test
  • CafeMeta
  • testmag
  • MUD
  • RhythmGameZone
  • RSS
  • dabs
  • KamenRider
  • Ask_kbincafe
  • TheResearchGuardian
  • KbinCafe
  • Socialism
  • oklahoma
  • SuperSentai
  • feritale
  • All magazines
    •