Documentation index

Sharing certifications

How could users gain trust that a build has not been compromised by exchanging certifications attesting that they all have been able to get the same build results?

Debian is thinking of allowing multiple Debian Developers to upload signatures attesting that they have been able to reproduce a build.

The question is also related to the work lead by Ben Laurie on binary transparency. The idea is to have an append-only log similar to Certificate Transparency which could be used to authenticate binaries.

More research is required in this area to make reproducible builds more effective in detecting compromise early.

Documentation index

Follow us on Twitter @ReproBuilds, Mastodon & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches for this website welcome via our Git repository (instructions) or via our mailing list. • Full contact info