> I think mentioning sigstore is valuable. Reproducible builds let you verify that
> a given build *is* generated from a given source; sigstore can let you
> verify that you got the *correct* source or build.
I think mentioning sigstore is a good idea (full disclosure: I'm involved in the effort), and I think it's somewhat of a natural consequence of the work that Benjamin Hof [1] and Morten Linderud [2] (both of them involved in this very community) started talking about.

However, I don't think that "sigstore can let you verify that you got the *correct* source or build" is a correct way to frame things. For that, you would need something like in-toto (so as to verify that the source used is the same, that the output is the same, and that a threshold of builders agree on the result of the operation).

Sigstore is useful in answering questions about artifact discovery (i.e., to provide a log of the existing artifacts), when they appeared, and to remove equivocation about an artifact being published. It in fact provides a pluggable type backend (early on, it was only in-toto attestations) so that you can upload different types of attestations about a software artifact. This way, you can upload signatures for artifacts that are cross-ecosystem. Ideally, you can achieve a more global notion of the state of the software supply chain this way.

Do notice that verification is not part of the user story yet (i.e., anybody can claim to own any artifact).

Cheers!
-Santiago

[1] https://arxiv.org/abs/1711.07278
[2] https://bora.uib.no/bora-xmlui/handle/1956/20411

> --- David A. Wheeler
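The distinction drawn above (a log that records who claimed what about an artifact, versus an in-toto-style check that the source digest matches, the output digest matches, and a threshold of builders agree) can be made concrete. The following is an added example, not code from the original thread, from sigstore or from in-toto: it uses a simplified, in-toto-like attestation layout of my own, constructed sample source and build bytes, and hypothetical per-builder HMAC keys as a stand-in for real asymmetric signatures so that it runs offline with only the standard library.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample source and build outputs (not real artifacts).
SOURCE = b"package-1.0.tar.gz contents (constructed)"
GOOD_OUTPUT = b"package_1.0_amd64.deb contents (constructed)"
BAD_OUTPUT = b"package_1.0_amd64.deb contents, but different (constructed)"

# Hypothetical per-builder keys. Real in-toto envelopes carry asymmetric
# signatures; HMAC is used here only so the example runs offline.
BUILDER_KEYS = {
    "builder-a": b"key-a",
    "builder-b": b"key-b",
    "builder-c": b"key-c",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_attestation(builder: str, key: bytes, source: bytes, output: bytes) -> dict:
    """Produce a simplified in-toto-style attestation: the statement records
    the input (material) and output (product) digests, and the envelope
    carries a signature over the canonical JSON of that statement."""
    statement = {
        "_type": "example/statement",            # hypothetical type name
        "materials": [{"uri": "src.tar.gz", "digest": {"sha256": sha256(source)}}],
        "products": [{"uri": "out.deb", "digest": {"sha256": sha256(output)}}],
        "builder": builder,
    }
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, "sha256").hexdigest()
    return {"payload": payload.decode(), "signatures": [{"keyid": builder, "sig": sig}]}


def verify_attestation(att: dict, keys: dict) -> Optional[dict]:
    """Return the statement if a signature verifies under a trusted key whose
    id matches the builder named in the statement; otherwise None. An
    attestation from an unknown key is simply a claim and carries no weight."""
    payload = att["payload"].encode()
    for s in att["signatures"]:
        key = keys.get(s["keyid"])
        if key is None:
            continue
        expected = hmac.new(key, payload, "sha256").hexdigest()
        if hmac.compare_digest(expected, s["sig"]):
            stmt = json.loads(payload)
            if stmt.get("builder") != s["keyid"]:
                return None  # key holder is not the builder they claim to be
            return stmt
    return None


def agreed_product(attestations, expected_source_sha256: str, keys: dict, threshold: int) -> Optional[str]:
    """Return the product digest that at least `threshold` distinct trusted
    builders attest to for exactly the expected source, or None.

    Attestations that fail verification, name a different source, or come
    from a builder already counted do not move the tally."""
    votes = {}  # product digest -> set of builder ids that produced it
    for att in attestations:
        stmt = verify_attestation(att, keys)
        if stmt is None:
            continue
        materials = {m["digest"]["sha256"] for m in stmt["materials"]}
        if materials != {expected_source_sha256}:
            continue  # built from some other source: no evidence for this one
        for p in stmt["products"]:
            votes.setdefault(p["digest"]["sha256"], set()).add(stmt["builder"])
    for digest, builders in votes.items():
        if len(builders) >= threshold:
            return digest
    return None


if __name__ == "__main__":
    atts = [
        make_attestation("builder-a", BUILDER_KEYS["builder-a"], SOURCE, GOOD_OUTPUT),
        make_attestation("builder-b", BUILDER_KEYS["builder-b"], SOURCE, GOOD_OUTPUT),
        make_attestation("builder-c", BUILDER_KEYS["builder-c"], SOURCE, BAD_OUTPUT),
    ]
    print("agreed product (2-of-3):", agreed_product(atts, sha256(SOURCE), BUILDER_KEYS, 2))
    print("agreed product (3-of-3):", agreed_product(atts, sha256(SOURCE), BUILDER_KEYS, 3))
```

The point of the example is which inputs do not count: an attestation signed by a key the verifier does not trust, one whose signed statement names a different source, a tampered payload, or a second attestation from a builder already tallied. A transparency log alone answers "who published what, when"; the threshold check above is the extra step that turns that into "this output is the one these builders agree the source produces".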