The most common signing mechanism for open-source software is using GPG signatures. For example, GPG is used to sign Git commits and Debian packages. There is no built-in mechanism for key rotation and key compromise. And if forced to, a single developer can subvert all machines which trust the corresponding GPG key.
That's where the Codechain tool comes in. It establishes code trust via multi-party reviews recorded in unmodifiable hash chains.
Codechain allows to only publish code that has been reviewed by a preconfigured set of reviewers. The signing keys can be rotated and the reviewer set flexibly changed.
Every published code state is uniquely identified by a deterministic source tree hash stored in the hash chain, signed by a single responsible developer.
Codechain uses files to store the hash chain, not a distributed "blockchain".
To install a trusted Codechain version that can be updated in a trusted way you have to bootstrap it.
To install the latest developer version (not recommended):
go get -u -v github.com/frankbraun/codechain/...
(How to install Go. Add $GOPATH/bin
to your $PATH
.)
codechain
uses the following config directories:
- POSIX (Linux/BSD):
~/.config/codechain
- Mac OS:
$HOME/Library/Application Support/Codechain
- Windows:
%LOCALAPPDATA%\Codechain
- Plan 9:
$home/Codechain
secpkg
and ssotpub
use accordingly named directories.
- Minimal code base, Go only, cross-platform.
- Single source of truth (SSOT) with DNS
Codechain depends on the git
binary (for git diff
), but that's optional.
- Source code management. Git and other VCS systems are good for that, Codechain can be used alongside them and solves a different problem.
- Code distribution (minimal support is provided via
codechain createdist
andcodechain apply -f
). - Reproducible builds.
- Walkthrough
- Presentation about Codechain
- Directory tree hashes and lists
- Hash chain file format
- Patchfile format
- SSOT with DNS TXT records
- Secure packages (
.secpkg
files)
Codechain has been heavily influenced by discussions with Jonathan Logan of Cryptohippie, Inc. Many thanks to Michael Parenti for the logo.