crev-dev / cargo-crev

A cryptographically verifiable code review system for the cargo (Rust) package manager.
Apache License 2.0

Release GPG-signed binary #563

Open Kixunil opened 1 year ago

Kixunil commented 1 year ago

This is basically a replacement of #537

To avoid cargo-crev itself being compromised it'd be helpful for a few independent developers to sign its deterministically-built binary and publish it with the release. This also bypasses the problem of getting the newest Rust from a trusted source (assuming the maintainers did).

GPG is widely-used, understood and available in distros so I think it's the best choice. The keys can be distributed via keybase or other independent channels.

aikooo7 commented 9 months ago

I agree with the idea. If the team wants to, they can do something like the Tails team does, that is, share a key among a selected number of members using, for example, Shamir's secret sharing, and having backup people.

Kixunil commented 9 months ago

@aikooo7 SSSS is not really suitable for this. Just make multiple signatures so that we can avoid problems if one of the signing machines is compromised.
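The "multiple independent signatures" scheme proposed in the opening post and restated above (independent developers each sign the deterministically built binary; a downloader needs several of them to agree before trusting it) can be checked mechanically on the consuming side. The script below is an added illustration, not part of cargo-crev or its release process. It assumes each maintainer publishes a separate detached signature file next to the binary, that the verifier has obtained the maintainers' primary-key fingerprints through an independent channel (e.g. Keybase, as the issue suggests) and pinned them in `TRUSTED_SIGNERS`, and that the `gpg` CLI is installed. The sample `[GNUPG:]` status lines at the bottom are constructed test fixtures, not real gpg output for any real key.

```python
"""Verify a release binary against several independent detached GPG signatures.

Hypothetical verifier (not cargo-crev's own code). Each maintainer signs the
deterministically built binary on their own machine and publishes a separate
detached signature. This script pins the maintainers' primary-key fingerprints
and requires a threshold of *distinct* pinned keys to have produced valid
signatures, so a single compromised signing machine cannot by itself make a
release acceptable.
"""
import subprocess
import sys
from pathlib import Path
from typing import List, Optional, Set, Tuple

# Pinned maintainer fingerprints (placeholders; obtain the real ones out of band).
TRUSTED_SIGNERS: Set[str] = {
    "0123456789ABCDEF0123456789ABCDEF01234567",  # constructed placeholder "maintainer A"
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98",  # constructed placeholder "maintainer B"
}
REQUIRED_SIGNERS = 2  # how many distinct pinned keys must have signed


def valid_signer_fingerprints(status_output: str) -> Set[str]:
    """Extract primary-key fingerprints from `gpg --status-fd` output.

    gpg emits '[GNUPG:] VALIDSIG <sig-key-fpr> ... <primary-key-fpr>' only for
    a signature that verified cryptographically. BADSIG, ERRSIG and EXPKEYSIG
    lines never contribute a fingerprint, so a bad signature counts for nothing.
    """
    fprs: Set[str] = set()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]" or parts[1] != "VALIDSIG":
            continue
        # Field 12 is the primary-key fingerprint (signing subkeys map back to
        # the maintainer's primary key); fall back to the signing key otherwise.
        fprs.add((parts[11] if len(parts) >= 12 else parts[2]).upper())
    return fprs


def evaluate_signatures(status_outputs: List[str], trusted: Set[str],
                        threshold: int) -> Tuple[bool, Set[str]]:
    """Count distinct pinned signers across all signature files.

    The same key signing twice counts once; signatures from keys that are not
    pinned are ignored even if they verify, since anyone can add a valid
    signature from a key they control.
    """
    normalized = {f.replace(" ", "").upper() for f in trusted}
    seen: Set[str] = set()
    for status in status_outputs:
        seen |= valid_signer_fingerprints(status) & normalized
    return len(seen) >= threshold, seen


def gpg_status(signature: Path, binary: Path, keyring: Optional[Path] = None) -> str:
    """Run gpg on one detached signature and return its machine-readable status."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify"]
    if keyring is not None:
        # Dedicated keyring holding only the pinned release-signing keys.
        cmd += ["--no-default-keyring", "--keyring", str(keyring.resolve())]
    cmd += [str(signature), str(binary)]
    # Exit status is deliberately ignored: the decision rests on VALIDSIG lines.
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def verify_release(binary: Path, signatures: List[Path],
                   keyring: Optional[Path] = None) -> Tuple[bool, Set[str]]:
    statuses = [gpg_status(sig, binary, keyring) for sig in signatures]
    return evaluate_signatures(statuses, TRUSTED_SIGNERS, REQUIRED_SIGNERS)


# Constructed sample status output for the checks below (not real gpg output).
_VALIDSIG_TAIL = "2024-01-01 1704067200 0 4 0 1 10 00"
SAMPLE_STATUS_A = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF maintainer A (placeholder)\n"
    f"[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 {_VALIDSIG_TAIL} "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
)
SAMPLE_STATUS_B = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG FEDCBA9876543210 maintainer B (placeholder)\n"
    f"[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 {_VALIDSIG_TAIL} "
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
)
SAMPLE_STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF maintainer A (placeholder)\n"
SAMPLE_STATUS_UNPINNED = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 {_VALIDSIG_TAIL} "
    "0000111122223333444455556666777788889999\n"
)

if __name__ == "__main__":
    # Usage: verify_release.py <binary> <sig1.asc> <sig2.asc> ... [--keyring file]
    args = sys.argv[1:]
    keyring = Path(args.pop(args.index("--keyring") + 1)) if "--keyring" in args else None
    args = [a for a in args if a != "--keyring"]
    ok, signers = verify_release(Path(args[0]), [Path(s) for s in args[1:]], keyring)
    print(("OK" if ok else "REJECT"), "distinct pinned signers:", sorted(signers))
    sys.exit(0 if ok else 1)
```

The important property is in `evaluate_signatures`: the count is over distinct pinned primary keys, so two signatures from one maintainer's key (or a key that merely verifies but was never pinned) do not reach the threshold. Pinning primary-key fingerprints rather than relying on web-of-trust state is what lets the check stay independent of whatever keys happen to be in the verifier's default keyring.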