frankbraun / codechain

Codechain — code trust through hash chains
The Unlicense

In code we trust: Secure multiparty code reviews with signatures and hash chains.

The most common signing mechanism for open-source software is GPG signatures. For example, GPG is used to sign Git commits and Debian packages. There is no built-in mechanism for key rotation or for dealing with key compromise, and if forced to, a single developer can subvert every machine that trusts the corresponding GPG key.

That's where the Codechain tool comes in. It establishes code trust via multi-party reviews recorded in unmodifiable hash chains.

Codechain allows only code that has been reviewed by a preconfigured set of reviewers to be published. The signing keys can be rotated and the reviewer set changed flexibly.

Every published code state is uniquely identified by a deterministic source tree hash stored in the hash chain, signed by a single responsible developer.

Codechain uses files to store the hash chain, not a distributed "blockchain".
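The following Go program is an added illustration of the two mechanisms described above, a deterministic source tree hash and a signed hash chain, and is not Codechain's own code. Its tree hash encoding, chain entry layout and use of Ed25519 are assumptions chosen for the example; Codechain's real formats differ. It shows that the tree hash is independent of file ordering, that every chain entry commits to its predecessor and is signed by one developer, and that verification rejects a tampered entry or a signer outside the trusted set.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// treeHash returns a deterministic hash over a source tree given as a
// path -> content map. Paths are sorted first, so Go's randomised map
// iteration order cannot influence the result. The encoding is an
// assumption for this example, not Codechain's own tree hash format.
func treeHash(files map[string]string) [32]byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		fh := sha256.Sum256([]byte(files[p]))
		// length-prefix the path so "a/b"+"c" and "a/"+"bc" cannot collide
		fmt.Fprintf(h, "%d:%s:%x\n", len(p), p, fh)
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// entry is one link in the hash chain: it commits to the previous entry
// and to a tree hash, and carries the signature of the developer who
// published this code state.
type entry struct {
	Prev   [32]byte          // hash of the previous entry (zero for genesis)
	Tree   [32]byte          // deterministic source tree hash
	Signer ed25519.PublicKey // responsible developer
	Sig    []byte            // Ed25519 signature over Prev||Tree
}

// message is the byte string the developer signs for an entry.
func (e entry) message() []byte {
	return append(append([]byte{}, e.Prev[:]...), e.Tree[:]...)
}

// hash is what the next entry links to; it covers the signature as well.
func (e entry) hash() [32]byte {
	return sha256.Sum256(append(e.message(), e.Sig...))
}

// appendEntry publishes tree on top of chain, signed by priv.
func appendEntry(chain []entry, tree [32]byte, priv ed25519.PrivateKey) []entry {
	var prev [32]byte
	if n := len(chain); n > 0 {
		prev = chain[n-1].hash()
	}
	e := entry{Prev: prev, Tree: tree, Signer: priv.Public().(ed25519.PublicKey)}
	e.Sig = ed25519.Sign(priv, e.message())
	return append(chain, e)
}

// verifyChain walks the chain from genesis, checking the link to the
// predecessor and the signature of each entry against the trusted signer
// set. On success it returns the tree hash of the head, i.e. the code
// state a verifier may trust.
func verifyChain(chain []entry, trusted []ed25519.PublicKey) ([32]byte, error) {
	if len(chain) == 0 {
		return [32]byte{}, errors.New("empty chain")
	}
	var prev [32]byte
	for i, e := range chain {
		if e.Prev != prev {
			return [32]byte{}, fmt.Errorf("entry %d: broken link", i)
		}
		if !isTrusted(e.Signer, trusted) {
			return [32]byte{}, fmt.Errorf("entry %d: signer not in trusted set", i)
		}
		if !ed25519.Verify(e.Signer, e.message(), e.Sig) {
			return [32]byte{}, fmt.Errorf("entry %d: bad signature", i)
		}
		prev = e.hash()
	}
	return chain[len(chain)-1].Tree, nil
}

func isTrusted(k ed25519.PublicKey, trusted []ed25519.PublicKey) bool {
	for _, t := range trusted {
		if t.Equal(k) {
			return true
		}
	}
	return false
}

// newSigner generates a fresh developer key (hypothetical helper).
func newSigner() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// trustedSet derives the public keys that a verifier is configured to trust.
func trustedSet(privs ...ed25519.PrivateKey) []ed25519.PublicKey {
	keys := make([]ed25519.PublicKey, 0, len(privs))
	for _, p := range privs {
		keys = append(keys, p.Public().(ed25519.PublicKey))
	}
	return keys
}

func main() {
	dev := newSigner()
	var chain []entry
	chain = appendEntry(chain, treeHash(map[string]string{"main.go": "package main\n"}), dev)
	chain = appendEntry(chain, treeHash(map[string]string{"main.go": "package main\n\nfunc main() {}\n"}), dev)
	head, err := verifyChain(chain, trustedSet(dev))
	fmt.Printf("trusted head tree hash: %x (err=%v)\n", head, err)
}
```

Because each entry's hash covers the previous hash, the tree hash and the signature, changing any published state after the fact breaks every later link, and a verifier that holds only the trusted key set and the chain file can detect it without contacting a server.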

Installation

Bootstrapping

To install a trusted Codechain version that can itself be updated in a trusted way, you have to bootstrap it.

Developer version

To install the latest developer version (not recommended):

go get -u -v github.com/frankbraun/codechain/...

(How to install Go. Add $GOPATH/bin to your $PATH.)

Config directories

codechain uses the following config directories:

secpkg and ssotpub use accordingly named directories.

Features

Codechain uses the git binary (for git diff) when it is available, but this dependency is optional.

Out of scope

Documentation

Acknowledgments

Codechain has been heavily influenced by discussions with Jonathan Logan of Cryptohippie, Inc. Many thanks to Michael Parenti for the logo.