Users can verify lineageOS-built software artifacts with sigstore (and someday, SLSA) manually and with the lineageos updater android app
(because sha256 without crytographic signatures is not good enough according to TUF, Sigstore, and SLSA)
[ ] Decide whether to start with SLSA, Sigstore, or just TUF
SLSA supports Sigstore
Sigstore depends on TUF to be verified itself
blockcerts/cert-verifier-js is another approach (built with W3C Verfiable Credentials and W3C DID Decentralized Identifier keys instead of OIDC OpenID Connect)
The CLIs, when used to sign a software artifact, basically run the following procedure:
1) Generate a disposable key pair
2) Obtain a customizable OIDC token (e.g., for a workflow, VM, or Gmail user)
3) Request a public-key certificate from Fulcio using the key pair and the token
4) Digitally sign (the hash of) the software artifact using the private key
5) Timestamp the signature using Rekor
6) Output the certificate, the digital signature from step 4, and the timestamp data from step 5
Then the authenticity of a software artifact can be verified offline with the following proofs:
a) The output from step 6
b) The root certificate of Fulcio
c) The public key that Rekor used to sign the timestamp data
The Rekor project provides a restful API based server for validation and a transparency log for storage. A CLI application is available to make and verify entries, query the transparency log for inclusion proof, integrity verification of the transparency log or retrieval of entries by either public key or artifact.
Users can verify lineageOS-built software artifacts with sigstore (and someday, SLSA) manually and with the lineageos updater android app (because sha256 without crytographic signatures is not good enough according to TUF, Sigstore, and SLSA)
TUF
TUF: The Update Framework
python-tuf
tuf-js
go-tuf
Sigstore
fulcio
rekor
cosign
sigstore-js
sigstore-java
sigstore-python
SLSA