open-eid / firefox-pkcs11-loader

DEPRECATED This package provides a helper script for Firefox that sets up the browser for authentication with Estonian ID-card
GNU Lesser General Public License v2.1

Secure Download and Builds (cryptographic authenticity checks with pinned keys) #37

Closed maltfield closed 1 week ago

maltfield commented 2 years ago

Feature request: please provide a way for people to securely download the source and dependencies.

Problem

Currently there is no (documented) way to download the latest version of this software safely. After download, it should be possible to check the cryptographic authenticity of the code in a way that doesn't rely on the integrity of the infrastructure provider (e.g. GitHub) and instead whose cryptographic authenticity and integrity checks utilize a single pinned code signing key that's kept in cold storage by the development or release team.

Solution

A few things should be done:

  1. All commits should be cryptographically signed using developer's PGP keys
  2. The repo should be configured such that any unsigned commits are rejected
  3. Documentation should be written telling the user how to confirm the authenticity and integrity of commits using git and gpg

Why

For a short list of historically relevant cases showing why this is important, see:

kristelmerilain commented 1 week ago

Thank you for the feedback. I will close this issue since the active development and management of the Firefox PKCS11 Loader component has ended due to the transition to the OpenSC pkcs11-register tool.
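The check requested in the issue above, sketched as an added example (not code from this project or from either commenter): `git verify-commit` succeeds for any key in the local keyring, so the script reads GnuPG's machine-readable status lines and accepts a signature only when its primary key fingerprint equals a pinned value. `PINNED_FPR` is a constructed placeholder, the function names are hypothetical, and the release key is assumed to be already imported into the keyring.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a constructed placeholder, not a real project key.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status STATUS_TEXT PIN
# Returns 0 only if the GnuPG status text reports exactly one good signature
# whose primary key fingerprint equals PIN, with no expired, revoked,
# bad or unverifiable signature reported alongside it.
check_status() {
    printf '%s\n' "$1" | awk -v pin="$2" '
        $1 != "[GNUPG:]" { next }            # ignore anything that is not a status line
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "GOODSIG" { good++ }
        $2 == "VALIDSIG" {
            valid++
            # Field 3 is the signing (sub)key; field 12, when present,
            # is the primary key fingerprint, which is what gets pinned.
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == toupper(pin)) pinned = 1
        }
        END { exit !(good == 1 && valid == 1 && pinned && !bad) }
    '
}

# verify_commit REV: check a commit signature against the pinned key.
# --raw makes git print the GnuPG status output on stderr.
verify_commit() {
    status=$(git verify-commit --raw "$1" 2>&1 >/dev/null) || return 1
    check_status "$status" "$PINNED_FPR"
}

# verify_tag TAG: the same check for a signed release tag.
verify_tag() {
    status=$(git verify-tag --raw "$1" 2>&1 >/dev/null) || return 1
    check_status "$status" "$PINNED_FPR"
}

# Usage inside a clone:  verify_commit HEAD && echo "signed by pinned key"
```

The pinned fingerprint has to reach the user over a channel other than the repository host for the check to be independent of that host.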