Sign deployments with AppVeyor key - reopen
Hello,
I found this previous post about possibly signing deployments with an AppVeyor key, so that users can verify that what they download (through Github releases or similar) was actually built by AppVeyor.
My problem is that I see the compiled code hosted somewhere (Github releases, in this case), and want to confirm there's nothing malicious by reviewing the code for it myself. Doing this would not do me any good, though, because I don't know for sure that the code uploaded to Github releases came from the source code. I can see that AppVeyor built a specific version of the code, but I don't know if that built artifact is the one I'm downloading.
If the code is simply signed by a generic AppVeyor key, of course I do not have any proof that it was from a specific build or commit. Here are a few ways I would see the problem being solved:
- AppVeyor simply displays the sha256sum of the built artifacts (even after the content has expired and been purged) -- I could then match this with what I'm downloading from Github releases.
- AppVeyor signs the artifact (creating a .sig file, like suggested in the previous post) using an app-specific key known only to AppVeyor (and out of reach of the user-defined build process). As a consumer of the software, I could then grab the public key for that app/pipeline/repo, and use it to verify that it is the code I want.
- AppVeyor provides SLSA/in-toto attestations to cryptographically attest that the artifact came from the repo/commit. It could use a single private key for all apps/repos in this case.
I tried to find out if AppVeyor already has something that would help in this situation, and so far have not found it, so I am wondering if there is something like this available that I haven't found, or else, if it has been discussed or could potentially be a feature of the product in the future.
For reference, I'm wanting to use the software "git-tfs", and I made an issue there to potentially have them log out the hash in the build, but it would be so much more convenient if I could just verify the artifact and not rely on internet services.
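The check behind the second and third options above, as an added example that is not part of this post or of AppVeyor: a CI-held Ed25519 key signs a minimal statement binding the artifact's sha256 to a repo and commit, and the consumer verifies the signature, the digest of the bytes actually downloaded, and the repo/commit. The key pair, repo name, commit id and artifact bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Attestation is a constructed, minimal stand-in for an in-toto/SLSA-style
// provenance statement: it binds the artifact digest to a repo and commit.
type Attestation struct {
	Repo, Commit, SHA256 string
}

// Sign is the CI side: hash the artifact and sign the statement with the
// CI-held key (assumed to be unreachable from the user-defined build steps).
func Sign(priv ed25519.PrivateKey, repo, commit string, artifact []byte) (stmt, sig []byte) {
	sum := sha256.Sum256(artifact)
	stmt, _ = json.Marshal(Attestation{repo, commit, hex.EncodeToString(sum[:])})
	return stmt, ed25519.Sign(priv, stmt)
}

// Verify is the consumer side: the signature must check out under the CI public
// key, the downloaded bytes must hash to the attested digest, and the statement
// must name the repo/commit whose source the consumer actually reviewed.
func Verify(pub ed25519.PublicKey, stmt, sig, artifact []byte, repo, commit string) error {
	if !ed25519.Verify(pub, stmt, sig) {
		return fmt.Errorf("statement signature does not verify under the CI key")
	}
	var a Attestation
	if err := json.Unmarshal(stmt, &a); err != nil {
		return err
	}
	if got := sha256.Sum256(artifact); a.SHA256 != hex.EncodeToString(got[:]) {
		return fmt.Errorf("artifact digest %s does not match attested %s", hex.EncodeToString(got[:]), a.SHA256)
	}
	if a.Repo != repo || a.Commit != commit {
		return fmt.Errorf("attestation is for %s@%s, not %s@%s", a.Repo, a.Commit, repo, commit)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the CI key pair
	artifact := []byte("constructed release binary bytes")
	stmt, sig := Sign(priv, "example/git-tfs", "0123abcd", artifact)
	fmt.Println("genuine:", Verify(pub, stmt, sig, artifact, "example/git-tfs", "0123abcd"))
	fmt.Println("tampered:", Verify(pub, stmt, sig, append(artifact[:len(artifact):len(artifact)], '!'), "example/git-tfs", "0123abcd"))
}
```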