
Let’s say we have some open source project at GitHub with its source code. I want to deploy it to some server and let people access some informative page/tool/whatever that informs in some trustworthy way that what was effectively deployed to the server was exactly the code that is in the repository.

Is there something that can help with this? Maybe an open source tool like Travis-CI that can help verify that a deploy was done using the latest code from X branch? Or perhaps there is a known way to do this using some kind of checksum for deployable source code?

Any help/guidance would be much appreciated.

leog

1 Answer


This is a build issue: you need to be able to include in your compiled delivery the checksum which shows from which sources said deliverable has been compiled.

It depends on your compilation language.

Go, for instance, would use build flags (as in this example):

go build -i -v -ldflags="-X main.version=$(git describe --always --long --dirty)" github.com/MyUserName/MyProject

Travis-CI would use the same ldflags, but with a fixed value.

This example simply adds the Git commit as a flag.

script:
  - go get -t -v ./...
  - diff -u <(echo -n) <(gofmt -d .)
  - go vet $(go list ./... | grep -v /vendor/)
  - go test -v -race ./...
  # Only build binaries from the latest Go release.
  - if [ "${LATEST}" = "true" ]; then gox -os="linux darwin windows" \
      -arch="amd64" -output="logshare.." \
      -ldflags "-X main.Rev=`git rev-parse --short HEAD`" -verbose ./...; fi

Again, this is a build step, before the deployment step.
And it is illustrated for Go, but the idea remains the same for any other language.

At runtime, the program is able to display its version and let the user know the GitHub reference: they can check that the reference is the one used for the build.


Alternative approach: signing a Docker image

Then your Travis-CI could apply that on build stages for sharing that image.
But you will need to manage the Docker Content Trust (DCT) keys.

VonC
  • Thanks for the answer VonC. Seems like you went for the checksum solution, which will mean a lot of extra work. I was hoping to get information about a tool that could certify through a trusted party, which could be someone from the organization in charge of the repository, that the exposed code does correspond to the latest code. Searching a little bit more I found trusted images from Docker, does anyone have more detailed information about using that approach? – leog Apr 23 '19 at 23:49
  • @leog I have updated the answer to include that alternative approach, but it seems to involve quite a bit of work too. – VonC Apr 24 '19 at 06:51
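As an added example (not code from the answer or from any project it mentions), this is the runtime side of the `-ldflags "-X main.Rev=..."` approach in Go: `Rev` is filled by the linker from `git describe --always --long --dirty`, and the program refuses to vouch for a build whose embedded reference is missing, malformed or `-dirty`, since such a binary matches no commit a user could compare against. It goes slightly beyond the answer by parsing the describe string into its parts; `MyUserName/MyProject` is the placeholder URL from the answer's `go build` line.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// Rev is overwritten at link time, as in the answer's build line:
//   go build -ldflags="-X main.Rev=$(git describe --always --long --dirty)" .
var Rev = "unknown" // a binary built without that flag keeps this and fails Verify

// BuildRef is the parsed form of one `git describe --always --long --dirty` string.
type BuildRef struct {
	Tag    string // nearest tag; empty when git fell back to a bare hash
	Ahead  int    // commits since Tag
	Commit string // abbreviated commit hash to publish next to the deploy
	Dirty  bool   // uncommitted changes were present at build time
}

// Matches "v1.2.0-3-gabc1234" and bare "abc1234", each with an optional "-dirty".
var describeRe = regexp.MustCompile(`^(?:(.+)-(\d+)-g)?([0-9a-f]{7,40})(-dirty)?$`)

// Verify rejects anything that cannot be tied to a commit in the repository: the
// "unknown" default, garbage, or a dirty tree (which matches no commit at all).
func Verify(rev string) (BuildRef, error) {
	m := describeRe.FindStringSubmatch(rev)
	if m == nil {
		return BuildRef{}, fmt.Errorf("not a git describe string: %q", rev)
	}
	ref := BuildRef{Tag: m[1], Commit: m[3], Dirty: m[4] != ""}
	if m[2] != "" {
		ref.Ahead, _ = strconv.Atoi(m[2]) // digits only, so Atoi cannot fail
	}
	if ref.Dirty {
		return ref, errors.New("built from a modified working tree: " + rev)
	}
	return ref, nil
}

// main is the "about" output: a link the user can follow to compare the running
// binary with the exact sources it was built from (placeholder repository URL).
func main() {
	ref, err := Verify(Rev)
	if err != nil {
		fmt.Println("unverifiable build:", err)
		return
	}
	fmt.Printf("built from https://github.com/MyUserName/MyProject/commit/%s\n", ref.Commit)
}
```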