1

Assume I have an open-source github repo, and I offer paid services, using a solution in that repo.

Is there a way I can prove, that the online service really uses the code/release from that repo, without modifications/additions, etc?

Ideally, I am lookin for some form of cryptographic proof, not a "third-party review" or "bounty program". This is valuable, in case the nature of those services is secure, and each user would want to be able to review the code and ensure, that the specific, unchanged version of the code is powering the services. We can assume running a docker image inside AWS ECS or similar service, so that we avoid all platform-dependent differnces.

Rustem Mustafin
  • 957
  • 1
  • 11
  • 23

1 Answers1

2

It depends on what you mean by "prove". The Notary v2 project aims to extend the OCI specification to include cryptographic signatures of container images. This will allow the user of a container image to independently verify that a specific image was published by the holder of the private key (similar to how TLS certificates work with https). However, it seems like you are asking for the ability for end users of your service to also verify the software that you are running. You could share the signatures of the images, but unless you give your users access to the actual container orchestration system you are using there would be no way for them to know that you are running the images you claim to be running.

Nick C
  • 424
  • 3
  • 2
  • Sounds cool! It looks like if the container can get its own signature and publish it via an API, that would at least be close to what I imagined! Thanks for the answer. – Rustem Mustafin May 20 '21 at 20:56