Skip to content

Codechain — code trust through hash chains

License

Notifications You must be signed in to change notification settings

webboot/codechain

 
 

Repository files navigation

Codechain — code trust through hash chains

Logo

GoDoc Build Status Go Report Card

In code we trust: Secure multiparty code reviews with signatures and hash chains.

The most common signing mechanism for open-source software is using GPG signatures. For example, GPG is used to sign Git commits and Debian packages. There is no built-in mechanism for key rotation and key compromise. And if forced to, a single developer can subvert all machines which trust the corresponding GPG key.

That's where the Codechain tool comes in. It establishes code trust via multi-party reviews recorded in unmodifiable hash chains.

Codechain allows to only publish code that has been reviewed by a preconfigured set of reviewers. The signing keys can be rotated and the reviewer set flexibly changed.

Every published code state is uniquely identified by a deterministic source tree hash stored in the hash chain, signed by a single responsible developer.

Codechain uses files to store the hash chain, not a distributed "blockchain".

Installation

Bootstrapping

To install a trusted Codechain version that can be updated in a trusted way you have to boostrap it.

Developer version

To install the latest developer version (not recommended):

go get -u -v github.com/frankbraun/codechain/...

(How to install Go. Add $GOPATH/bin to your $PATH.)

Config directories

codechain uses the following config directories:

  • POSIX (Linux/BSD): ~/.config/codechain
  • Mac OS: $HOME/Library/Application Support/Codechain
  • Windows: %LOCALAPPDATA%\Codechain
  • Plan 9: $home/Codechain

secpkg and ssotpub use accordingly named directories.

Features

Codechain depends on the git binary (for git diff), but that's optional.

Out of scope

  • Source code management. Git and other VCS systems are good for that, Codechain can be used alongside them and solves a different problem.
  • Code distribution (minimal support is provided via codechain createdist and codechain apply -f).
  • Reproducible builds.

Documentation

Acknowledgments

Codechain has been heavily influenced by discussions with Jonathan Logan of Cryptohippie, Inc. Many thanks to Michael Parenti for the logo.

About

Codechain — code trust through hash chains

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Go 99.3%
  • Other 0.7%