Module: github.com/frankbraun/codechain
Version: 1.2.0
Repository: https://github.com/frankbraun/codechain.git
Documentation: pkg.go.dev

# README

Codechain — code trust through hash chains


In code we trust: Secure multiparty code reviews with signatures and hash chains.

The most common signing mechanism for open-source software is GPG signatures. For example, GPG is used to sign Git commits and Debian packages. There is no built-in mechanism for key rotation or for handling key compromise. And if forced to, a single developer can subvert all machines that trust the corresponding GPG key.

That's where the Codechain tool comes in. It establishes code trust via multi-party reviews recorded in unmodifiable hash chains.

Codechain allows code to be published only after it has been reviewed by a preconfigured set of reviewers. The signing keys can be rotated and the reviewer set changed flexibly.

Every published code state is uniquely identified by a deterministic source tree hash stored in the hash chain, signed by a single responsible developer.

Codechain uses files to store the hash chain, not a distributed "blockchain".
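As an added example (not Codechain's own code, file format or API), the following Go program models the two ideas above: a deterministic hash over a source tree, and a hash chain whose entries each bind a tree hash to the previous entry and are signed by the publishing developer. The path framing, the `Entry` layout and the function names are assumptions of this example; Codechain's real formats differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"sort"
)
// treeHash: sorted paths, each NUL-terminated and followed by its content hash (constructed scheme, not Codechain's).
func treeHash(files map[string][]byte) [32]byte {
	var paths []string
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var buf []byte
	for _, p := range paths {
		c := sha256.Sum256(files[p])
		buf = append(append(buf, p+"\x00"...), c[:]...)
	}
	return sha256.Sum256(buf)
}

// Entry links a tree hash to the previous entry's hash; the developer's signature covers both.
type Entry struct {
	Prev, Tree [32]byte
	Sig        []byte
}
func (e Entry) msg() []byte { return append(e.Prev[:], e.Tree[:]...) }
// publish appends an entry for tree to chain, signed with the developer's Ed25519 key.
func publish(chain []Entry, tree [32]byte, key ed25519.PrivateKey) []Entry {
	var prev [32]byte
	if n := len(chain); n > 0 {
		prev = sha256.Sum256(chain[n-1].msg())
	}
	e := Entry{Prev: prev, Tree: tree}
	e.Sig = ed25519.Sign(key, e.msg())
	return append(chain, e)
}

// verify re-walks the links and checks every signature against pub; any edit or reorder fails.
func verify(chain []Entry, pub ed25519.PublicKey) bool {
	var prev [32]byte
	for _, e := range chain {
		if e.Prev != prev || !ed25519.Verify(pub, e.msg(), e.Sig) {
			return false
		}
		prev = sha256.Sum256(e.msg())
	}
	return true
}
```

Because every entry commits to its predecessor, a verifier that already trusts the chain head only needs to check the new entries and their signatures, which is what makes a file-based chain sufficient for this purpose.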

Installation

Bootstrapping

To install a trusted Codechain version that can be updated in a trusted way you have to bootstrap it.

Developer version

To install the latest developer version (not recommended):

go get -u -v github.com/frankbraun/codechain/...

(See the Go installation instructions, then add $GOPATH/bin to your $PATH.)

Config directories

codechain uses the following config directories:

  • POSIX (Linux/BSD): ~/.config/codechain
  • Mac OS: $HOME/Library/Application Support/Codechain
  • Windows: %LOCALAPPDATA%\Codechain
  • Plan 9: $home/Codechain

The secpkg and ssotpub tools use correspondingly named directories.

Features

Codechain can use the git binary (for git diff), but this dependency is optional.

Out of scope

  • Source code management. Git and other VCS systems are good for that, Codechain can be used alongside them and solves a different problem.
  • Code distribution (minimal support is provided via codechain createdist and codechain apply -f).
  • Reproducible builds.

Documentation

Acknowledgments

Codechain has been heavily influenced by discussions with Jonathan Logan of Cryptohippie, Inc. Many thanks to Michael Parenti for the logo.

# Packages

Package archive implements a simple archive format for `codechain apply -f`.
Package command implements the Codechain commands.
Package hashchain implements a hash chain of signatures over a chain of code changes.
Package keyfile provides encrypted secret key storage.
Package patchfile implements a robust patchfile format for directory trees.
Package secpkg implements the secpkg package format.
Package ssot implements a single source of truth (SSOT) with DNS TXT records.
Package sync implements directory tree syncing with patch files.
Package tree implements functions to hash directory trees.
Package util contains utility functions.