rebuilderd icon indicating copy to clipboard operation
rebuilderd copied to clipboard

Attestation transparency logs

Open kpcyrd opened this issue 4 years ago • 8 comments

In extension to #12 there should be a tamper resistant log, similar to certificate transparency.

kpcyrd avatar Apr 28 '20 18:04 kpcyrd

I had a (rather "ambitious") idea of how this could be done using BFT consensus around quorum builds:

https://github.com/iqlusioninc/synchronicity/blob/develop/README.md#about

A simpler approach would be to log to something like Google Trillian.

tarcieri avatar Apr 28 '20 18:04 tarcieri

I'd love to explore the possibility of using BFT. I think the question regarding trillian would be to create a profile, which is something we've explored of doing in the in-toto team...

SantiagoTorres avatar Apr 28 '20 18:04 SantiagoTorres

I think the question regarding trillian would be to create a profile

Trillian "Personality", but yes

https://github.com/google/trillian/blob/master/docs/Personalities.md

The Golang "SumDB" uses one for this purpose, I believe:

https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md

tarcieri avatar Apr 28 '20 18:04 tarcieri

I personally have some motivation to look into the sumdb code from golang. It's frankly simpler then the trillian monstrosity using grpc and god knows what.

Foxboron avatar Apr 28 '20 19:04 Foxboron

@Foxboron sumdb uses Trillian:

https://blog.golang.org/module-mirror-launch

The checksum database is served by sum.golang.org, and is built on a Transparent Log (or “Merkle tree”) of hashes backed by Trillian. The main advantage of a Merkle tree is that it is tamper proof and has properties that don’t allow for misbehavior to go undetected, which makes it more trustworthy than a simple database. The go command uses this tree to check “inclusion” proofs (that a specific record exists in the log) and “consistency” proofs (that the tree hasn’t been tampered with) before adding new go.sum lines to your module’s go.sum file. Below is an example of such a tree.

tarcieri avatar Apr 28 '20 19:04 tarcieri

Wait, what. Now I'm confused by what the mod/sumdb is suppose to contain. There is no traces of trillian anywhere in their github org. Is the backend proprietary?

Foxboron avatar Apr 28 '20 19:04 Foxboron

It contains a client for verifying go.sum attestations as served from https://sum.golang.org. See the API here:

https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md#checksum-database

The verifiable log behind https://sum.golang.org is managed by Trillian. I'm not sure if the personality they're using is open source or not (I can't find it quickly, but have pinged the relevant people)

tarcieri avatar Apr 28 '20 19:04 tarcieri

Right, so I checked the gopher slack and it is indeed proprietary. It's apparently "not a lot of code" on top of trillian, but the storage code is heavily tied to what I assume is GCP and the storage there.

That is a bit unfortunate I think.

Foxboron avatar Apr 28 '20 19:04 Foxboron