README
¶
Codechain — code trust through hash chains
In code we trust: Secure multiparty code reviews with signatures and hash chains.
The most common signing mechanism for open-source software is using GPG signatures. For example, GPG is used to sign Git commits and Debian packages. There is no built-in mechanism for key rotation and key compromise. And if forced to, a single developer can subvert all machines which trust the corresponding GPG key.
That's where the Codechain tool comes in. It establishes code trust via multi-party reviews recorded in unmodifiable hash chains.
Codechain allows to only publish code that has been reviewed by a preconfigured set of reviewers. The signing keys can be rotated and the reviewer set flexibly changed.
Every published code state is uniquely identified by a deterministic source tree hash stored in the hash chain, signed by a single responsible developer.
Codechain uses files to store the hash chain, not a distributed "blockchain".
Installation
Bootstrapping
To install a trusted Codechain version that can be updated in a trusted way you have to boostrap it.
Developer version
To install the latest developer version (not recommended):
go get -u -v github.com/frankbraun/codechain/...
(How to install Go. Add $GOPATH/bin
to your $PATH.)
Config directories
codechain uses the following config directories:
- POSIX (Linux/BSD):
~/.config/codechain - Mac OS:
$HOME/Library/Application Support/Codechain - Windows:
%LOCALAPPDATA%\Codechain - Plan 9:
$home/Codechain
secpkg and ssotpub use accordingly named directories.
Features
- Minimal code base, Go only, cross-platform.
- Single source of truth (SSOT) with DNS
Codechain depends on the git binary (for git diff), but that's optional.
Out of scope
- Source code management. Git and other VCS systems are good for that, Codechain can be used alongside them and solves a different problem.
- Code distribution (minimal support is provided via
codechain createdistandcodechain apply -f). - Reproducible builds.
Documentation
- Walkthrough
- Presentation about Codechain
- Directory tree hashes and lists
- Hash chain file format
- Patchfile format
- SSOT with DNS TXT records
- Secure packages (
.secpkgfiles)
Acknowledgments
Codechain has been heavily influenced by discussions with Jonathan Logan of Cryptohippie, Inc. Many thanks to Michael Parenti for the logo.
Documentation
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
Package archive implements a simple archive format for `codechain apply -f`.
|
Package archive implements a simple archive format for `codechain apply -f`. |
|
cmd
|
|
|
secpkg
secpkg installs and updates secure Codechain packages.
|
secpkg installs and updates secure Codechain packages. |
|
ssotpub
ssotpub publishes Codechain heads with a single source of truth (SSOT).
|
ssotpub publishes Codechain heads with a single source of truth (SSOT). |
|
util/ccdiff
ccpatch caluates a patch between two directory trees and prints it to stdout.
|
ccpatch caluates a patch between two directory trees and prints it to stdout. |
|
util/ccfindhead
ccfindhead finds a given head in a hash chain file.
|
ccfindhead finds a given head in a hash chain file. |
|
util/ccpatch
ccpatch applies a patchfile to a directory tree.
|
ccpatch applies a patchfile to a directory tree. |
|
util/cctreehash
cctreehash calculates and prints the tree hash of the current directory in hex.
|
cctreehash calculates and prints the tree hash of the current directory in hex. |
|
util/cloudflareapi
cloudflareapi calls the Cloudflare API (https://api.cloudflare.com/).
|
cloudflareapi calls the Cloudflare API (https://api.cloudflare.com/). |
|
Package command implements the Codechain commands.
|
Package command implements the Codechain commands. |
|
doc
|
|
|
Package hashchain implements a hash chain of signatures over a chain of code changes.
|
Package hashchain implements a hash chain of signatures over a chain of code changes. |
|
internal/state
Package state implements the state of a hashchain.
|
Package state implements the state of a hashchain. |
|
linktype
Package linktype defines the different link types of a hash chain.
|
Package linktype defines the different link types of a hash chain. |
|
Package keyfile provides encrypted secret key storage.
|
Package keyfile provides encrypted secret key storage. |
|
Package patchfile implements a robust patchfile format for directory trees.
|
Package patchfile implements a robust patchfile format for directory trees. |
|
Package secpkg implements the secpkg package format.
|
Package secpkg implements the secpkg package format. |
|
command
Package command implements the secpkg commands.
|
Package command implements the secpkg commands. |
|
Package ssot implements a single source of truth (SSOT) with DNS TXT records.
|
Package ssot implements a single source of truth (SSOT) with DNS TXT records. |
|
command
Package command implements the ssotpub commands.
|
Package command implements the ssotpub commands. |
|
Package sync implements directory tree syncing with patch files.
|
Package sync implements directory tree syncing with patch files. |
|
Package tree implements functions to hash directory trees.
|
Package tree implements functions to hash directory trees. |
|
Package util contains utility functions.
|
Package util contains utility functions. |
|
ascii85
Package ascii85 implements ascii85 encoding related utility functions.
|
Package ascii85 implements ascii85 encoding related utility functions. |
|
base64
Package base64 implements base64 encoding related utility functions.
|
Package base64 implements base64 encoding related utility functions. |
|
bzero
Package bzero defines helper functions to zero sensitive memory.
|
Package bzero defines helper functions to zero sensitive memory. |
|
cloudflare
Package cloudflare consumes the Cloudflare API (https://api.cloudflare.com/).
|
Package cloudflare consumes the Cloudflare API (https://api.cloudflare.com/). |
|
def
Package def defines default values used in Codechain.
|
Package def defines default values used in Codechain. |
|
file
Package file implements file related utility functions.
|
Package file implements file related utility functions. |
|
git
Package git contains wrappers around some Git commands.
|
Package git contains wrappers around some Git commands. |
|
gnumake
Package gnumake contains wrappers around some GNU make commands.
|
Package gnumake contains wrappers around some GNU make commands. |
|
hex
Package hex implements hex encoding related utility functions.
|
Package hex implements hex encoding related utility functions. |
|
home
Package home provides utility methods for application specific home directories.
|
Package home provides utility methods for application specific home directories. |
|
homedir
Package homedir implements helper methods to get the home directories of various tools.
|
Package homedir implements helper methods to get the home directories of various tools. |
|
interrupt
Package interrupt allows to handle interrupts.
|
Package interrupt allows to handle interrupts. |
|
lockfile
Package lockfile implements a lock to limit a binary to one process per anchor file.
|
Package lockfile implements a lock to limit a binary to one process per anchor file. |
|
log
Package log implements a minimal logging framework based on stdlib's log.
|
Package log implements a minimal logging framework based on stdlib's log. |
|
seckey
Package seckey implements helper functions for secret key files.
|
Package seckey implements helper functions for secret key files. |
|
terminal
Package terminal provides utility function to read from terminals.
|
Package terminal provides utility function to read from terminals. |
|
time
Package time implements time related utility functions.
|
Package time implements time related utility functions. |
Click to show internal directories.
Click to hide internal directories.