{"id":15650879,"url":"https://github.com/hannesm/conex","last_synced_at":"2025-04-14T12:42:59.896Z","repository":{"id":49655199,"uuid":"45802686","full_name":"hannesm/conex","owner":"hannesm","description":"establish trust in community repositories,  cryptographically signed by library authors","archived":false,"fork":false,"pushed_at":"2024-11-14T12:02:57.000Z","size":1509,"stargazers_count":33,"open_issues_count":2,"forks_count":2,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-03-28T01:53:30.124Z","etag":null,"topics":["conex","cryptography","ocaml","opam","package-manager","trust"],"latest_commit_sha":null,"homepage":"","language":"OCaml","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hannesm.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES.md","contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-11-08T22:48:42.000Z","updated_at":"2024-11-14T12:03:01.000Z","dependencies_parsed_at":"2024-09-06T12:35:40.824Z","dependency_job_id":null,"html_url":"https://github.com/hannesm/conex","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hannesm%2Fconex","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hannesm%2Fconex/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hannesm%2Fconex/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hannesm%2Fconex/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hannesm","download_url"
:"https://codeload.github.com/hannesm/conex/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248883235,"owners_count":21177184,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["conex","cryptography","ocaml","opam","package-manager","trust"],"created_at":"2024-10-03T12:36:10.233Z","updated_at":"2025-04-14T12:42:59.867Z","avatar_url":"https://github.com/hannesm.png","language":"OCaml","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Conex - establish trust in community repositories\n\n%%VERSION%%\n\nConex is a utility to verify and attest the release integrity and authenticity of community repositories through the use of cryptographic signatures (RSA-PSS-SHA256). It is based on [The Update Framework](https://theupdateframework.github.io/) (TUF), especially on their [CCS 2010 paper](https://isis.poly.edu/~jcappos/papers/samuel_tuf_ccs_2010.pdf), and adapted to the requirements of the [opam](https://ocaml.opam.org) [repository](https://github.com/ocaml/opam-repository).\n\nDevelopers sign their release checksums and build instructions.  A quorum (with a configurable threshold) of repository maintainers signs the package name to developer key relation.  
These repository maintainers are enrolled by a quorum of offline root keys.\n\nThe [TUF spec](https://github.com/theupdateframework/specification/blob/master/tuf-spec.md) has a good overview of attacks and threat model, both of which are shared by conex.\n\n## Project history\n\nIn spring 2017, [TAP 8](https://github.com/theupdateframework/taps/blob/master/tap8.md), which extends TUF with key rotation and explicit self-revocation, was designed together with Justin Cappos.\n\nIn early 2017, a [blog post](https://hannes.robur.coop/Posts/Conex) introducing a prototype was published.\n\nWe presented [an earlier design at OCaml 2016](https://github.com/hannesm/conex-paper/raw/master/paper.pdf).\n\nAnother article on an [even earlier design (from 2015)](http://opam.ocaml.org/blog/Signing-the-opam-repository/) is also available.\n\n## Installation\n\nConex release tarballs are accompanied by OpenPGP signatures in a separate .sig file in the download area.\n\n`opam install conex` will install this library and tool,\nonce you have installed OCaml (\u003e= 4.13.0) and opam (\u003e= 2.0.0beta).\n\nA small test repository with two maintainers is available [here](https://github.com/hannesm/testrepo), including transcripts of how it was set up and how to set up opam's `repo validation hook`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhannesm%2Fconex","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhannesm%2Fconex","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhannesm%2Fconex/lists"}