{"id":18997721,"url":"https://github.com/s0/bitlantern","last_synced_at":"2026-03-19T07:34:11.868Z","repository":{"id":70725748,"uuid":"56006597","full_name":"s0/BitLantern","owner":"s0","description":null,"archived":false,"fork":false,"pushed_at":"2016-04-16T01:01:57.000Z","size":8,"stargazers_count":4,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2026-01-15T12:42:12.575Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/s0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-04-11T20:48:17.000Z","updated_at":"2022-09-03T15:40:36.000Z","dependencies_parsed_at":"2023-02-23T04:45:58.066Z","dependency_job_id":null,"html_url":"https://github.com/s0/BitLantern","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/s0/BitLantern","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0%2FBitLantern","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0%2FBitLantern/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0%2FBitLantern/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0%2FBitLantern/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/s0","download_url":"https://codeload.github.com/s0/BitLantern/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0%2FBitLan
tern/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29948842,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-28T18:42:55.706Z","status":"ssl_error","status_checked_at":"2026-02-28T18:42:48.811Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T17:42:17.069Z","updated_at":"2026-02-28T19:31:11.719Z","avatar_url":"https://github.com/s0.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Cryptographic Verification of Reproducible Builds\n\n## Scope\n\n### The Problem\n\nOpen source software is incredibly valuable to the general population,\nparticularly where privacy and security are concerned: there are numerous\nopen source tools that allow people to communicate and use the web privately\nand anonymously. However, there is a problem in the way in which open source\nsoftware is typically distributed, which is as compiled binary files rather\nthan as source code, and there is no easy way to check that any particular\nbinary is directly derived from a given set of source code, which means that it\nmay have been modified by the entities building and distributing the software. 
This is because there is typically some amount of\nnon-determinism when building from source code (building twice in a row is not\nlikely to result in the same binaries, and it gets even more tricky when you\ntalk about building on different computers).\n\nEnter [Reproducible Builds](https://reproducible-builds.org): this project aims\nto make building from source code much more deterministic, so that different\npeople can independently build the software from source code and produce the\nexact same binaries. There are [a large number of\nprojects](https://reproducible-builds.org/who/) that have started work on this,\nand this is extremely exciting.\n\nThis work is extremely valuable, and crucial to the health of our future\ntech ecosystem, but for it to mean anything, we need to start actually using\nthe deterministic properties of our builds to protect us from entities\n(malicious or otherwise) modifying the binaries that we install on our systems.\n\n### The Solution\n\nThis project aims to take advantage of deterministic builds to its fullest\nextent, providing a service where anyone can choose to sign a particular binary\nas \"verified\", and tie that verification to their public identity. 
Users of the\nservice can then request a list of signatures for any particular binary\n(preferably before using the binary), and see who has verified it as genuinely\nbuilt from the source code.\n\n**Example Usages:**\n\n* Linux package managers (for example in Debian) could require that a package is\n  signed by a minimum number of signers in the keychain.\n\n  An extension of this would be allowing users / sysadmins to configure their\n  package manager to require signatures from certain people / identities before\n  installing certain packages.\n\n* Android devices could check the list of verifications for a particular app,\n  and ensure that an `apk` has not been tampered with.\n\n  An extension to this would be requiring that certain apps are signed by\n  certain people before allowing an update to take place. This can probably be\n  done with something like F-Droid more easily than with the Play Store.\n\n### But what about [Cothority](https://github.com/dedis/cothority)?\n\nCothority is cool, but in essence it tackles a very different and much more\ngeneral problem (it has nothing to do with reproducible / deterministic builds,\nand in fact conceptually doesn't even require software to be Open Source).\n\nCothority, conceptually, is a network of nodes that maintain a list of hashes\nthat are considered \"valid\"; for software, that would be the hash of the binary\nfiles. 
For a piece of software to be considered valid, its hash must be\nsubmitted to the network, from where it naturally propagates throughout the\nwhole network so that all nodes eventually agree that it is valid.\n\nUsers of the system can then ask a minimum number of nodes to verify whether\nthey have \"witnessed\" a particular hash, and if enough of them have, the user\ncan choose to continue using the binary.\n\nA good example of where this could be useful is iOS software updates: if\nApple were to use a system like this, it would be impossible to create a version\nof the software that is targeted at an individual device, and to install it on\nthat device, without announcing the existence of this software to the entire\nworld.\n\nSo although Cothority is extremely valuable, verifying reproducible builds is\nstrictly more powerful, but is applicable to significantly fewer use cases.\n\n## Naming\n\nWe still need to think of an official name for this project and its associated\ntools.\n\nPossible options:\n* BitLantern / BitTorch / BitLighthouse (some other light source)\n* BitCop / BitSheriff (less good; people don’t necessarily like cops, especially\n  in the US).\n\n## Architecture\n\nFirst and foremost, the entire system / API will be **Open Source**.\n\nThis project will be based around an API server that will be at the core of the\nproject. 
The website, command line tools and any other apps will all use the\nsame API (and this will allow for extensive contributions and other 3rd party\napps by external contributors).\n\nThe API server should be written in a way that allows for federation / mirrors\nof the data, so that people can host their own servers but synchronize with\nthe main server / any other mirrors to mirror / distribute the data (making the\nsystem inherently more robust, à la PGP keyservers).\n\n## Signature Data\n\nThe data that will be signed by verifiers will be a JSON file of this format:\n\n```json\n{\n  \"src\": \"https://github.com/WhisperSystems/Signal-Android.git\",\n  \"version\": \"3.15.2\",\n  \"srcVersion\": \"a307ff350c4f2ef0c778b1e2fd4656cb6ac086e6\",\n  \"label\": \"Play Store APK\",\n  \"verifications\": [\n    {\n      \"type\": \"gpg\",\n      \"data\": \"-----BEGIN PGP SIGNATURE-----\\nComment: ...\"\n    },\n    {\n      \"type\": \"sha256\",\n      \"data\": \"097a35284640d7fad85ff00b3ac100bcc207556176080071723c4bed37889057\"\n    },\n    ...\n  ]\n}\n```\n\n**Field Breakdown:**\n\n* `\"src\"` - a URL to the repository of the source code; in this example, an\n  https git URL for the GitHub repository of Signal.\n* `\"version\"` - the version string of the version being signed.\n* `\"srcVersion\"` - a unique reference to the version of the source code in the\n  VCS system for this project (for git, this would be the full commit hash).\n* `\"label\"` - a text string identifying what kind of binary data produced from\n  the source is being verified, for example:\n  * A source repository may have different build targets (Linux, Windows,\n    OSX...), and each of the files for each of the different platforms will\n    require a separate verification, and should be labelled appropriately.\n  * The output of a build may be multiple different files, each of which needs\n    to be distributed separately, and therefore signed separately. 
A good label for\n    each of these may be the filename.\n  * A project may be used across many different Linux distributions and\n    package repositories, and each of these distributions will require\n    distributing the packages in a different manner (`.deb`, `.tar.gz`, ...),\n    so each will require separate signatures and appropriate labels.\n* `\"verifications\"` - a list of verifications, either just hashes of the file,\n  or a GPG signature of the file.\n\n  There will be a minimum requirement that at least one particular hash\n  algorithm (probably blake2) is included; it will serve as the **canonical**\n  hash of a file, and as the way in which we correlate verifications of the\n  same file across different algorithms. The API server will only accept\n  verifications which meet this requirement.\n\n  (We could potentially change which hash this is at a later date, which would\n  change the way in which we canonicalize verifications.)\n\n**A note on GPG:**\n\nUsage of GPG as a \"hash\" will allow simpler systems to be implemented that use\nthe API service as a GPG signature lookup server, treating GPG in whatever\nmanner they see fit, without having to implement the complete signing and\nverification protocol of this service or understand this JSON format.\n\ni.e. this opens up the possibility of just making an `http(s)` request for\n\"give me the GPG signatures for the file with this hash\", and then using the\nGPG signatures directly.\n\n### Signing\n\n*(yet to be finalised)*\n\nThe signature could either just be a GPG signature, or it could be a Keybase\nsignature, or it could potentially be either / both. This needs to be\ndiscussed... either way, it probably needs to be something that can be tied to\na user identity, so a raw NaCl signature, for example, probably won't do.\n\n## API\n\nThe API will mostly be auth-less (including calls to upload signatures for a\nbinary), due to the nature of this project. 
We may later require auth for some\nparts of the API (for example updating metadata for a project, we may want to\ngive auth to project owners, verifying for example via GitHub).\n\n### Get list of projects\n\n```\nGET /api/projects\n```\n\nOrder by something significant (unless otherwise specified), e.g. number of\nsignatures.\n\n```json\n[\n  {\n    \"id\": 1234,\n    \"name\": \"Signal Android\",\n    \"url\": \"https://play.google.com/store/apps/...\",\n    \"icon\": \"https://.../icon.png\",\n    \"src\": [\n      \"https://github.com/WhisperSystems/Signal-Android.git\"\n    ]\n  },\n  ...\n]\n```\n\n### Get a specific project's meta\n\n```\nGET /api/projects/1234\n```\n\n```json\n{\n  \"id\": 1234,\n  \"name\": \"Signal Android\",\n  \"url\": \"https://play.google.com/store/apps/...\",\n  \"icon\": \"https://.../icon.png\",\n  \"src\": [\n    \"https://github.com/WhisperSystems/Signal-Android.git\"\n  ]\n}\n```\n\n### Get a list of versions for a project\n\n```\nGET /api/projects/1234/versions?count=10\n```\n\nOrder by date (that's the date of the commit in the repo).\n\n```json\n[\n  {\n    \"date\": 1460412723,\n    \"srcVersion\": \"a307ff350c4f2ef0c778b1e2fd4656cb6ac086e6\",\n    \"binaries\": {\n      \"097a352...\": {\n        \"projects\": {\n          \"1234\": 121,\n          \"333\": 1\n        },\n        \"srcVersions\": {\n          \"a307ff350c4f2ef0c778b1e2fd4656cb6ac086e6\": 121,\n          \"778b1e2fd4656cb6ac086e6a307ff350c4f2ef0c\": 1\n        },\n        \"versions\": {\n          \"3.15.2\": 101,\n          \"v3.15.2\": 20,\n          \"v3.15.1\": 1\n        },\n        \"labels\": {\n          \"Play Store APK\": 95,\n          \"Play Store\": 27\n        },\n        \"verificationTypes\": {\n          \"blake2\": 122,\n          \"gpg\": 56,\n          \"sha256\": 100\n        }\n      },\n      \"d4656cb...\": {\n\n      },\n      ...\n    }\n\n  },\n  ...\n]\n```\n\n### Get details of binaries for a specific srcVersion (git 
hash)\n\n```\nGET /api/projects/1234/a307ff350c4f2ef0c778b1e2fd4656cb6ac086e6\n```\n\n```json\n{\n  \"date\": 1460412723,\n  \"srcVersion\": \"a307ff350c4f2ef0c778b1e2fd4656cb6ac086e6\",\n  \"binaries\": {\n    \"097a352...\": {\n      \"projects\": {\n        \"1234\": 121,\n        \"333\": 1\n      },\n      \"srcVersions\": {\n        \"a307ff350c4f2ef0c778b1e2fd4656cb6ac086e6\": 121,\n        \"778b1e2fd4656cb6ac086e6a307ff350c4f2ef0c\": 1\n      },\n      \"versions\": {\n        \"3.15.2\": 101,\n        \"v3.15.2\": 20,\n        \"v3.15.1\": 1\n      },\n      \"labels\": {\n        \"Play Store APK\": 95,\n        \"Play Store\": 27\n      },\n      \"verificationTypes\": {\n        \"blake2\": 122,\n        \"gpg\": 56,\n        \"sha256\": 100\n      }\n    },\n    \"d4656cb...\": {\n\n    },\n    ...\n  }\n\n}\n```\n\n### Get details for a specific file hash\n\n```\nGET /api/hash/097a35284640d7fad85ff00b3ac100bcc207556176080071723c4bed37889057\n```\n\n```json\n{\n  \"hash\": \"097a35284640d7fad85ff00b3ac100bcc207556176080071723c4bed37889057\",\n  \"projects\": {\n    \"1234\": 121,\n    \"333\": 1\n  },\n  \"srcVersions\": {\n    \"a307ff350c4f2ef0c778b1e2fd4656cb6ac086e6\": 121,\n    \"778b1e2fd4656cb6ac086e6a307ff350c4f2ef0c\": 1\n  },\n  \"versions\": {\n    \"3.15.2\": 101,\n    \"v3.15.2\": 20,\n    \"v3.15.1\": 1\n  },\n  \"labels\": {\n    \"Play Store APK\": 95,\n    \"Play Store\": 27\n  },\n  \"verificationTypes\": {\n    \"blake2\": 122,\n    \"gpg\": 56,\n    \"sha256\": 100\n  }\n}\n```\n\n### Get verifications for a specific file hash\n\n```\nGET /api/hash/097a352...057/verifications?count=10\n```\n\n```json\n[\n  {\n    \"data\": \"-- escaped / encoded signed json data --\",\n    \"signature\": \"-- escaped / encoded signature --\"\n  },\n  ...\n]\n```\n\n### Get verifications for a specific file hash that include a specific type\n\n```\nGET /api/hash/097a352...057/verifications?count=10\u0026type=gpg\n```\n\n```json\n[\n  {\n    
\"data\": \"-- escaped / encoded signed json data --\",\n    \"signature\": \"-- escaped / encoded signature --\"\n  },\n  ...\n]\n```\n\n### Get gpg signatures for a specific hash\n\n```\nGET /api/hash/097a352...057/gpg?count=10\n```\n\n```json\n[\n  \"-----BEGIN PGP SIGNATURE-----\\nComment: ...\",\n  \"-----BEGIN PGP SIGNATURE-----\\nComment: ...\",\n  ...\n]\n```\n\n### TODO\n\nAPI calls for uploading a signature\n\n## Data Model\n\nTODO\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs0%2Fbitlantern","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fs0%2Fbitlantern","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs0%2Fbitlantern/lists"}