Notes, metadata, etc. for binary artifact transparency project
Standard ML
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

Binary Artifact Transparency Notes

This repository contains notes, documents and sample package metadata related to the Binary Artifact Transparency project.

Repository Directory Structure


Sample cryptographic authorities from current versions of different software distributors. These files are represented as OpenPGP certificates, X.509-style raw public keys, etc.


Sample package metadata from various operating systems.


FreeBSD package metadata, from packagesite.yaml is the main metadata file for the entire package repository. sample.yaml is a pretty-printed version of one package entry.


Debian package metadata, fetched from the apt repository at -- these are the files that would be needed by a pure debian stable machine on the amd64 (x86_64) platform, using an en_US locale.

The files named *.sample are short examples extracted from larger files for easier comparison.

Release and Release.gpg

Release identifies the metadata for all platforms for a given distribution. Release.gpg is an OpenPGP signature on it.

This is the one place where the cryptographic authority of the Debian Archive Signing Key is invoked.


this provides a list of all the files installed by any package in the repository (seful for things like "file not found"). I don't think anything in this file needs to be logged for binary transparency.

main/binary-amd64/Release and main/binary-all/Release

Simple text file identifying the distribution, version, architecture, etc.


actual binary package metadata, including dependency information, checksums, and short (one-line) descriptions for all packages distributed to this architecture specifically.


Same as the main/binary-amd64/Packages.xz but used for packages that are architecture-independent (e.g. consisting only of scripts, platform-indepenent data, documentation)

cdimage/SHA*SUM and cdimage/SHA*SUM.sign

These are signatures over lists of digests of installer CD images.