Go Reproducible Airgap Builds
CAVRA Community Edition now records reproducibility metadata for the Go enforcement-plane runtime. The goal is to let security teams verify a release package online, transfer it through an approved air-gapped process, and rebuild or re-check the single runtime binary without exposing enterprise source code or private release keys.
The Go release workflow and `scripts/package_go_release.py` produce `cavra-runtime.reproducibility.json` inside every Go runtime package. The manifest records:
- package version, commit, ref, repository, and workflow reference
- Go module directory
- declared target matrix
- build settings: `CGO_ENABLED=0`, `GOFLAGS="-trimpath -mod=readonly -buildvcs=false"`, `ldflags="-s -w -buildid="`
- per-target binary paths, sizes, SHA-256 digests, and rebuild commands
- operator controls for restricted-network rebuild evidence
The manifest is included in `checksums.txt`, SLSA provenance subjects, release evidence, detached signatures, and the offline trust bootstrap required-file list.
- Download `cavra-go-runtime-<version>.zip` from the GitHub Release or release workflow artifact.
- Verify the zip before transfer: `cavra release verify-airgap-bundle cavra-go-runtime-<version>.zip`
- Transfer only the verified zip plus approved public trust material through the enterprise removable-media or offline package process.
- Inside the restricted environment, verify the extracted package again: `cavra release verify-go-package go-runtime-<version>`
- Rebuild any target binary when required by local policy using the `rebuild_command` from `cavra-runtime.reproducibility.json`.
- Compare rebuilt binary hashes with `binary_sha256` before installing on CI runners, developer workstations, or restricted servers.
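As an added example (not CAVRA's own code or CLI), the offline check behind the last two steps, run over a constructed package: it rejects a manifest whose build settings differ from the deterministic set listed above, then compares each binary at its recorded path (shipped, or dropped in after a `rebuild_command` run) against the recorded size and `binary_sha256`. Only `binary_sha256` and `rebuild_command` are field names from the page; `build`, `targets`, `binary_path` and `binary_size` are assumed.

```python
import hashlib, json, os, tempfile

# Build settings the page lists for the runtime; a manifest declaring anything else is rejected.
EXPECTED_BUILD = {"CGO_ENABLED": "0",
                  "GOFLAGS": "-trimpath -mod=readonly -buildvcs=false",
                  "ldflags": "-s -w -buildid="}
MANIFEST_NAME = "cavra-runtime.reproducibility.json"

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_package(root):
    """Return (target, problem) pairs; an empty list means every check passed.
    Keys "build", "targets", "binary_path", "binary_size" are assumed names (not from the page)."""
    with open(os.path.join(root, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    problems = [("build", f"{k} is not {v!r}") for k, v in EXPECTED_BUILD.items()
                if manifest.get("build", {}).get(k) != v]
    for t in manifest.get("targets", []):
        path = os.path.join(root, t["binary_path"])
        if not os.path.isfile(path):
            problems.append((t["target"], "binary missing"))
        elif os.path.getsize(path) != t["binary_size"]:
            problems.append((t["target"], "size mismatch"))
        elif sha256_file(path) != t["binary_sha256"].lower():
            problems.append((t["target"], "sha256 mismatch"))
    return problems

def build_sample_package(tamper=False, wrong_flags=False):
    """Write a constructed package (fake binary + manifest) to a temp dir; return its path."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    binary = os.path.join(root, "bin", "cavra-runtime-linux-amd64")
    with open(binary, "wb") as f:
        f.write(b"constructed sample binary contents\n")
    build = dict(EXPECTED_BUILD, CGO_ENABLED="1") if wrong_flags else dict(EXPECTED_BUILD)
    manifest = {"version": "0.0.0-sample", "commit": "<commit placeholder>", "build": build,
                "targets": [{"target": "linux-amd64", "binary_path": "bin/cavra-runtime-linux-amd64",
                             "binary_size": os.path.getsize(binary),
                             "binary_sha256": sha256_file(binary),
                             "rebuild_command": "<rebuild command placeholder>"}]}
    with open(os.path.join(root, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f)
    if tamper:  # same-length change: simulates a binary swapped after the digest was recorded
        with open(binary, "r+b") as f:
            f.write(b"C")
    return root
```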
- As a public-sector platform team, I can verify and rebuild a single CAVRA runtime binary before placing it in an air-gapped runner image.
- As a security auditor, I can inspect deterministic build flags and binary digests without needing access to private enterprise source code.
- As a release manager, I can attach reproducibility evidence to the same release change record as checksums, signatures, SBOM, and provenance.
Restricted environments often reject opaque binaries unless the package includes verifiable provenance, checksums, rebuild instructions, and repeatable build controls. CAVRA now packages those controls with the community Go runtime so enterprises can evaluate air-gapped deployment using public-safe artifacts.
This feature documents and verifies Community Edition Go runtime packaging only. Enterprise modules, commercial policy packs, SaaS license validation, customer-specific deployment scripts, and private signing keys remain outside the public repository.
The next recommended implementation phase is contract-level Go parity for additional high-risk release-governance metadata and production release-signing operations documentation.