
Codechain — code trust through hash chains

In code we trust: Secure multiparty code reviews with signatures and hash chains.

The most common signing mechanism for open-source software is GPG signatures. For example, GPG is used to sign Git commits and Debian packages. There is no built-in mechanism for key rotation or for handling key compromise. And if forced to, a single developer can subvert all machines that trust the corresponding GPG key.

That's where the Codechain tool comes in. It establishes code trust via multi-party reviews recorded in unmodifiable hash chains.

Codechain only allows publishing code that has been reviewed by a preconfigured set of reviewers. The signing keys can be rotated and the reviewer set can be changed flexibly.

Every published code state is uniquely identified by a deterministic source tree hash stored in the hash chain, signed by a single responsible developer.

Codechain uses files to store the hash chain, not a distributed "blockchain".
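
The chaining and multi-party signing described above can be sketched in Go. This is an added example, not Codechain's code or file format: `Entry`, `New`, `Verify`, `Demo`, the 2-of-3 policy and the tree-hash strings are assumptions, and it simplifies by having reviewers sign each chain entry directly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Entry is one link of an illustrative chain (not Codechain's on-disk format).
type Entry struct {
	Prev, Tree string            // hash of previous entry, source tree hash
	Sigs       map[string][]byte // reviewer public key -> signature over hash()
}
func (e Entry) hash() string { return fmt.Sprintf("%x", sha256.Sum256([]byte(e.Prev+" "+e.Tree))) }
// New creates an entry that follows prev and is signed by the given reviewers.
func New(prev, tree string, signers ...ed25519.PrivateKey) Entry {
	e := Entry{prev, tree, map[string][]byte{}}
	for _, sk := range signers {
		e.Sigs[string(sk.Public().(ed25519.PublicKey))] = ed25519.Sign(sk, []byte(e.hash()))
	}
	return e
}

// Verify returns the first index with a broken link or under m valid signatures, else -1.
func Verify(reviewers []ed25519.PublicKey, m int, chain ...Entry) int {
	for i, e := range chain {
		valid := 0
		for _, pk := range reviewers { // each configured reviewer counts once
			if ed25519.Verify(pk, []byte(e.hash()), e.Sigs[string(pk)]) {
				valid++
			}
		}
		if (i > 0 && e.Prev != chain[i-1].hash()) || valid < m {
			return i
		}
	}
	return -1
}
// Demo checks constructed 2-of-3 chains: intact, rewritten e1 (evil), under-signed e3.
func Demo() (int, int, int) {
	pks, sks := make([]ed25519.PublicKey, 3), make([]ed25519.PrivateKey, 3)
	for i := range pks {
		pks[i], sks[i], _ = ed25519.GenerateKey(nil)
	}
	e1 := New("", "tree-v1", sks[0], sks[1])
	e2 := New(e1.hash(), "tree-v2", sks[1], sks[2])
	evil, e3 := New("", "tree-evil", sks[0], sks[1]), New(e2.hash(), "tree-v3", sks[0])
	return Verify(pks, 2, e1, e2), Verify(pks, 2, evil, e2), Verify(pks, 2, e1, e2, e3)
}
func main() { fmt.Println(Demo()) }
```

The rewritten first entry carries two valid signatures and still fails, because the second entry commits to the hash of the original; the third case fails on the signature threshold alone.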

Installation

Bootstrapping

To install a trusted Codechain version that can be updated in a trusted way you have to bootstrap it.

Developer version

To install the latest developer version (not recommended):

go get -u -v github.com/frankbraun/codechain/...

(How to install Go. Add $GOPATH/bin to your $PATH.)

Config directories

codechain uses the following config directories:

  • POSIX (Linux/BSD): ~/.config/codechain
  • Mac OS: $HOME/Library/Application Support/Codechain
  • Windows: %LOCALAPPDATA%\Codechain
  • Plan 9: $home/Codechain

secpkg and ssotpub use accordingly named directories.

Features

Codechain uses the git binary (for git diff), but that dependency is optional.

Out of scope

  • Source code management. Git and other version control systems are good for that; Codechain can be used alongside them and solves a different problem.
  • Code distribution (minimal support is provided via codechain createdist and codechain apply -f).
  • Reproducible builds.

Documentation

Acknowledgments

Codechain has been heavily influenced by discussions with Jonathan Logan of Cryptohippie, Inc. Many thanks to Michael Parenti for the logo.
