Skip to content

frankbraun/codechain

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

600 Commits

.codechain

.codechain

 
 

archive

archive

 
 

cmd

cmd

 
 

command

command

 
 

doc

doc

 
 

hashchain

hashchain

 
 

image

image

 
 

keyfile

keyfile

 
 

packages

packages

 
 

patchfile

patchfile

 
 

scripts

scripts

 
 

secpkg

secpkg

 
 

ssot

ssot

 
 

sync

sync

 
 

tree

tree

 
 

util

util

 
 

vendor

vendor

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

.secpkg

.secpkg

 
 

.travis.yml

.travis.yml

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

UNLICENSE

UNLICENSE

 
 

codechain.go

codechain.go

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

Repository files navigation

Codechain — code trust through hash chains

Logo

GoDoc Build Status Go Report Card

In code we trust: Secure multiparty code reviews with signatures and hash chains.

The most common signing mechanism for open-source software is using GPG signatures. For example, GPG is used to sign Git commits and Debian packages. There is no built-in mechanism for key rotation and key compromise. And if forced to, a single developer can subvert all machines which trust the corresponding GPG key.

That's where the Codechain tool comes in. It establishes code trust via multi-party reviews recorded in unmodifiable hash chains.

Codechain allows to only publish code that has been reviewed by a preconfigured set of reviewers. The signing keys can be rotated and the reviewer set flexibly changed.

Every published code state is uniquely identified by a deterministic source tree hash stored in the hash chain, signed by a single responsible developer.

Codechain uses files to store the hash chain, not a distributed "blockchain".

Installation

Bootstrapping

To install a trusted Codechain version that can be updated in a trusted way you have to bootstrap it.

Developer version

To install the latest developer version (not recommended):

go get -u -v github.com/frankbraun/codechain/...

(How to install Go. Add $GOPATH/bin to your $PATH.)

Config directories

codechain uses the following config directories:

  • POSIX (Linux/BSD): ~/.config/codechain
  • Mac OS: $HOME/Library/Application Support/Codechain
  • Windows: %LOCALAPPDATA%\Codechain
  • Plan 9: $home/Codechain

secpkg and ssotpub use accordingly named directories.

Features

Codechain depends on the git binary (for git diff), but that's optional.

Out of scope

  • Source code management. Git and other VCS systems are good for that, Codechain can be used alongside them and solves a different problem.
  • Code distribution (minimal support is provided via codechain createdist and codechain apply -f).
  • Reproducible builds.

Documentation

Acknowledgments

Codechain has been heavily influenced by discussions with Jonathan Logan of Cryptohippie, Inc. Many thanks to Michael Parenti for the logo.

About

Codechain — code trust through hash chains

Resources

Readme

License

Unlicense license
Activity

Stars

47 stars

Watchers

7 watching

Forks

11 forks
Report repository

Releases

8 tags

Packages

No packages published

Contributors 6

Languages