Lockfiles #27

Open
sgammon opened this issue Mar 30, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@sgammon
Owner

sgammon commented Mar 30, 2024

So, the theme of this tool and repo is a completely over-engineered tool for checking and handling hash lock files. Right? How can we really make this concept interesting?

The idea of a lockfile is that it captures state at a certain moment in time, and is committed to source control. Initially, the idea of a "lockfile" for hashlocks seems silly.

But, if that file was signed, say, with GPG, it would be possible to establish new guarantees. Without a lockfile, this tool can guarantee that: at a moment in time, when the tool was run, the hashlock files matched their subjects. Extended with a signed lockfile to gather these locks, we can establish the following guarantees:

  • (Carried) at a moment in time, when the tool was run, the hashlock files matched their subjects
  • At that time, the tool was run with proper provenance and the code matched the expected binary or source state (JS, bin)
  • At that time, the tool was run with a specific version or hash of the hashlocks tool
  • At that time, the tool was run in an authorized environment
  • At that time, all hashlocks in aggregate summed to a known value

As a codebase evolves, with the lockfile in place, replacing one or more individual subjects and updating the hashlock would no longer pass checks.
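Added example (not the hashlocks project's own code): a minimal signed lockfile that gathers per-subject hashlocks into one aggregate value, so that swapping a subject and re-hashing it in isolation no longer verifies. Assumptions: hashlocks are SHA-256 hex digests of the subject bytes, the pinned tool identity is a constant string, and an HMAC-SHA256 under a key held only by an authorized runner stands in for the GPG signature the issue proposes.

```python
import hashlib
import hmac
import json

# Stand-in for "a specific version or hash of the hashlocks tool" (assumed value).
TOOL_VERSION = "hashlocks-example-0.1"


def hashlock(data: bytes) -> str:
    """Per-subject hashlock: SHA-256 hex digest of the subject bytes (assumed format)."""
    return hashlib.sha256(data).hexdigest()


def aggregate(locks: dict) -> str:
    """One value covering every hashlock, so that dropping, adding or changing a
    single lock changes the whole. Entries are sorted so the result is stable."""
    h = hashlib.sha256()
    for name in sorted(locks):
        h.update(f"{name}\0{locks[name]}\n".encode())
    return h.hexdigest()


def _canonical(body: dict) -> bytes:
    # Canonical JSON, so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_lockfile(subjects: dict, key: bytes) -> dict:
    """Run "the tool": hash each subject, record tool identity and aggregate, sign."""
    locks = {name: hashlock(data) for name, data in subjects.items()}
    body = {"tool": TOOL_VERSION, "locks": locks, "aggregate": aggregate(locks)}
    return {**body, "signature": hmac.new(key, _canonical(body), "sha256").hexdigest()}


def verify(lockfile: dict, subjects: dict, key: bytes) -> bool:
    """All guarantees from the issue must hold at once; any failure rejects the tree."""
    body = {k: v for k, v in lockfile.items() if k != "signature"}
    expected_sig = hmac.new(key, _canonical(body), "sha256").hexdigest()
    if not hmac.compare_digest(lockfile.get("signature", ""), expected_sig):
        return False  # not produced by an authorized key, or edited after signing
    if body.get("tool") != TOOL_VERSION:
        return False  # produced by a different tool version
    locks = body.get("locks", {})
    if aggregate(locks) != body.get("aggregate"):
        return False  # per-subject locks were edited without re-aggregating
    if set(locks) != set(subjects):
        return False  # a subject was added or removed since the lock was taken
    return all(hmac.compare_digest(locks[n], hashlock(subjects[n])) for n in locks)
```

Re-hashing a replaced subject and patching its entry into the lockfile still fails, because the signature covers the recorded locks and aggregate; only a re-run by an authorized key holder produces a lockfile that verifies.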

@sgammon sgammon added the enhancement New feature or request label Mar 30, 2024