[Secure Desktops] Introducing a public db for software and firmware hashes

Joanna Rutkowska joanna at invisiblethingslab.com
Fri Nov 11 15:40:18 CET 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi, I've recently created this simple repo:

https://github.com/rootkovska/codehash.db

... which is an attempt to somehow address the problem of software and firmware
"verifiability" (the word is somewhat loaded, hence in quotation marks).

I imagine that once more and more vendors, such as e.g. Tails or Subgraph, or
secure messenger app devs, or various firmware projects (coreboot, Trezor,
OpenWRT, etc.) agree to stick to this format, we could expect each of them to
submit hashes + signatures with each new release of their software.  These
hashes would then subsequently be verified and submitted by other witnesses.
Each person or organization would be free to host a repo similar to the one
above, only with the "proofs" from the select witnesses they consider somehow
trusted or meaningful.

Any comments welcome!

Cheers,
joanna.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJYJdhRAAoJEDOT2L8N3GcY++UQALSpFDHBqOPRYdpUzyUIicLR
6Rh3scyzizQogoAk2dPTMJw3J/bKBljybxL4PtxEXzbY2eITw128Bu8M0vno4rzY
G/UCFPus5tUcrqoZcX0+usqfZzr2zStG5kNIaW2tCf9AkUrCgcyNZSBUNnXSTADJ
Eb7U85YnhZnVw5qeqAaCgoA0uYiOB7xIWj4hB+g8LJXHJXjvit4vttylH5x2HOsx
Dxer7GSEMaPKy2yvt7Q4Z+KyXhvfLiF93FAy/kj6WLUXOBlk4e+J+mw7x6fe2yiK
3Eiy7nHp/bxMgowTqZiPqy/nYZIS02ArhavkNphTYa/cCqCZFwpKRTQa73bvdIca
8KebY2/1J+yVfG1SZdaSrU0GKDAvjz/a9AYiGlEn4lBgvctyhnw8OTdE0vOw2M3T
9aMFq5BGt7FIAWygTrxI34ucj9aU1Q4QEpw5C1i7grIPEMAAPt09ST/7Ypc9TGcu
28UIWlmz/UVdR/wsJzT8BpnRMdZcfRg9hp/+/xs8CSYgCs0xS8NUmuVvlPMmIewB
MqrQo+sqU3J0QYN2WdMX1f4gkjT5x8oitI1MTTLiX8mXAXpR4o/I4AwEY6tzfcfa
4ntbnmmeeKqCwKLGhRQAi2pzSb7k0AOPNJDFBdeScPswfV0lTUozXC9sdy+g03cg
h4j990kcnAryDze7CAHu
=VY0L
-----END PGP SIGNATURE-----
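The trust model the post sketches (a vendor publishes a hash plus signature, independent witnesses re-hash the release and publish their own attestations, and each consumer decides which witnesses they trust) can be made concrete with a small simulation. The code below is an added illustration written for this page; it is not code from the codehash.db repo and does not follow that repo's file format. The artifact bytes, signer names and keys are all constructed, and HMAC-SHA256 stands in for the OpenPGP signatures the post envisions so the example runs offline without gnupg. The consumer-side policy in `check_release` (vendor must attest the locally computed hash, no trusted witness may contradict it, and a quorum of trusted witnesses must agree) is one reasonable policy, not something the post prescribes.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for release files (not artifacts from any real project).
RELEASES = {
    "example-os-1.0.iso": b"constructed bytes standing in for the 1.0 image",
    "example-os-1.1.iso": b"constructed bytes standing in for the 1.1 image",
}

# Hypothetical secret keys for the vendor and three witnesses. The post envisions
# OpenPGP signatures; HMAC-SHA256 is used here only so the example runs offline.
# The structural point (who attested which hash) is the same either way.
KEYS = {
    "vendor": b"vendor-key",
    "witness_a": b"witness-a-key",
    "witness_b": b"witness-b-key",
    "witness_c": b"witness-c-key",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signed_message(artifact: str, digest: str) -> bytes:
    # Canonical bytes a signature covers: the artifact name and its hash.
    return f"{artifact} sha256:{digest}".encode()


def attest(signer: str, artifact: str, data: bytes) -> dict:
    """A signer hashes its own copy of the artifact and signs (name, hash)."""
    digest = sha256_hex(data)
    sig = hmac.new(KEYS[signer], signed_message(artifact, digest), "sha256").hexdigest()
    return {"artifact": artifact, "sha256": digest, "signer": signer, "sig": sig}


def signature_valid(entry: dict) -> bool:
    """Reject entries whose signature does not verify under the claimed signer's key."""
    key = KEYS.get(entry["signer"])
    if key is None:
        return False
    expected = hmac.new(key, signed_message(entry["artifact"], entry["sha256"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, entry["sig"])


def check_release(artifact: str, data: bytes, db: list, vendor: str, trusted: set, quorum: int = 2):
    """Policy a consumer applies to their own local copy of the database.

    Accept only if the vendor attested the hash computed locally, no trusted
    witness attested a different hash, and at least `quorum` trusted witnesses
    attested the same hash. Returns (accepted, reason).
    """
    local = sha256_hex(data)
    valid = [e for e in db if e["artifact"] == artifact and signature_valid(e)]
    agree = {e["signer"] for e in valid if e["sha256"] == local}
    disagree = {e["signer"] for e in valid if e["sha256"] != local}
    if vendor not in agree:
        return False, "vendor has not attested this hash"
    conflicting = disagree & trusted
    if conflicting:
        return False, "trusted witness attested a different hash: " + ", ".join(sorted(conflicting))
    if len(agree & trusted) < quorum:
        return False, f"only {len(agree & trusted)} of {quorum} required trusted witnesses agree"
    return True, "ok"


def build_sample_db() -> list:
    """Constructed database: the vendor attests both releases, two witnesses confirm
    1.0, witness_c hashed a corrupted copy of 1.1, and one entry carries a forged
    signature (it must be ignored, not counted for or against anything)."""
    db = [attest("vendor", name, data) for name, data in RELEASES.items()]
    db.append(attest("witness_a", "example-os-1.0.iso", RELEASES["example-os-1.0.iso"]))
    db.append(attest("witness_b", "example-os-1.0.iso", RELEASES["example-os-1.0.iso"]))
    db.append(attest("witness_c", "example-os-1.1.iso", RELEASES["example-os-1.1.iso"] + b"corrupted"))
    forged = attest("witness_a", "example-os-1.1.iso", RELEASES["example-os-1.1.iso"])
    forged["sig"] = "00" * 32  # bogus signature
    db.append(forged)
    return db


if __name__ == "__main__":
    db = build_sample_db()
    trusted = {"witness_a", "witness_b", "witness_c"}
    for name, data in RELEASES.items():
        print(name, check_release(name, data, db, "vendor", trusted))
    print(json.dumps(db[0], indent=2))
```

Running it shows 1.0 accepted (vendor plus two trusted witnesses agree), while 1.1 is rejected because a trusted witness published a conflicting hash; the forged witness_a entry for 1.1 is dropped before any counting. Changing the `trusted` set changes the verdict for the same database, which is exactly the "each organization hosts the proofs from the witnesses it trusts" part of the post.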


