Supply chain security
Public reproducible build
Some packages include a reproducible build check as part of a publicly run workflow on GitHub infrastructure. The check's source is itself part of the repository's .github/workflows directory.
The purpose is to demonstrate publicly, typically by an automated run triggered by a push to the repository, that the published package is exactly the same as one built from those sources.
It verifies that the published .buildmeta content matches the result of the automated build workflow and, at the time of the run, verifies the integrity of the file published at the URL included in it.
Anytime thereafter, it can be reliably assumed that the git commit hash corresponds to a Debian package with specific checksum. There’s a clear trace pointing from sources at a specific point in time to a built package.
Note
As the URL is checked at the end of the workflow, it only means that it pointed to a file with the correct checksum at that moment. A prudent approach is to check every download against this expected checksum.
Automation
Following a satisfactory check, it is possible to simply source the .buildmeta snippet and thereafter:
- Download package and verify its digest;
- Install the downloaded package.
wget -nc -P /tmp "$DEB_URL"
# two spaces between digest and path: the checksum-list format sha256sum -c expects
sha256sum -c <<< "$DEB_SHA256  /tmp/${DEB_URL##*/}"
apt install "/tmp/${DEB_URL##*/}"
This can be further extended into e.g. automated Ansible playbook updates.
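The download-verify-install sequence above, as an added example that is not part of the original page or the package's own tooling: it reads DEB_URL and DEB_SHA256 from .buildmeta without sourcing it (so a tampered file cannot execute anything), re-downloads rather than trusting a cached copy, and only hands the .deb to apt when the digest matches, which covers the Note's advice to check every download. It assumes .buildmeta consists of plain KEY=VALUE lines, optionally quoted.

```shell
set -eu

# Read one KEY=VALUE from .buildmeta (assumed format) without sourcing it.
# Only URL-safe/hex characters are accepted so the value cannot carry shell syntax.
buildmeta_get() {
  file="$1"; key="$2"
  value=$(awk -v k="$key" 'index($0, k"=")==1 {print substr($0, length(k)+2); exit}' "$file")
  value=${value#\"}; value=${value%\"}
  value=${value#\'}; value=${value%\'}
  [ -n "$value" ] || return 1
  case "$value" in
    *[!A-Za-z0-9./:_%+~=-]*) echo "unexpected characters in $key" >&2; return 1 ;;
  esac
  printf '%s\n' "$value"
}

# Return 0 when file's SHA-256 equals expected (64 lowercase hex digits), 1 otherwise.
verify_sha256() {
  expected="$1"; file="$2"
  case "$expected" in
    ''|*[!0-9a-f]*) echo "malformed expected digest" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 1
  # Two spaces between digest and path: the list format sha256sum -c expects.
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status
}

# Fetch a fresh copy of the package named in .buildmeta and install it only if
# the digest matches; a mismatch removes the file and fails loudly.
fetch_verify_install() {
  meta="$1"
  url=$(buildmeta_get "$meta" DEB_URL)
  sha=$(buildmeta_get "$meta" DEB_SHA256)
  deb="/tmp/${url##*/}"
  rm -f "$deb"                      # never trust a stale cached download
  wget -q -P /tmp "$url"
  if verify_sha256 "$sha" "$deb"; then
    apt install "$deb"
  else
    echo "checksum mismatch for $deb, refusing to install" >&2
    rm -f "$deb"
    return 1
  fi
}
```

Run as `fetch_verify_install /path/to/.buildmeta` after the public check has been judged satisfactory; the two helpers can also be reused on their own, e.g. from a configuration-management wrapper.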