• 0 Posts
  • 3 Comments
Joined 2 years ago
cake
Cake day: June 12th, 2023

help-circle

  • As far as I’m aware, there is no way to fully know there wasn’t any tampering or swapping of executables that were produced by a workflow. As most things on the internet, I believe there needs to be a degree of trust towards the original author and original owner of the repository that what they published is indeed a built executable from the original source. If there is any doubt about this, the only verifiable way to know for sure, if for a potential user to build from source themselves.

    I can think of ways where there is a trusted third party that provides a public key with which to sign the built executable, after which it can be checked by the third party (with its private key) whether it is still the same executable. Specially if a different key pair is used for every signing operation. But there are still flaws there, and would, ultimately, still rely on a degree of trust in the third party.