rebuilderd v0.25.0 was recently released. This version has improved in-toto support for cryptographic attestations, which this blog post briefly outlines. 😺

As a quick recap, rebuilderd is an automatic build scheduler that emerged from the Reproducible Builds project in 2019/2020 and does the following:

  1. Track binary packages available in a Linux distribution
  2. Attempt to compile the official binary packages from their (alleged) source code
  3. Check if the package we compiled is bit-for-bit identical
    1. If so, mark it GOOD, issue an attestation
    2. In every other case, mark it BAD, generate a diffoscope

The binary packages in question are explicitly the packages users would also fetch and install.

This project has caught the attention of Arch Linux, Debian and Fedora.

Before this version

The original in-toto integration was added 4 years ago by Joy Liu during GSoC 2021, with help from Santiago Torres and Aditya Sirish (shoutout to the real ones!). Each rebuilderd-worker had its own cryptographic key and included a signed attestation along with the build result that could then be fetched from /api/v0/builds/{id}/attestation.

Since these workers are potentially ephemeral, and the list of worker public keys wasn’t publicly known, it was difficult to make use of those signatures.

Since this version

This version introduces the following:

  1. The rebuilderd daemon itself generates a long-term signing key
  2. All attestations signed by a trusted worker also get signed by the rebuilderd daemon
  3. The rebuilderd daemon gets a new endpoint that can be used to query the public-key this instance identifies with: /api/v0/public-keys

An example of this new endpoint can be found here:

https://reproducible.archlinux.org/api/v0/public-keys

The response looks something like this (this is the real long-term signing key used by reproducible.archlinux.org):

{
    "current": [
        "-----BEGIN PUBLIC KEY-----\r\nMCwwBwYDK2VwBQADIQBLNcEcgErQ1rZz9oIkUnzc3fPuqJEALr22rNbrBK7iqQ==\r\n-----END PUBLIC KEY-----\r\n"
    ]
}

It’s a list so keys can potentially be rolled over time, and in future versions it should also list the public keys the instance has used in the past.
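As an added example (not code from rebuilderd or from this post), here is one way a client could pin the keys served by /api/v0/public-keys and notice a rollover. The function names, the pinning workflow and the SHA-256-of-raw-key fingerprint are assumptions made for illustration; the sample body is the response shown above. It accepts both the RFC 8410 encoding and the variant with explicit NULL parameters that the sample key uses, so the same key pins identically either way.

```python
import base64
import hashlib
import json

# Constructed sample: the response body shown in the post, embedded to run offline.
SAMPLE_RESPONSE = r'''{"current": [
  "-----BEGIN PUBLIC KEY-----\r\nMCwwBwYDK2VwBQADIQBLNcEcgErQ1rZz9oIkUnzc3fPuqJEALr22rNbrBK7iqQ==\r\n-----END PUBLIC KEY-----\r\n"
]}'''

# DER headers that can precede the 32 raw key bytes of an Ed25519 SubjectPublicKeyInfo.
ED25519_SPKI_PREFIXES = (
    bytes.fromhex("302a300506032b6570032100"),      # RFC 8410: parameters absent
    bytes.fromhex("302c300706032b65700500032100"),  # explicit NULL parameters (the sample)
)

def ed25519_raw_key(pem: str) -> bytes:
    """Return the 32 raw key bytes from a PEM-encoded Ed25519 public key."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN PUBLIC KEY-----"
            or lines[-1] != "-----END PUBLIC KEY-----"):
        raise ValueError("not a PEM public key")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    for prefix in ED25519_SPKI_PREFIXES:
        if der.startswith(prefix) and len(der) == len(prefix) + 32:
            return der[len(prefix):]
    raise ValueError("not an Ed25519 SubjectPublicKeyInfo")

def fingerprint(pem: str) -> str:
    """SHA-256 over the raw key, so both DER encodings of a key pin identically."""
    return hashlib.sha256(ed25519_raw_key(pem)).hexdigest()

def check_pins(response_body: str, pinned: set) -> dict:
    """Sort the instance's current keys into known / new, and list pins no longer served."""
    current = {fingerprint(pem) for pem in json.loads(response_body)["current"]}
    return {
        "known": sorted(current & pinned),
        "new": sorted(current - pinned),        # rollover or substitution: review before trusting
        "missing": sorted(pinned - current),    # pinned key no longer advertised
    }

if __name__ == "__main__":
    pin = fingerprint(json.loads(SAMPLE_RESPONSE)["current"][0])
    print(check_pins(SAMPLE_RESPONSE, {pin}))
```

A non-empty "new" list means the instance is advertising a key that was not pinned locally; confirm it through a separate channel before accepting attestations signed with it.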

I haven’t developed any integrations for this yet (partially also to allow deployments to catch up with the new release), but I’m planning to do so using the in-toto crate.

Closing words

To give credit where credit is due (and because people pointed out I tend to end my blog posts too abruptly), rebuilderd is only the scheduler software; the actual build in the correct build environment is outsourced to external tooling like archlinux-repro and debrebuild.

For further reading on applied reproducible builds, see also my previous blogpost Disagreeing rebuilders and what that means.

Also, there are currently efforts by the European Commission to outlaw unregulated end-to-end encrypted chat, so this may be a good time to prepare for (potential) impact and check what tools you have available to reduce unchecked trust in (open source) software authorities, to keep them operating honest and accountable.

Never lose the plot~

Sincerely yours