Mailing List Archive
Re: [tlug] Any way to make code running on a cloud service publicly verifiable?
Curt Sampson writes:
> On 2012-09-14 20:37 +0900 (Fri), Stephen J. Turnbull wrote:
>
> > The thing is, you absolutely have to have a third party certify
> > that... (2) that the initial code it downloaded is the code you
> > published. ("Initial" because you could trivially add a backdoor to
> > upload additional code via HTTPS or whatever -- this can only be dealt
> > with by a 3rd party certifying that your initial code doesn't do that.)
>
> Actually, you don't need the third party to verify that; the user of the
> site can download the code and verify it himself.
Right.
> > If you trust SHA1 is cryptographically strong, then you could do this
> > easily with git or hg... Have the cloud provider install a
> > trusted, known clean version of the DVCS, which checks out a revision
> > you specify from a public repo.
>
> Be very careful when trying to use a hash for verification; naïve ways
> of using it are vulnerable to length-extension attacks and probably
> other things. Given that you need public verification, I'm not even sure
> that an HMAC will do what you need, either, so use a proper digital
> signature. This is not hard to do with OpenSSL or PGP.
Ah, you're right. I don't see how *Edgar* can beat the system, but he
is theoretically vulnerable to a Joe Job where a *fourth* party cracks
his repo and provides malicious code purporting to be from Edgar.
But what do you propose signing in the case of a direct checkout of
rev deadbeefcafefeedbeadbabefacebadedeedaced from a public git
repository? The rev id, I guess?
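Signing the rev id is enough in practice, because a git commit id is a hash over the tree id, which in turn covers every blob id, so a signature over the rev (for instance a signed tag) binds the entire checkout. The following is an added illustration, not code from this thread, that recomputes git object ids over a constructed file set with an assumed author line and commit message and checks a checkout against a "published" rev:

```python
import hashlib

# Constructed sample: the "published" code tree; author and message are assumed.
PRISTINE_FILES = {
    "app.py": b"print('hello from the cloud')\n",
    "README": b"Published service code\n",
}
AUTHOR = "Edgar <edgar@example.invalid> 1347600000 +0900"  # assumed, git's "name <mail> time tz"
MESSAGE = "Release 1.0\n"

def git_object_id(kind, body):
    """Git object id: SHA-1 over '<type> <size>\\0<body>', git's own scheme."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def blob_id(content):
    return git_object_id("blob", content)

def tree_id(files):
    """Flat tree of regular files: entries '<mode> <name>\\0<raw 20-byte sha1>' sorted by name."""
    body = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
        for name in sorted(files)
    )
    return git_object_id("tree", body)

def commit_id(files, author, message, parent=None):
    """Root commit unless a parent id is given; the id covers tree, metadata and message."""
    lines = [f"tree {tree_id(files)}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {author}", f"committer {author}", "", message]
    return git_object_id("commit", "\n".join(lines).encode())

def verify_checkout(files, published_rev, author=AUTHOR, message=MESSAGE):
    """True only if the checked-out files plus commit metadata rebuild the published rev id."""
    return commit_id(files, author, message) == published_rev

# The rev id the publisher would sign (e.g. in a signed tag) and announce.
PUBLISHED_REV = commit_id(PRISTINE_FILES, AUTHOR, MESSAGE)

if __name__ == "__main__":
    print("published rev:", PUBLISHED_REV)
    print("pristine verifies:", verify_checkout(PRISTINE_FILES, PUBLISHED_REV))
    # One extra line in one file changes its blob id, hence the tree and the commit id.
    tampered = dict(PRISTINE_FILES)
    tampered["app.py"] += b"# line not present in the published rev\n"
    print("tampered verifies:", verify_checkout(tampered, PUBLISHED_REV))
```

The signature itself then needs to cover only the 40-character rev id; any change to any file, or to the commit metadata, produces a different id and fails the comparison.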