3 releases
0.1.5 | Mar 28, 2019 |
---|---|
0.1.4 | Mar 27, 2019 |
0.1.3 | Mar 27, 2019 |
#1010 in Cryptography
30KB
565 lines
revelio
DISCLAIMER: PoC / WIP - Feedback is welcome !
Revelio brings auditability and integrity checks for open-source projects that live on the web.
It tries to answer the question:
What is the original source code of what's running on my machine, and how was it built ?
Revelio automates transparency checks by linking:
- auditability, with URLs to the public build process and the original sources
- integrity, by checking that built artifacts have not been tampered with at any point in storage or transport
How it works
In your public CI (see the list of supported services), Revelio will create a manifest file containing:
- Build context information (URL to the build, the sources, SHA1 of the commit...)
- Artifact map with SHA256 checksum hashes
{
"version": 1,
"datetime": "2019-03-20T13:37:32.248626882+00:00",
"context": {
"buildUrl": "https://travis-ci.org/acme/example.com/jobs/123456789",
"sourcesUrl": "https://github.com/acme/example.com",
"commitSha1": "4cc994bd49fd2bf827bfbf476488e963e9d565e8",
"commitUrl": "https://github.com/acme/example.com/commit/4cc994bd49fd2bf827bfbf476488e963e9d565e8",
"compareUrl": "https://github.com/acme/example.com/compare/e68714654da3...4cc994bd49fd"
},
"artifacts": {
"https://example.com/404.html": "sha256:3mAC+oR66YjsNoV33fDK6AbN72N2okGtk9PjdIuRtsE=",
"https://example.com/app.css": "sha256:R1+IjX4f2u7GRE/XQQfgVx+YTeGqReI4qUGqKDkHA9w=",
"https://example.com/app.js": "sha256:0vGVpfjqMywtnj/hLODFi5ek6hK7aBQ+n2JZ9F/3Hx0=",
"https://example.com/index.html": "sha256:03cfGvf3z4VUqCzuaFabxbA396AT63mSjwJwOlKsaHQ=",
"https://example.com/robots.txt": "sha256:wBFPdm0K88T1Cdgftal2BpreVKzmqjb0FiGbZi9/cOg=",
"https://example.com/sitemap.xml": "sha256:RMQZ2sZN8ef/vghv58Ccoz4N3s/Oq4Hb2mrw81WK/U0="
}
}
You then deploy that revelio.json
file along with your artifacts.
The recommended path is /.well-known/revelio.json
.
Later on, you can use the Revelio CLI to verify the integrity and retrieve the build context information:
$ revelio verify https://example.com
🔎 Found https://example.com/.well-known/revelio.json
🔨 Build context:
Build https://travis-ci.org/acme/example.com/jobs/123456789
Sources https://github.com/acme/example.com
Commit URL https://github.com/acme/example.com/commit/4cc994bd49fd2bf827bfbf476488e963e9d565e8
Compare URL https://github.com/acme/example.com/compare/e68714654da3...4cc994bd49fd
Commit SHA-1 4cc994bd49fd2bf827bfbf476488e963e9d565e8
🔬 Integrity:
✅ https://example.com/404.html
✅ https://example.com/app.css
✅ https://example.com/app.js
✅ https://example.com/index.html
✅ https://example.com/robots.txt
✅ https://example.com/sitemap.xml
✅ Verified https://example.com/
Usage
- Setup for Travis CI
- Setup for CircleCI
- Todo: GitLab CI
- Todo: Azure Pipelines
- Todo: Bitbucket Pipelines
- Todo: Jenkins
The revelio
CLI tool
revelio
is a command-line tool that does the following things:
- When running in a public CI, generate a
revelio.json
file. - Verify a URL that contains a public
/.well-known/revelio.json
file.
For more details, see the revelio
CLI documentation.
FAQ
How do I use it for private repositories / private CI ?
The core idea behind this project is to bring trust through transparency. Therefore, it will only ever work with public repositories and public CI services.
License
Copyright (c) 2019 - present, François Best
Dependencies
~26–36MB
~627K SLoC