[rb-general] [jvm] How to share rebuilder attestations

Arnout Engelen arnout at bzzt.net
Mon Jan 7 12:18:54 CET 2019

On Mon, Jan 7, 2019 at 9:27 AM Hervé Boutemy <hboutemy at apache.org> wrote:
> <snip>

Agreed with basically everything above ;)

> > - What exactly gets PGP-signed?  (The binary artifact?  The buildinfo?
> >   If the latter, how does one then establish trust in the binary
> >   artifact?)
> good question:
> the rebuilders's buildinfo, for sure, gets signed by the rebuilder
> Signing the binary artifact could make sense, but the workflow for that may
> not be easy...
> Signing the original buildinfo file to me does not really make sense: if we
> sign an existing file, IMHO it's better to go with the binary artifact

I agree the rebuilder should sign his own buildinfo.

Since the buildinfo contains the hashes of the binary artifacts, it doesn't
seem necessary to also sign the binary artifacts themselves

Kind regards,


More information about the rb-general mailing list