rebuilderd v0.25.0 - improved in-toto support

kpcyrd kpcyrd at archlinux.org
Thu Sep 25 19:47:36 UTC 2025


Dear list!

I don't blog often but published a brief writeup for the recent 
rebuilderd v0.25.0 release:

https://vulns.xyz/2025/09/rebuilderd-v0.25.0/

The code for in-toto attestations has been reworked and the instances 
now have a new endpoint that can be queried to fetch the list of 
public-keys an instance currently identifies with.

The endpoint looks like this:

https://reproducible.archlinux.org/api/v0/public-keys

All attestations now carry signatures from this long-term key.

This allows for "I have public-keys of 3 parties I selected (and trust 
to not collude), and if 2 of them cryptographically confirm they 
reproduced a binary package from source, I consider the package a-okay 
to use on my computers".

cheers,
kpcyrd
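The "2 of 3 selected parties must confirm" policy described in the post, as an added example that is not part of the original mail and not rebuilderd's own code. It assumes a deliberately simplified attestation shape (a signer's ed25519 public key plus a signature over a constructed statement string containing the artifact's SHA-256), not the real in-toto envelope format that rebuilderd produces; the party names, the artifact bytes and the threshold are constructed for the demo. The points a verifier must get right are shown explicitly: only keys the user selected count, each party counts once no matter how many attestations it submitted, a signature from an unknown key is ignored, and the statement is bound to the artifact digest so an attestation for a different build does not carry over.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Attestation is a constructed, simplified stand-in for a rebuild attestation:
// the signer's long-term public key and an ed25519 signature over the statement.
// Assumption: this is NOT the real in-toto/rebuilderd envelope format.
type Attestation struct {
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Party is one rebuilder instance whose long-term public key the user selected
// (in practice fetched once from an instance's /api/v0/public-keys endpoint).
type Party struct {
	Name string
	Key  ed25519.PublicKey
}

// statement builds the bytes every party signs: a fixed predicate plus the
// artifact's SHA-256, so an attestation is bound to one exact binary.
func statement(artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return []byte("rebuilt-reproducibly sha256:" + hex.EncodeToString(sum[:]))
}

// CountConfirmations returns how many distinct trusted parties produced a valid
// attestation for artifact. Unknown keys, bad signatures and duplicate
// attestations from the same party are all ignored.
func CountConfirmations(trusted []Party, artifact []byte, atts []Attestation) int {
	msg := statement(artifact)
	confirmed := map[string]bool{}
	for _, a := range atts {
		for _, p := range trusted {
			if !p.Key.Equal(a.PublicKey) || confirmed[p.Name] {
				continue
			}
			if ed25519.Verify(p.Key, msg, a.Signature) {
				confirmed[p.Name] = true
			}
		}
	}
	return len(confirmed)
}

// Accept applies the k-of-n policy: at least threshold distinct trusted parties
// must have confirmed the rebuild.
func Accept(trusted []Party, threshold int, artifact []byte, atts []Attestation) bool {
	return CountConfirmations(trusted, artifact, atts) >= threshold
}

// NewParty generates a fresh long-term key for a hypothetical rebuilder instance.
func NewParty(name string) (Party, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Party{Name: name, Key: pub}, priv
}

// Sign is what a rebuilder would do after reproducing the artifact bit-for-bit.
func Sign(priv ed25519.PrivateKey, artifact []byte) Attestation {
	return Attestation{
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, statement(artifact)),
	}
}

// Scenario runs the policy over constructed cases and reports each outcome.
func Scenario() (twoOfThree, oneOfThree, duplicateOnly, strangerHelps, tampered bool) {
	a, aPriv := NewParty("rebuilder-a") // hypothetical instances
	b, bPriv := NewParty("rebuilder-b")
	c, _ := NewParty("rebuilder-c")
	_, strangerPriv := NewParty("not-selected") // key the user never chose
	trusted := []Party{a, b, c}
	artifact := []byte("constructed package bytes") // stands in for a .pkg.tar.zst

	twoOfThree = Accept(trusted, 2, artifact, []Attestation{Sign(aPriv, artifact), Sign(bPriv, artifact)})
	oneOfThree = Accept(trusted, 2, artifact, []Attestation{Sign(aPriv, artifact)})
	duplicateOnly = Accept(trusted, 2, artifact, []Attestation{Sign(aPriv, artifact), Sign(aPriv, artifact)})
	strangerHelps = Accept(trusted, 2, artifact, []Attestation{Sign(aPriv, artifact), Sign(strangerPriv, artifact)})
	other := []byte("a different build of the same package")
	tampered = Accept(trusted, 2, other, []Attestation{Sign(aPriv, artifact), Sign(bPriv, artifact)})
	return
}

func main() {
	two, one, dup, stranger, tampered := Scenario()
	fmt.Println("2 of 3 confirm:        ", two)      // true
	fmt.Println("1 of 3 confirm:        ", one)      // false
	fmt.Println("same party twice:      ", dup)      // false
	fmt.Println("unknown key helps:     ", stranger) // false
	fmt.Println("attestation for other: ", tampered) // false
}
```

The threshold and the set of parties are entirely the user's choice, which is the point of the post: the instance publishes the key it identifies with, and the consumer decides which instances to trust and how many must agree before a binary is accepted.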

