In the current technological landscape, there's a glaring absence of mechanisms to verify that an executable file has been compiled from a specific source code. This gap poses significant challenges in terms of security, transparency, and trust, as there is no definitive way to prove the authenticity of the compiled software.
To address this issue, we are introducing a method that involves standardizing the compilation process within an enclave environment. An enclave is a protected, isolated area of execution, where code can be run in confidentiality and integrity, safeguarded from potential tampering or unauthorized access.
1. Apply for a Nitro Enclave machine on AWS.
2. Configure the GitHub runner:
   2.1. Settings → Actions → Runners → New self-hosted runner
   2.2. Follow the instructions to configure the GitHub Runner, then download the Software Build Attestation Image.
3. Download the Attestation Build Tool.
4. Create `build_attestation.yml` under the project's `.github/workflow` directory:

```yaml
name: Software Build Attestation
on:
  release:
    types: [published]
jobs:
  build:
    permissions: write-all
    runs-on: [self-hosted]
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Build
        run: |
          tee-compile build -output release.tar -nitro ~/ata-build-rust-latest.eif
      - name: Release
        uses: softprops/action-gh-release@v1
        with:
          files: release.tar
```

The workflow runs on the self-hosted enclave runner whenever a release is published: the Build step invokes `tee-compile` with the `ata-build-rust-latest.eif` enclave image, and the Release step attaches the resulting `release.tar` to the GitHub release. Note that `permissions: write-all` grants the job token every scope; uploading release assets only needs `contents: write`, so narrow this where the repository policy allows.
Then create the `build.json` file in the project:

```json
{
  "language": "rust",
  "input": {
    "cmd": "./scripts/build.sh",
    "vendor": "./scripts/vendor.sh"
  },
  "output": {
    "files": [
      "target/release/binary"
    ]
  }
}
```
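As an added illustration, not part of this page or the Attestation Build Tool, the following Python validator checks a `build.json` document against the shape shown above; the rules it applies, including rejecting a trailing comma (which strict JSON parsers refuse) and rejecting script or output paths that could escape the project tree, are my own assumptions about a sane configuration, not the tool's documented behaviour:

```python
import json
from pathlib import PurePosixPath

# Constructed sample configs: the page's build.json as shown, plus two defective variants.
GOOD_CONFIG = """{
  "language": "rust",
  "input": {"cmd": "./scripts/build.sh", "vendor": "./scripts/vendor.sh"},
  "output": {"files": ["target/release/binary"]}
}"""
TRAILING_COMMA = GOOD_CONFIG.replace('["target/release/binary"]', '["target/release/binary",]')
ESCAPING_PATH = GOOD_CONFIG.replace('"target/release/binary"', '"../outside/binary"')


def _inside_project(path):
    """True if `path` is a relative POSIX path that cannot escape the project tree."""
    p = PurePosixPath(path)
    return bool(path) and not p.is_absolute() and ".." not in p.parts


def validate_build_config(text):
    """Return the problems found in a build.json document (empty list = OK).
    Checks the shape the page's example shows: "language", input.cmd/vendor, output.files."""
    try:
        cfg = json.loads(text)  # strict JSON: a trailing comma is rejected here
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(cfg, dict):
        return ["top level must be an object"]
    problems = []
    if not isinstance(cfg.get("language"), str) or not cfg["language"]:
        problems.append("language must be a non-empty string")
    inp = cfg.get("input")
    if not isinstance(inp, dict):
        problems.append("input must be an object")
    else:
        for key in ("cmd", "vendor"):
            if not isinstance(inp.get(key), str) or not _inside_project(inp[key]):
                problems.append(f"input.{key} must be a relative path inside the project")
    out = cfg.get("output")
    files = out.get("files") if isinstance(out, dict) else None
    if not isinstance(files, list) or not files:
        problems.append("output.files must be a non-empty array")
    else:
        for f in files:
            if not isinstance(f, str) or not _inside_project(f):
                problems.append(f"output file {f!r} must be a relative path inside the project")
    return problems
```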
Before You Contribute:
- Raise an Issue: If you find a bug or wish to suggest a feature, please open an issue first to discuss it. Detail the bug or feature so we understand your intention.
- Pull Requests (PR): Before submitting a PR, ensure:
  - Your contribution successfully builds.
  - It includes tests, if applicable.
License: Apache