-
If you mean the integrity of the package, then a deterministic checksum of the package content is calculated and signed over in every review, so anyone can compare whether the content of the package is the same as what the reviewers reviewed. Example. The checksum code is here: https://github.com/crev-dev/recursive-digest
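To show what "a deterministic checksum of package content" means in practice, here is an added example (not crev's recursive-digest code; its exact encoding and the `build_tree`/`verify_package` helpers and sample files are assumptions made for this illustration). It hashes a directory tree in a fixed order so that the same files always give the same digest regardless of creation order, while any content change gives a different one.

```python
import hashlib
import tempfile
from pathlib import Path


def recursive_digest(root):
    """Deterministic SHA-256 over a directory tree (illustrative, not crev's format).

    Files are visited in sorted relative-path order, and each (path, content-hash)
    pair is length-prefixed so two different trees cannot serialize to the same bytes.
    Empty directories and file permissions are deliberately not represented here.
    """
    root = Path(root)
    entries = sorted((p.relative_to(root).as_posix(), p) for p in root.rglob("*") if p.is_file())
    h = hashlib.sha256()
    for rel, path in entries:
        name = rel.encode("utf-8")
        h.update(len(name).to_bytes(4, "big") + name)
        h.update(hashlib.sha256(path.read_bytes()).digest())
    return h.hexdigest()


def verify_package(root, expected_hex):
    """What a reader of a signed review would do: recompute and compare (assumed helper)."""
    return recursive_digest(root) == expected_hex


def build_tree(files):
    """Write {relative_path: bytes} into a fresh temp directory (constructed sample input)."""
    d = Path(tempfile.mkdtemp())
    for rel, data in files.items():
        p = d / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return d


# Constructed sample crate contents; not a real package.
SAMPLE_CRATE = {"Cargo.toml": b'[package]\nname = "demo"\n', "src/lib.rs": b"pub fn f() {}\n"}


def demo():
    """Returns (same_content_matches, tampered_content_matches)."""
    original = build_tree(SAMPLE_CRATE)
    reordered = build_tree(dict(reversed(list(SAMPLE_CRATE.items()))))  # same files, other write order
    tampered = build_tree({**SAMPLE_CRATE, "src/lib.rs": b"pub fn f() -> u8 { 1 }\n"})
    reviewed = recursive_digest(original)  # the value a review would sign over
    return verify_package(reordered, reviewed), verify_package(tampered, reviewed)


if __name__ == "__main__":
    print(demo())  # (True, False)
```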
-
I just came across crev, love the concepts, this looks great - thanks for the effort first of all!
I looked through the book but did not find anything about how cryptographic verification is done - the registry files referenced from registry.toml have neither signatures nor digests for the audited libraries.
Any pointer would be greatly appreciated.