
Reproducible builds, code signing, and supply chain security #53

@jeremymanning

Description

Per spec T136 and whitepaper supply chain requirements:

  • Reproducible build configuration
  • Code-signing verification (agent refuses dispatch to unattested/unsigned agents)
  • Build provenance metadata (git commit, build timestamp) — partially in place via build.rs
  • Independent audit readiness for Phase 3

Requirements

  • Deterministic compilation producing identical binaries from same source
  • Ed25519 code signing for release binaries
  • Agent version verification on heartbeat (reject unknown versions)
  • Build provenance chain: source commit → CI build → signed artifact → distribution
  • Signer ≠ approver enforcement for release artifacts

Success Criteria

  • Two independent builds from same commit produce identical binary
  • Release binaries are Ed25519 signed
  • Agent rejects dispatch from unsigned/unattested peers
  • Build provenance metadata verifiable end-to-end
  • Signer ≠ approver enforced for release artifacts
  • Audit-ready documentation of supply chain

Testing (Principle V)

  • Build twice from same commit → verify identical output
  • Sign binary → distribute → verify signature on recipient
  • Deploy unsigned agent → verify cluster rejects it
  • Attempt same-identity sign + approve → verify rejected
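How the signing, provenance-binding and signer ≠ approver requirements above fit together, as an added illustration in Go using the standard-library crypto/ed25519 package; this is not the project's own (Rust) code, and Provenance, Release, Sign, Approve and Verify are names assumed here. Version checks on heartbeat are out of scope for this block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)
// Provenance is bound into the signed statement: source commit, build time and the artifact.
type Provenance struct {
	Commit    string // git commit the artifact was built from
	BuildTime string // CI build timestamp, RFC 3339
	Artifact  []byte // release binary bytes
}
// Statement canonicalises what is signed so a signature cannot be replayed onto another binary or commit.
func Statement(p Provenance) []byte {
	sum := sha256.Sum256(p.Artifact)
	return []byte(fmt.Sprintf("release|%s|%s|%x", p.Commit, p.BuildTime, sum[:]))
}
// Release carries the build signature and a second, independent approval.
type Release struct {
	Prov                Provenance
	Signer, Approver    ed25519.PublicKey
	Signature, Approval []byte
}
var ErrSameIdentity = fmt.Errorf("signer and approver must be distinct, valid identities")
// Sign produces the release signature with the build pipeline's key.
func Sign(priv ed25519.PrivateKey, p Provenance) Release {
	return Release{Prov: p, Signer: priv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(priv, Statement(p))}
}
// Approve adds the approver's signature over the same statement, refusing to let the signing identity approve its own release.
func Approve(r Release, priv ed25519.PrivateKey) (Release, error) {
	pub := priv.Public().(ed25519.PublicKey)
	if pub.Equal(r.Signer) {
		return r, ErrSameIdentity
	}
	r.Approver, r.Approval = pub, ed25519.Sign(priv, Statement(r.Prov))
	return r, nil
}
// Verify runs on the recipient before install: both signatures must check out over the bound provenance, from distinct well-formed keys.
func Verify(r Release) error {
	if len(r.Signer) != ed25519.PublicKeySize || len(r.Approver) != ed25519.PublicKeySize || r.Signer.Equal(r.Approver) {
		return ErrSameIdentity
	}
	msg := Statement(r.Prov)
	if !ed25519.Verify(r.Signer, msg, r.Signature) || !ed25519.Verify(r.Approver, msg, r.Approval) {
		return fmt.Errorf("signature verification failed")
	}
	return nil
}
```

The commit, timestamp and artifact bytes used when exercising this are constructed placeholders; in the real pipeline they come from the CI build that produced the binary.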
