
sdbv

Resources:

  • https://research.swtch.com/tlog
  • https://sum.golang.org/
  • https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md
  • https://github.com/crtsh/ct_monitor/blob/master/ct_monitor.go
  • https://tools.ietf.org/html/rfc6962#section-2.1

Go Checksum DB verifier: helps you prove that a checksum database is trustworthy.

Cryptographically prove that the current checksum database is a superset of a previous database. This prevents a checksum database from silently modifying checksums and simply recomputing its Merkle tree.

To do this, we need to periodically check for the latest tree head and prove that the previous tree head is contained within the new tree.
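In hash terms, that containment check is an RFC 6962 consistency proof between the previous and the latest tree head. The Go example below is added here and is not sdbv's code: it implements the RFC 6962 §2.1 leaf and node hashes and the consistency verification steps of RFC 9162 §2.1.4.2 over a caller-supplied proof (the checksum database serves no proof endpoint; the client derives the needed hashes from tiles, which this example assumes has already happened).

```go
package main
import (
	"bytes"
	"crypto/sha256"
)

// LeafHash and NodeHash are the RFC 6962 §2.1 domain-separated hashes:
// SHA-256(0x00 || leaf) and SHA-256(0x01 || left || right).
func LeafHash(leaf []byte) []byte {
	h := sha256.Sum256(append([]byte{0x00}, leaf...))
	return h[:]
}
func NodeHash(left, right []byte) []byte {
	h := sha256.Sum256(append(append([]byte{0x01}, left...), right...))
	return h[:]
}

// VerifyConsistency reports whether tree (second, secondHash) is an append-only
// extension of tree (first, firstHash), following RFC 9162 §2.1.4.2 (RFC 6962 §2.1.2).
func VerifyConsistency(first, second uint64, firstHash, secondHash []byte, proof [][]byte) bool {
	if first == second { // same tree head again: the roots must match
		return len(proof) == 0 && bytes.Equal(firstHash, secondHash)
	}
	if first == 0 || first > second || len(proof) == 0 {
		return false
	}
	if first&(first-1) == 0 { // old size is a power of two: old root is the first node
		proof = append([][]byte{firstHash}, proof...)
	}
	fn, sn := first-1, second-1
	for fn&1 == 1 { // skip complete subtrees shared by both trees
		fn, sn = fn>>1, sn>>1
	}
	fr, sr := proof[0], proof[0] // recomputed old and new roots
	for _, c := range proof[1:] {
		if sn == 0 {
			return false // proof longer than the new tree allows
		}
		if fn&1 == 1 || fn == sn { // c is a left sibling in both trees
			fr, sr = NodeHash(c, fr), NodeHash(c, sr)
			for fn&1 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else { // c is a right sibling that exists only in the new tree
			sr = NodeHash(sr, c)
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && bytes.Equal(fr, firstHash) && bytes.Equal(sr, secondHash)
}
```

A rejected proof means the new tree head cannot be appended onto the timeline the client already holds, which is exactly the silent-rewrite case the checksum database must not be able to get away with.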

Endpoints:

  • GET $GOSUMDB/lookup/M@V returns 1) the record number of the module version, 2) its go.sum lines, and 3) a tree head
  • GET $GOSUMDB/tile/H/L/K[.p/W] returns a log tile
  • GET $GOSUMDB/tile/H/data/K[.p/W] returns record data
  • GET $GOSUMDB/latest returns the latest signed tree head for a log

Example lookup and its response (record number, then go.sum lines; the hashes and the signed tree head are not reproduced here), followed by example tile paths:

  $GOSUMDB/lookup/go.dog/breeds@v0.3.2

  9
  go.dog/breeds v0.3.2
  go.dog/breeds v0.3.2/go.mod

  $GOSUMDB/tile/8/0/005
  $GOSUMDB/tile/8/1/000.p/59

The Go checksum database will run at https://sum.golang.org/ and serve the following endpoints:

/latest will serve a signed tree size and hash for the latest log.

/lookup/M@V will serve the log record number for the entry about module M version V, followed by the data for the record (that is, the go.sum lines for module M version V) and a signed tree hash for a tree that contains the record. If the module version is not yet recorded in the log, the notary will try to fetch it before replying. Note that the data should never be used without first authenticating it against the signed tree hash and authenticating the signed tree hash against the client's timeline of signed tree hashes.

/tile/H/L/K[.p/W] will serve a log tile. The optional .p/W suffix indicates a partial log tile with only W hashes. Clients must fall back to fetching the full tile if a partial tile is not found. The record data for the leaf hashes in /tile/H/0/K[.p/W] are served as /tile/H/data/K[.p/W] (with a literal data path element).

Clients are expected to use /lookup and /tile/H/L/... during normal operations, while auditors will want to use /latest and /tile/H/data/.... A special go command may also fetch /latest to force incorporation of that signed tree head into the local timeline.

A module proxy can also proxy requests to the checksum database. The general proxy URL form is /sumdb/. If GOPROXY=https://proxy.site then the latest signed tree would be fetched using https://proxy.site/sumdb/sum.golang.org/latest. Including the full database URL allows a transition to a new database log, such as sum.golang.org/v2.

Known key: sum.golang.org+033de0ae+Ac4zctda0e5eza+HJyk9SxEdh+s3Ux18htTTAD8OuAn8