re: Can you prove the code in the repository isn't altered? VIEW POST


if you use GIT, you could try commit signing, or hash the tarball you release and make that public. those are among the most used methods I've seen so far.


Commit signing would only tell the world the code actually comes from me. And the tarball is just a downloadable from Github right? The actual code could still be modified before it actually arrives on the server.


You are correct. But I don't think there is a sure way of telling the users that what you are using is the exact copy of the code from a repo. Maybe package the app as a docker image and add the image ID on the page? Or, if you are using PHP, package it as a PHAR archive and add its checksum on the page. I'm not sure of the equivalent in other languages.

code of conduct - report abuse