Rasmus Dahlberg via Sigsum-general sigsum-general@lists.sigsum.org writes:
I extrapolated a README from the below, see:
I was inspired by that concept:
https://gitlab.com/debdistutils/sigsum-artifact-reproducer
It is a monitor that tracks what my release SSH key has signed, and (hopefully) will continuously, over the coming years, attempt to reproduce those release artifacts from git repository content.
There is one job "no-hidden-releases" that runs sigsum-monitor and looks for things signed by my SSH key. The job will fail if there are any unknown checksums in the log, suggesting the existence of "hidden releases".
There are jobs "libtasn1-v4.20.0" and "inetutils-v2.6" that rebuild the release artifacts from git and compare their checksums with what's stored in the Sigsum log. The scripts to reproduce the artifacts should work in any environment that has Guix for time travelling, and common tools like 'xxd', 'sha256sum' etc.
This is designed differently than your project above, and it isn't really a third-party monitor since someone other than me would have to audit the code and run it. But it is quite small and easy to audit.
This is designed from a per-user/key perspective rather than a per-project perspective. I'm not sure what a monitor for a single project with releases signed by multiple people would look like, since those people could also sign other unrelated artifacts. Maintaining distinct per-user per-project private keys sounds horrible to me, but I would prefer the concept of a "project-specific" release artifact monitor rather than it being "maintainer-specific".
/Simon
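The two checks Simon describes (flag any checksum the release key signed that no known release explains, and confirm that each artifact rebuilt from git has its checksum in the log) can be illustrated as follows. This is an added example, not code from the thread or from the sigsum-artifact-reproducer repository. It assumes that what the log records per signed artifact is a SHA-256 hex digest, that the monitor report can be reduced to one such digest per line (a constructed format, not sigsum-monitor's actual output), and it stands in constructed byte strings for the rebuilt tarballs; `run_checks`, `find_hidden_releases` and `verify_rebuilds` are names chosen here.

```python
from __future__ import annotations

import hashlib
import re

# A logged checksum is assumed to be a lowercase SHA-256 hex digest.
HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def checksum(data: bytes) -> str:
    """SHA-256 hex digest, the checksum form assumed to be recorded in the log."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the release tarballs rebuilt from git.  The real
# jobs rebuild libtasn1-v4.20.0 and inetutils-v2.6 with Guix; bytes suffice here.
REBUILT_ARTIFACTS: dict[str, bytes] = {
    "libtasn1-v4.20.0": b"constructed tarball bytes for libtasn1 4.20.0\n",
    "inetutils-v2.6": b"constructed tarball bytes for inetutils 2.6\n",
}

# Constructed monitor report: checksums signed by the release key.  The
# one-digest-per-line format with '#' comments is an assumption of this
# example, not sigsum-monitor's output format.  The third entry models a
# "hidden release": something the key signed that no known release explains.
MONITOR_OUTPUT = "\n".join([
    "# checksums signed by the release key (constructed report)",
    checksum(REBUILT_ARTIFACTS["libtasn1-v4.20.0"]),
    checksum(REBUILT_ARTIFACTS["inetutils-v2.6"]),
    checksum(b"constructed artifact nobody announced\n"),
    "",
])


def parse_monitor_output(text: str) -> set[str]:
    """Collect the digests in a report; a malformed line is an error, not ignored."""
    seen: set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not HEX_SHA256.match(line):
            raise ValueError(f"malformed checksum line: {line!r}")
        seen.add(line)
    return seen


def find_hidden_releases(logged: set[str], rebuilt: dict[str, bytes]) -> list[str]:
    """Job 'no-hidden-releases': logged checksums that no rebuilt release accounts for."""
    known = {checksum(data) for data in rebuilt.values()}
    return sorted(logged - known)


def verify_rebuilds(logged: set[str], rebuilt: dict[str, bytes]) -> dict[str, str]:
    """Per-release jobs: the checksum of the rebuilt artifact must appear in the log.

    'not-in-log' covers both a non-reproducible rebuild and a release that was
    never logged; the job cannot tell these apart from the log alone.
    """
    return {
        name: ("ok" if checksum(data) in logged else "not-in-log")
        for name, data in rebuilt.items()
    }


def run_checks(report: str, rebuilt: dict[str, bytes]) -> bool:
    """Run both kinds of job; True only if every check passes."""
    logged = parse_monitor_output(report)
    hidden = find_hidden_releases(logged, rebuilt)
    rebuilds = verify_rebuilds(logged, rebuilt)
    for digest in hidden:
        print(f"FAIL no-hidden-releases: unexplained checksum {digest}")
    for name, status in rebuilds.items():
        print(f"{'ok  ' if status == 'ok' else 'FAIL'} {name}: {status}")
    return not hidden and all(status == "ok" for status in rebuilds.values())


if __name__ == "__main__":
    # With the constructed report this fails: both rebuilds match, but the
    # third logged checksum is a hidden release.
    run_checks(MONITOR_OUTPUT, REBUILT_ARTIFACTS)
```

Note the asymmetry the two jobs enforce: a rebuilt artifact whose digest is missing from the log fails its own job, while a logged digest that no rebuild explains fails "no-hidden-releases"; both directions have to hold for the key's signing history to be fully accounted for.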