Dear list!

I don't blog often but published a brief writeup for the recent rebuilderd v0.25.0 release:

https://vulns.xyz/2025/09/rebuilderd-v0.25.0/

The code for in-toto attestations has been reworked and the instances now have a new endpoint that can be queried to fetch the list of public-keys an instance currently identifies with.

The endpoint looks like this:

https://reproducible.archlinux.org/api/v0/public-keys

All attestations now carry signatures from this long-term key.

This allows for "I have public-keys of 3 parties I selected (and trust to not collude), and if 2 of them cryptographically confirm they reproduced a binary package from source, I consider the package a-okay to use on my computers".

cheers,
kpcyrd
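A minimal k-of-n client policy of the kind the message describes, as an added example that is not rebuilderd's code; the JSON attestation payload, the party names, and the inline key lists standing in for what a client would fetch from each instance's public-keys endpoint are assumptions (it uses the `cryptography` package for Ed25519).

```python
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey

def raw(pub):  # raw 32-byte Ed25519 public key, used as the trust-store key
    return pub.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)

def build_trust_store(parties):
    # {party: [key_bytes, ...]}; a party may list several (rotated) keys
    return {bytes(k): name for name, keys in parties.items() for k in keys}

def verified_parties(package, trust_store, attestations):
    # attestation = (signer_key_bytes, payload_bytes, signature_bytes); payload shape assumed.
    # Unknown keys, bad signatures, other packages and non-GOOD results are ignored.
    parties = set()
    for pubkey, payload, sig in attestations:
        party = trust_store.get(bytes(pubkey))
        if party is None:
            continue
        try:
            Ed25519PublicKey.from_public_bytes(pubkey).verify(sig, payload)
        except InvalidSignature:
            continue
        claim = json.loads(payload)
        if claim.get("package") == package and claim.get("status") == "GOOD":
            parties.add(party)  # a set: one party counts once however many keys it uses
    return parties

def policy_accepts(package, trust_store, attestations, threshold=2):
    return len(verified_parties(package, trust_store, attestations)) >= threshold

def sign_attestation(priv, package, status):
    payload = json.dumps({"package": package, "status": status}).encode()
    return raw(priv.public_key()), payload, priv.sign(payload)

def demo():
    # constructed: three independent rebuilders the client chose to trust
    keys = {n: Ed25519PrivateKey.generate() for n in ("alice", "bob", "carol")}
    store = build_trust_store({n: [raw(k.public_key())] for n, k in keys.items()})
    ok = [sign_attestation(keys["alice"], "pkg-1.0", "GOOD"),
          sign_attestation(keys["bob"], "pkg-1.0", "GOOD"),
          sign_attestation(keys["carol"], "pkg-1.0", "BAD")]
    # alice twice, bob on another version, an untrusted key, and carol's BAD
    # signature reused over a tampered GOOD payload: only one party counts
    _, _, bad_sig = ok[2]
    forged = (ok[2][0], json.dumps({"package": "pkg-1.0", "status": "GOOD"}).encode(), bad_sig)
    weak = [ok[0], ok[0], sign_attestation(keys["bob"], "pkg-1.1", "GOOD"),
            sign_attestation(Ed25519PrivateKey.generate(), "pkg-1.0", "GOOD"), forged]
    return policy_accepts("pkg-1.0", store, ok), policy_accepts("pkg-1.0", store, weak)
```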
