Reproducible builds are a valuable property for remote attestation workflows but often hard to maintain. We faced a special challenge building reproducible artifacts that contain signatures.

Together with @Euler I wrote a blog post about how we used ECDSA public key recovery to generate signatures that match exactly one artifact, can be reproduced by a verifier, and are secure, without anyone ever knowing a private key.

https://katexochen.aro.bz/posts/reproducible-secure-signatures/

#ReproducibleBuilds #RemoteAttestation #Cryptography #ConfidentialComputing #Infosec

Secure signatures without a private key

Reproducible builds allow anyone to verify that a binary matches its source code. But what if the build artifact must contain a cryptographic signature? Reproducing the signature requires the private key, which defeats the purpose of reproducibility. In this post, we present a technique based on ECDSA public key recovery that produces signatures which are both secure and fully reproducible, without anyone ever knowing a private key.

Build artifacts with signatures - a reproducibility issue

Remote attestation is a fundamental part of Confidential Computing. It can be used to prove what software is running in a remote environment. Users of such an attested environment do not need to trust the software vendor, excluding them from the trusted computing base[1].

RE: https://fosstodon.org/@golemwire/116444607177916368

@Gina That's awful. They're trying to get people to use the LinkedIn mobile app for identity verification, which is really annoying as they're trying to take me from my open browser to a locked-down platform. (#remoteAttestation, anyone?)

I see that #LinkedIn is trying to loop me into a locked-down platform. (No surprise, obviously, coming from #Microsoft).

#remoteAttestation #platformDecay

To me, this clearly looks like #Valve is investing in #RemoteAttestation as an alternative to #KernelLevelAntiCheat : lists.archlinux.org/archives/l…
Update on Valve sponsored work in Q1 2026 - Arch-dev-public - lists.archlinux.org

UKI, composefs and remote attestation for Bootable Containers

With Bootable Containers (bootc), we can place the operating system files inside a standard OCI container. This lets users modify the con...

That meant that programs on other computers could decide whether to talk to your computer based on whether they agreed with your choices about which code to run.

This process, called "#RemoteAttestation," is generally billed as a way to identify and block computers that have been compromised by malware, or to identify gamers who are running cheats and refuse to play with them.

9/

Achievement Unlocked:
Remote attestation with Keylime on RHEL. Whew!

#keylime #rhel #redhat #redhatenterpriselinux #remoteattestation #infosec #security

You get subjected to draconian tech like #DRM, #TrustedComputing, #RemoteAttestation and #PartsPairing in the name of protecting IP. What about your IP? The code you write, the paintings you make and even your online comments get fed into #AI and reproduced wholly or in part elsewhere, in the name of #fairuse. What is common to these seemingly contradictory, if not hypocritical, measures? Those who promote them have the money to deploy them en masse and fight you in court if you challenge them.

#RemoteAttestation and #WebEnvironmentIntegrity are abstract but it boils down to this: in a conflict between what you want your browser to do and what some website wants from it, you should win. It’s yours, what you say goes.

https://t.co/UCNtY3a27Y

#WEI #OpenWeb #NoWEI #DRM

🐦🔗: https://nitter.oksocial.net/eff/status/1689049096341135360

[2023/08/08 23:01]