Andrew AyerNew blog post: I'm Independently Verifying Go's Reproducible Builds: https://www.agwa.name/blog/post/verifying_go_reproducible_builds
| Pronouns | He/him |
| Website | https://www.rgdd.se |
Rasmus Dahlberg
@rgdd
- 86 Followers
- 59 Following
- 76 Posts
Software engineer and computer scientist. Employed by Glasklar Teknik, a sister company of Mullvad VPN and Tillitis. Core member of the Tor project. Passionate about transparency logs, anonymity networks, and Linux.
Filippo ValsordaExtremely happy to see https://sourcespotter.com, a Go Checksum Database monitor and Go toolchain reproducer by @agwa.
These use the transparency logs we built into the Go supply chain to keep the Google-operated services honest.
You can check your local view of the sumdb matches Source Spotter's with this command:
curl --data-binary "@$(go env GOPATH)/pkg/sumdb/sum.golang.org/latest" https://gossip.api.sourcespotter.com/sum.golang.org
Built a couple tools to download historical Certificate Transparency logs into the Static CT format, and compress them into self-verifying zip files, each covering a subtree of height 24.
This will let us store these datasets at @internetarchive for future research.
Example archive: https://archive.org/details/ct_digicert_yeti2018
Mailing list discussion: https://groups.google.com/a/chromium.org/g/ct-policy/c/Y25hCTrCjDo/m/yrjDnX7IAQAJ
DigiCert Yeti2018 Log : Free Download, Borrow, and Streaming : Internet Archive
This is an archive of a Certificate Transparency log, stored in the c2sp.org/[email protected] format, although if this log was originally served through...
deadprogramJust released version 0.1 of TinyGo-TKey to develop apps for the Tillitis TKey-1 using TinyGo!
https://github.com/hybridgroup/tinygo-tkey
TKey-1 is an open source, open hardware FPGA-based USB security token from the awesome team at Tillitis:
https://tillitis.se/
Last week I discovered that DigiCert had disclosed the wrong certificate expiration range for two of their Certificate Transparency logs. They said the logs would accept certificates expiring before 2026-07-01. It was really 2026-07-07.
This wasn't a problem until GoDaddy started sending certificates expiring between 2026-07-01 and 2026-07-07 to these logs. The certificates are being rejected by Safari, which enforces the upper bound of 2026-07-01.
The logs have been reconfigured with an upper bound of 2026-07-01, but broken certs are still out there causing errors.
https://sslmate.com/blog/post/godaddy_issues_thousands_of_broken_certificates
This wasn't a problem until GoDaddy started sending certificates expiring between 2026-07-01 and 2026-07-07 to these logs. The certificates are being rejected by Safari, which enforces the upper bound of 2026-07-01.
The logs have been reconfigured with an upper bound of 2026-07-01, but broken certs are still out there causing errors.
https://sslmate.com/blog/post/godaddy_issues_thousands_of_broken_certificates
As excited about transparency logs as me? Don't miss the transparency.dev summit in Sweden, 20-22 October.
Interest survey: https://docs.google.com/forms/d/e/1FAIpQLSfabrC4JnWQCKGjPuHg4-kAua6Fe9wc0259IEn0pLTW1vAeOQ/viewform
Transparency.dev Summit 2025 - Interest Survey
We are planning the 2nd annual Transparency.dev Summit which takes place in Gothenburg, Sweden, on October 20-22, 2025. The summit is an opportunity for implementers, operators, and users of real world transparency systems to meet peers, share best practices, and learn about the latest developments in the community. In addition to a variety of transparency-log topics, the summit will feature dedicated sessions for the Certificate Transparency community (e.g., a colocated CT day style event). The purpose of this survey is to gauge interest in different topics from the community. Other than Certificate Transparency, the topics that are currently being considered are: Applications of Transparency - We're excited to have talks on existing and emerging use-cases: Binary Transparency - This is a broad umbrella where we focus on 2 aspects: Signature transparency logs such as Sigsum and Sigstore. Package index logs such as GoSumDB. Key Transparency - E.g., discussion of production deployments and open challenges. Other uses - Please do not feel limited if your application's umbrella is not listed here. Core Transparency Technology - Verifiable data structures are at the core of all transparency applications. Implementations of verifiable logs, maps, and adjacent technologies such as witnesses, verifiers, and monitors are for example in scope. Transparency Future Roadmap - What’s next for transparency? We’ll explore the roadmap ahead for various transparency technologies and standards. Let us know what topics you're missing or would be most interested in. Also let us know if you are interested in helping plan the summit. Please feel free to forward this interest survey to others in your organization that may be interested in contributing, e.g., by attending or giving a talk. Updates for the event will be shared on the Transparency.dev summit website, in the transparency-dev Slack (invite link), and via email. A call for presentations will be announced towards the end of May. Registration opens in July.
Very excited to submit the Tuscolo Certificate Transparency logs for inclusion today! 🧾🪵☀️
These logs are Sunlight-based, and operated by Geomys and Port 179 LTD on bare metal. They cost 50 times less than RFC 6962 logs in the cloud.
https://groups.google.com/a/chromium.org/g/ct-policy/c/KCzYEIIZSxg
I'll be at FOSDEM -- don't be a stranger if you see me. I'd love to say hello! 👋
Today's fun: check that @filippo is publishing all (signed) binary releases of age. Exactly what I would expect since I trust filippo -- but it never hurts to verify!
For the crude christmas prototype, see: https://git.glasklar.is/rgdd/age-release-verify
Was all you wanted for christmas a transparent ssh setup that lets you verify a user didn't run any inappropriate commands? If so I'm happy to wish you a merry christmas with this ssh+sigsum protoype: