
Is there a mechanism that can ensure a deployment (a server that serves HTTPS responses) is built from the actual (public) source code provided at another HTTPS URL?

Source code:

from commit #10020 at https://git.localhost/ (contains a file with a signed message?)

Deployment:

using the source code of commit #10020 at https://app.localhost/ ... provides signed response headers like X-Hash: 1123123abcdef312 and X-Signature: 987987978978879 ??

Considering all HTTPS certificates are valid and there is no TLS MITM happening from outside the domain(s), is there a way to prove the link between source and output?

Daniel W.

1 Answer


It is impossible to prove that a specific output was created by a specific implementation just by looking at the output since there are unlimited possible implementations to create the same output. Use of HTTPS does not help here since HTTPS only protects the communication itself. It does not include a signature of the code creating the output or similar.

Steffen Ullrich
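The point of the answer, shown as an added example (not code from the question or the answer): the X-Hash / X-Signature headers proposed in the question are hypothetical names, the signing key is a constructed demo value, and both "implementations" are stand-ins. Two different implementations produce byte-identical bodies, so the headers they emit are identical and both verify. A client checking only the output and its signature learns that the key holder vouched for those bytes, not which code produced them.

```python
# Added example, not part of the original question or answer.
# Demonstrates that signed response headers cannot bind a response to a
# specific implementation: any code that yields the same bytes gets the
# same hash and the same signature.
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would keep this in a KMS/HSM.
SIGNING_KEY = b"constructed-demo-key-not-secret"


def sign_response(body: bytes, key: bytes = SIGNING_KEY) -> dict:
    """Build the hypothetical X-Hash / X-Signature headers from the question."""
    digest = hashlib.sha256(body).hexdigest()
    signature = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"X-Hash": digest, "X-Signature": signature}


def verify_response(body: bytes, headers: dict, key: bytes = SIGNING_KEY) -> bool:
    """Everything a client can check: hash matches body, signature matches hash."""
    expected = sign_response(body, key)
    return (hmac.compare_digest(expected["X-Hash"], headers.get("X-Hash", ""))
            and hmac.compare_digest(expected["X-Signature"],
                                    headers.get("X-Signature", "")))


def implementation_from_source(items: list) -> bytes:
    """Stand-in for the server built from the published commit."""
    return json.dumps({"total": sum(items)}, separators=(",", ":")).encode()


def implementation_unknown(items: list) -> bytes:
    """A different, unpublished implementation producing the same bytes."""
    total = 0
    for x in items:
        total += x
    return ('{"total":' + str(total) + "}").encode()


def serve(impl, items: list):
    """Simulate one HTTPS response: body plus the signed headers."""
    body = impl(items)
    return body, sign_response(body)


def indistinguishable(items=(1, 2, 3)) -> bool:
    """True when both implementations give identical bodies and headers that both verify."""
    body_a, headers_a = serve(implementation_from_source, list(items))
    body_b, headers_b = serve(implementation_unknown, list(items))
    return (body_a == body_b
            and headers_a == headers_b
            and verify_response(body_a, headers_a)
            and verify_response(body_b, headers_b))


if __name__ == "__main__":
    print("verifier cannot tell the implementations apart:", indistinguishable())
```

Run it and `indistinguishable()` returns True: the verifier accepts both responses and has no way to tell which implementation produced them, which is exactly why output-side signatures cannot prove the link to a given commit.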