README
¶
Trillian examples
This repository contains example applications built on top of Trillian, showing that it's possible to apply transparency concepts to problems other than certificates. It also contains general-purpose components that can be used to strengthen the guarantees of a transparent ecosystem that already contains verifiable logs.
Currently the examples here are:
- binary_transparency/firmware: A demo showing how to apply transparency bring discoverability to device firmware updates, but the principles are also more generally applicable to all kinds of binaries/updates.
- helloworld: A simple example demonstrating the correct configuration of a Trillian log, personality, and client.
- sumdbaudit: Demonstration of an auditor for the GoLang SumDB module proxy, which clones a log and verifies the data in it.
The general-purpose components are:
- serverless: A suite of command-line tools for managing transparency logs whose state is entirely composed of on-disk files, along with examples of how to use GitHub/GitHub Actions to host & publicly serve the log.
Notable projects that have graduated from this repository to their own top-level repositories:
There are two experimental deployments of the witness that have been deleted but
are signposted here for archival reasons. Both of these tools can be retrieved
by cloning this repository at git commit 793dcf1:
These examples and components are not supported per-se, but the Trillian team will likely try to help where possible. You can contact them via the channels listed under Support on the Trillian repo.
Directories
¶
| Path | Synopsis |
|---|---|
|
binary_transparency
|
|
|
firmware/cmd/emulator/dummy
dummy_emu is an "emulator" for the dummy device.
|
dummy_emu is an "emulator" for the dummy device. |
|
firmware/cmd/emulator/dummy/impl
Package impl is the implementation of the emulator for the dummy device.
|
Package impl is the implementation of the emulator for the dummy device. |
|
firmware/cmd/flash_tool
flash_tool is a util to flash firmware update packages created by the publisher tool onto devices.
|
flash_tool is a util to flash firmware update packages created by the publisher tool onto devices. |
|
firmware/cmd/flash_tool/impl
Package impl is the implementation of a util to flash firmware update packages created by the publisher tool onto devices.
|
Package impl is the implementation of a util to flash firmware update packages created by the publisher tool onto devices. |
|
firmware/cmd/ft_monitor
This package is the entrypoint for the Firmware Transparency monitor.
|
This package is the entrypoint for the Firmware Transparency monitor. |
|
firmware/cmd/ft_monitor/impl
Package impl is the implementation of the Firmware Transparency monitor.
|
Package impl is the implementation of the Firmware Transparency monitor. |
|
firmware/cmd/ft_personality
This package is the entrypoint for the Firmware Transparency personality server.
|
This package is the entrypoint for the Firmware Transparency personality server. |
|
firmware/cmd/ft_personality/impl
Package impl is the implementation of the Firmware Transparency personality server.
|
Package impl is the implementation of the Firmware Transparency personality server. |
|
firmware/cmd/ft_personality/internal/cas
Package cas contains a Content Addressable Store.
|
Package cas contains a Content Addressable Store. |
|
firmware/cmd/ft_personality/internal/http
Package http contains private implementation details for the FirmwareTransparency personality server.
|
Package http contains private implementation details for the FirmwareTransparency personality server. |
|
firmware/cmd/ft_personality/internal/trees
Package trees contains the personality tree configuration.
|
Package trees contains the personality tree configuration. |
|
firmware/cmd/ft_personality/internal/trillian
Package trillian represents the log for the needs of this personality.
|
Package trillian represents the log for the needs of this personality. |
|
firmware/cmd/ft_witness
This package is the entrypoint for the Firmware Transparency witness server.
|
This package is the entrypoint for the Firmware Transparency witness server. |
|
firmware/cmd/ft_witness/impl
Package impl is the implementation of the Firmware Transparency witness server.
|
Package impl is the implementation of the Firmware Transparency witness server. |
|
firmware/cmd/ft_witness/internal/http
Package http contains private implementation details for the FirmwareTransparency witness.
|
Package http contains private implementation details for the FirmwareTransparency witness. |
|
firmware/cmd/ft_witness/internal/ws
Package ws contains a Witness Store backed by a file.
|
Package ws contains a Witness Store backed by a file. |
|
firmware/cmd/ftmap
map constructs a verifiable map from the firmware in the FT log.
|
map constructs a verifiable map from the firmware in the FT log. |
|
firmware/cmd/ftmapserver
This package is the entrypoint for the Firmware Transparency map server.
|
This package is the entrypoint for the Firmware Transparency map server. |
|
firmware/cmd/ftmapserver/impl
Package impl is the implementation of the Firmware Transparency map server.
|
Package impl is the implementation of the Firmware Transparency map server. |
|
firmware/cmd/hacker/modify_bundle
modify_bundle is a hacker tool for modifying proof bundles.
|
modify_bundle is a hacker tool for modifying proof bundles. |
|
firmware/cmd/hacker/modify_bundle/impl
Package impl is the implementation of a hacker tool for modifying proof bundles.
|
Package impl is the implementation of a hacker tool for modifying proof bundles. |
|
firmware/cmd/publisher
publish is a demo tool to put firmware metadata into the log.
|
publish is a demo tool to put firmware metadata into the log. |
|
firmware/cmd/publisher/impl
Package impl is a the implementation of a tool to put firmware metadata into the log.
|
Package impl is a the implementation of a tool to put firmware metadata into the log. |
|
firmware/devices/dummy
Package dummy provides a fake device to demo flashing firmware.
|
Package dummy provides a fake device to demo flashing firmware. |
|
firmware/devices/usbarmory/flash
Package flash holds code to deal with the USB armory SD card storage.
|
Package flash holds code to deal with the USB armory SD card storage. |
|
firmware/internal/ftmap
Package ftmap contains Beam pipeline library functions for the FT verifiable map.
|
Package ftmap contains Beam pipeline library functions for the FT verifiable map. |
|
firmware/internal/verify
Package verify holds helpers for validating the correctness of various artifacts and proofs used in the system.
|
Package verify holds helpers for validating the correctness of various artifacts and proofs used in the system. |
|
clone
|
|
|
cmd/ctclone
ctclone is a one-shot tool for downloading entries from a CT log.
|
ctclone is a one-shot tool for downloading entries from a CT log. |
|
cmd/ctverify
ctverify checks that leaf data downloaded by ctclone is committed to by a checkpoint.
|
ctverify checks that leaf data downloaded by ctclone is committed to by a checkpoint. |
|
cmd/serverlessclone
serverlessclone is a one-shot tool for downloading entries from an HTTP(s) exposed transparency log generated by the serverless tooling.
|
serverlessclone is a one-shot tool for downloading entries from an HTTP(s) exposed transparency log generated by the serverless tooling. |
|
cmd/sumdbclone
sumdbclone is a one-shot tool for downloading entries from sum.golang.org.
|
sumdbclone is a one-shot tool for downloading entries from sum.golang.org. |
|
cmd/sumdbclone/internal/client
Package client contains a basic client for the SumDB log.
|
Package client contains a basic client for the SumDB log. |
|
cmd/sumdbverify
verify checks that a cloned SumDB log does not contain any conflicting entries.
|
verify checks that a cloned SumDB log does not contain any conflicting entries. |
|
internal/cloner
Package cloner contains the core engine for quickly downloading leaves and adding them to the database.
|
Package cloner contains the core engine for quickly downloading leaves and adding them to the database. |
|
internal/download
Package download contains a library for downloading data from logs.
|
Package download contains a library for downloading data from logs. |
|
internal/verify
Package verify supports verification that the downloaded contents match the root hash commitment made in a log checkpoint.
|
Package verify supports verification that the downloaded contents match the root hash commitment made in a log checkpoint. |
|
logdb
Package logdb contains read/write access to the locally cloned data.
|
Package logdb contains read/write access to the locally cloned data. |
|
experimental
|
|
|
batchmap/ctmap/cmd/build
build is a tool to build a map from a given clone of a log.
|
build is a tool to build a map from a given clone of a log. |
|
batchmap/ctmap/internal/pipeline
Package pipeline contains Beam pipeline library functions for the CT verifiable map.
|
Package pipeline contains Beam pipeline library functions for the CT verifiable map. |
|
batchmap/sumdb/build
map constructs a verifiable map from the modules in Go SumDB.
|
map constructs a verifiable map from the modules in Go SumDB. |
|
batchmap/sumdb/build/pipeline
Package pipeline contains Beam pipeline library functions for the SumDB verifiable map.
|
Package pipeline contains Beam pipeline library functions for the SumDB verifiable map. |
|
batchmap/sumdb/verification
Package verification contains verifiers for clients of the map to confirm entries are committed to.
|
Package verification contains verifiers for clients of the map to confirm entries are committed to. |
|
batchmap/sumdb/verify
verify confirms that all of the entries in a go.sum file are committed to by the verifiable map created in this demo.
|
verify confirms that all of the entries in a go.sum file are committed to by the verifiable map created in this demo. |
|
batchmap/sumdb/versions
versions lists the versions for a module and verifies this in the map.
|
versions lists the versions for a module and verifies this in the map. |
|
formats
|
|
|
checkpoints
Package checkpoints provides functionality for handling checkpoints.
|
Package checkpoints provides functionality for handling checkpoints. |
|
Package helloworld runs a simple client, designed to interact with a personality.
|
Package helloworld runs a simple client, designed to interact with a personality. |
|
personality
Package personality runs a simple Trillian personality.
|
Package personality runs a simple Trillian personality. |
|
internal
|
|
|
github
Package github contains libraries for using github repositories that make serverless operations easy to follow.
|
Package github contains libraries for using github repositories that make serverless operations easy to follow. |
|
note
Package note provides note-compatible signature verifiers.
|
Package note provides note-compatible signature verifiers. |
|
serverless
|
|
|
cmd/clone2serverless
clone2serverless is a one-shot tool that creates a tile-based (serverless) log on disk from the contents of a cloned DB.
|
clone2serverless is a one-shot tool that creates a tile-based (serverless) log on disk from the contents of a cloned DB. |
|
cmd/clone2serverless/internal/storage/fs
Package fs provides a simple filesystem log storage implementation.
|
Package fs provides a simple filesystem log storage implementation. |
Click to show internal directories.
Click to hide internal directories.