Pinning Commitments

Commit Zero-Trust Integrity And Authenticity

Mi'kail Eli'yah
3 min read · Jun 4, 2023

We should keep an inventory of the packages we depend on (especially open-source ones, so that risky supply chains can be pinpointed). We can do this by committing to how the packages are linked and related in a Merkle tree, and pinning the resulting root.

Most people have the misconception that if an app or its source code is available on an official site or store, e.g. Google's or Apple's, then it must be secure. That is not the case. Recently there have been many incidents in which applications on Google Play were found to contain malware that was spying on, sniffing and stealing user data.

from typing import List, Optional
import hashlib

class Node:
    def __init__(self, left: Optional["Node"], right: Optional["Node"], value: str) -> None:
        self.left: Optional[Node] = left
        self.right: Optional[Node] = right
        self.value = value  # hex digest held by this node

    @staticmethod
    def hash(val: str) -> str:
        return hashlib.sha256(val.encode('utf-8')).hexdigest()

    @staticmethod
    def doubleHash(val: str) -> str:
        # hash twice so a leaf digest is never a plain single hash of its input
        return Node.hash(Node.hash(val))

class MerkleTree:
    def __init__(self, values: List[str]) -> None:
        self.__buildTree(values)

    def __buildTree(self, values: List[str]) -> None:
        leaves: List[Node] = [Node(None, None, Node.doubleHash(e)) for e in values]
        if len(leaves) % 2 == 1:
            leaves.append(leaves[-1])  # duplicate last leaf so every level pairs up
        self.root: Node = self.__buildTreeRec(leaves)

    def __buildTreeRec(self, nodes: List[Node]) -> Node:
        # base case: a single node is the root of the (sub)tree
        if len(nodes) == 1:
            return nodes[0]
        if len(nodes) % 2 == 1:
            nodes.append(nodes[-1])  # odd inner levels are padded the same way
        parents: List[Node] = []
        for i in range(0, len(nodes), 2):
            left, right = nodes[i], nodes[i + 1]
            parents.append(Node(left, right, Node.doubleHash(left.value + right.value)))
        return self.__buildTreeRec(parents)

    def getRootHash(self) -> str:
        # the root digest is the single value to pin and publish
        return self.root.value
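The pinning workflow the article describes, worked through end to end as an added example (this is not the article's own code): commit a package manifest to a Merkle root, derive an inclusion proof for each package, and verify entries against the pinned root so that a substituted version is rejected. The package names and versions are constructed sample data, and the `leaf_hash`/`node_hash` domain-separation prefixes are an assumption of this example, not something the article specifies.

```python
import hashlib
from typing import List, Tuple

# Constructed sample manifest (name==version); not taken from any real lockfile.
PACKAGES = [
    "requests==2.31.0",
    "urllib3==2.0.2",
    "certifi==2023.5.7",
    "idna==3.4",
    "charset-normalizer==3.1.0",
]

def leaf_hash(entry: str) -> str:
    # 0x00 prefix: a leaf digest can never collide with an inner-node digest
    return hashlib.sha256(b"\x00" + entry.encode("utf-8")).hexdigest()

def node_hash(left: str, right: str) -> str:
    # 0x01 prefix for inner nodes; children are hashed as raw digest bytes
    return hashlib.sha256(b"\x01" + bytes.fromhex(left) + bytes.fromhex(right)).hexdigest()

def build_levels(entries: List[str]) -> List[List[str]]:
    """Every level of the tree, leaves first and root last (levels stored unpadded)."""
    level = [leaf_hash(e) for e in entries]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]  # duplicate the last digest so pairs line up
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_root(entries: List[str]) -> str:
    """The commitment to pin: one digest that fixes every entry and its position."""
    return build_levels(entries)[-1][0]

def inclusion_proof(entries: List[str], index: int) -> List[Tuple[str, str]]:
    """Audit path for entries[index]: (sibling_digest, side) pairs from leaf to root."""
    proof: List[Tuple[str, str]] = []
    for level in build_levels(entries)[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]  # same padding rule as build_levels
        sibling = index ^ 1
        proof.append((level[sibling], "left" if sibling < index else "right"))
        index //= 2
    return proof

def verify_inclusion(entry: str, proof: List[Tuple[str, str]], pinned_root: str) -> bool:
    """Recompute the path from the leaf; only an untampered entry reaches the pinned root."""
    h = leaf_hash(entry)
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "left" else node_hash(h, sibling)
    return h == pinned_root

def manifest_matches(entries: List[str], pinned_root: str) -> bool:
    """Whole-manifest check: any added, removed, reordered or changed entry moves the root."""
    return merkle_root(entries) == pinned_root

if __name__ == "__main__":
    root = merkle_root(PACKAGES)          # pin this value out of band
    print("pinned root:", root)
    for i, pkg in enumerate(PACKAGES):
        print(pkg, "->", verify_inclusion(pkg, inclusion_proof(PACKAGES, i), root))
    tampered = PACKAGES.copy()
    tampered[1] = "urllib3==1.26.0"       # constructed downgrade of one dependency
    print("tampered manifest matches pin:", manifest_matches(tampered, root))
```

The two hash prefixes matter: without domain separation, an inner-node digest can be presented as if it were a leaf, which is the classic second-preimage weakness of naive Merkle trees. The padding rule (duplicate the last digest on odd levels) mirrors the article's `# duplicate last` step and must be identical on the committing and verifying side, otherwise honest proofs fail.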
