Trustix - A New Model for Nix Binary Substitutions
Trustix is a tool that compares build outputs for the same input across several independent providers. Its aim is to establish trust in software binaries and so make the software supply chain more secure.
Overview
In the modern digital world, we frequently rely on pre-built software binaries, trusting that they accurately reflect the intended program. However, there is no inherent guarantee that a binary was genuinely produced from the program's original source code and its proper build instructions. This gap is exactly what supply chain attacks exploit to distribute malicious software. To counter this, software is usually provided through centralized, highly secured distributors. Trustix, developed with support from an NGI0 PET grant, offers a decentralized way of establishing trust in binaries. This approach improves security and lets smaller providers distribute software safely, giving users a wider choice of trustworthy sources.
Trustix is tailored specifically for use within the Nix ecosystem.
How does this Translate to Nix?
Within the Nix ecosystem, pre-built binaries are distributed by entities known as binary substituters. These substituters are centralized caches and therefore a single point of failure in the trust chain when they provide packages to users. This presents several issues:
- If the NixOS Hydra build machines or their signing keys were compromised, attackers could serve tampered builds to users. The Nix ecosystem is not set up to roll keys, so a single compromised key would compromise every package in the cache. Recovering would require rebuilding or removing all affected packages, which is resource-intensive.
- Security-conscious users may also decline to trust the hardware on which NixOS Hydra builds binaries.
Trustix Design
Trustix addresses these concerns through distributed trust and trust agility. It compares build outputs across independent builders, each of which logs the hashes of the input and output pairs of its builds. The design involves:
- Each builder holding its own public-private key pair.
- In a post-build step, the builder signing the input hash together with the output hash (the NAR hash) and appending the pair to its ledger, a signed, append-only log of build results.
This allows a client to trust a binary substitution based on M-of-N agreement among the builders.
For example, consider four builders: Alice, Bob, Chuck, and Dan. Trustix is configured to trust a build if 3 of the 4 builders agree. All four claim to have built the hello derivation. Within the Trustix network they announce what they built and publish the hashes of the inputs and outputs of hello. If Alice, Bob, and Dan all produce the same output hash but Chuck produces a different one, Trustix can:
- Track how reproducible builds are across many builders.
- Trust builds confirmed by the required majority of builders.
- Automatically flag and exclude builders like Chuck that return inconsistent results.
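The following is an added worked example of the design and the four-builder scenario above, in Go; it is not code from the Trustix project, and its Entry/Publish/Decide API, the Ed25519 key handling and the placeholder hashes are assumptions for illustration only. Each builder signs its (input hash, output hash) pair in a post-build step; a client verifies every signature against the set of known builder keys, counts votes per output hash, and accepts an output only when at least M of the N builders agree. The scenario also adds an outsider, Eve, whose key is not trusted, to show that only known builders get a vote.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
)

// Entry is one record in a builder's signed, append-only log: for an input
// (derivation hash) the builder claims to have produced this output (NAR hash).
// The field layout is hypothetical, not Trustix's own log format.
type Entry struct {
	Builder, Input, Output string
	Sig                    []byte
}

// message binds builder, input and output so a signature cannot be replayed
// for another derivation or attributed to another builder.
func message(builder, input, output string) []byte {
	return []byte(builder + "\x00" + input + "\x00" + output)
}

// Publish is the post-build step: the builder signs its (input, output) pair.
func Publish(builder string, priv ed25519.PrivateKey, input, output string) Entry {
	sig := ed25519.Sign(priv, message(builder, input, output))
	return Entry{Builder: builder, Input: input, Output: output, Sig: sig}
}

// Decision is what a client learns about one input hash.
type Decision struct {
	Output     string   // agreed output hash, or "" when there is no quorum
	Trusted    bool     // at least m valid votes for Output
	Dissenters []string // known builders whose valid entry names another output
	Rejected   []string // entries dropped: unknown builder or bad signature
}

// Decide keeps entries for input that carry a valid signature from a known
// builder, then trusts an output only if at least m of those builders agree.
func Decide(input string, keys map[string]ed25519.PublicKey, entries []Entry, m int) Decision {
	var d Decision
	votes := map[string][]string{} // output hash -> builders who signed it
	for _, e := range entries {
		if e.Input != input {
			continue
		}
		pub, known := keys[e.Builder]
		if !known || !ed25519.Verify(pub, message(e.Builder, e.Input, e.Output), e.Sig) {
			d.Rejected = append(d.Rejected, e.Builder)
			continue
		}
		votes[e.Output] = append(votes[e.Output], e.Builder)
	}
	best := "" // most-voted output; ties broken by hash order for determinism
	for out, who := range votes {
		if len(who) > len(votes[best]) || (len(who) == len(votes[best]) && out < best) {
			best = out
		}
	}
	if best == "" || len(votes[best]) < m {
		return d // no M-of-N agreement: nothing is trusted
	}
	d.Output, d.Trusted = best, true
	for out, who := range votes {
		if out != best {
			d.Dissenters = append(d.Dissenters, who...)
		}
	}
	sort.Strings(d.Dissenters)
	return d
}

// Scenario replays the four-builder example with quorum 3 of 4: Alice, Bob and
// Dan agree on hello's output, Chuck differs, and an outsider (Eve) tries to vote.
func Scenario() (Decision, error) {
	const drv, good, bad = "sha256:hello-drv", "sha256:hello-nar", "sha256:hello-nar-chuck" // constructed
	claims := []struct{ name, output string }{
		{"Alice", good}, {"Bob", good}, {"Chuck", bad}, {"Dan", good}, {"Eve", bad},
	}
	keys := map[string]ed25519.PublicKey{}
	var entries []Entry
	for _, c := range claims {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return Decision{}, err
		}
		if c.name != "Eve" {
			keys[c.name] = pub // only the four known builders' keys are trusted
		}
		entries = append(entries, Publish(c.name, priv, drv, c.output))
	}
	return Decide(drv, keys, entries, 3), nil
}

func main() {
	d, err := Scenario()
	fmt.Printf("%+v err=%v\n", d, err)
}
```

Running Scenario yields a trusted decision for the good NAR hash with Chuck listed as the dissenter and Eve rejected; lowering the quorum or raising it above the number of agreeing builders changes the outcome to untrusted without any code change. The example models only the signed entries; it does not model the append-only structure of the log itself, which is what lets a client detect a builder that later rewrites its history.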
Related Projects
JFrog is exploring a similar concept; see their project's code and website.
Documentation
Trustix documentation is built continuously and published on GitHub Pages.
Further Resources
To delve deeper into Trustix and its concepts, you can explore these resources:
- The Trustix announcement post
- Insights on the data structure used by Trustix
- An article on how Trustix ensures decentralized trusted consensus
- An overview of the Trustix project on the NGI0 PET grant page
About the Project
Trustix's development has been supported by Tweag I/O and financed by the NLNet foundation and the European Commission’s Next Generation Internet programme through the NGI Zero PET fund for privacy and trust-enhancing technologies.