Independent package verification for Odyssey Linux
LICENSE Add GPLv3 license 2026-06-12 18:36:49 +01:00
odyssey-challenge odyssey-challenge: independent package verification tool 2026-06-07 14:39:37 +01:00
README.md odyssey-challenge: independent package verification tool 2026-06-07 14:39:37 +01:00

odyssey-challenge

Independent verification for Odyssey Linux packages.

Odyssey is maintained by one anonymous person. You are not asked to trust that person: every package is built from a public recipe, the build is reproducible, and each package's hash is published in a signed manifest. This tool lets you check that for yourself — and, if you want, rebuild a package from source and confirm it produces the exact same hash.

What it does

Every Odyssey package has its SHA-256 recorded in a manifest published at https://repo.odysseylinux.org/odyssey-repo/x86_64/odyssey-challenge.json. The manifest is signed with the maintainer's cosign key, and that signature is recorded in Sigstore's public Rekor transparency log.

odyssey-challenge has two modes:

  • verify — for everyone. Downloads the signed manifest, verifies its signature, then checks that a package matches the published hash. Fast, no build toolchain required.
  • rebuild — for advanced users / independent rebuilders. Rebuilds the package from the public recipe and confirms the resulting hash matches the manifest, then produces a signed attestation of your own that you can publish alongside the manifest. This is how independent parties vouch for a build without anyone having to trust a single source.

Requirements

  • cosign, jq, curl, sha256sum (verify)
  • additionally xbps-src (a checked-out void-packages) and your own cosign key pair (rebuild)

You also need the maintainer's public key. Get it independently of the package repo, from the keys repository:

git clone https://code.odysseylinux.org/nobody/odyssey-keys

Verifying the manifest with a key fetched from the same server that serves the manifest would prove nothing: whoever controls that server could replace both. Fetching the key from a separate host guards against a compromised package server, not against a compromised maintainer account, so keep the key you first fetched and treat a changed key on a later fetch as a red flag unless the change was announced through a channel you already trust.

Usage

Verify a package (normal users)

./odyssey-challenge verify PACKAGE --pubkey /path/to/cosign.pub

This downloads the package and the signed manifest, checks the manifest signature, and compares hashes. A green VERIFIED means the file you checked is byte-for-byte the one the maintainer signed: its SHA-256 equals the manifest entry, and the manifest's signature verified under the key you supplied. It does not, by itself, show that the package was built from the public recipe; that is what rebuild is for.

To check a file you already have:

./odyssey-challenge verify PACKAGE --file ./PACKAGE.xbps --pubkey cosign.pub

Rebuild and attest (advanced)

Check out the matching recipe revision in your void-packages, then:

cosign generate-key-pair          # one time: your own rebuilder key
./odyssey-challenge rebuild PACKAGE \
    --rebuilder YOUR_HANDLE \
    --pubkey /path/to/maintainer-cosign.pub

This rebuilds the package, compares the hash to the signed manifest, and writes attestation-YOUR_HANDLE-PACKAGE.json plus a .cosign.bundle signed with your key. Publish both so others can see your independent result. The attestation records both hashes and whether they matched; a mismatch is just as public and just as verifiable as a match. Before reading a mismatch as tampering, confirm that you built the same recipe revision the maintainer did and that your toolchain matches, since a reproducible build only reproduces when the inputs are the same.
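The hash comparison behind verify and the attestation record written by rebuild, as an added Python illustration that is not odyssey-challenge's own code (the tool itself builds on cosign, jq, curl and sha256sum). The manifest layout (a "packages" map keyed by file name, each with a "sha256" field), the attestation field names and the package name hello-1.0_1.x86_64.xbps are assumptions made for this example, the package bytes are constructed, and signing and signature verification with cosign are deliberately left out.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for PACKAGE.xbps (not a real xbps archive).
SAMPLE_PACKAGE = b"constructed sample .xbps payload for illustration\n"
SAMPLE_NAME = "hello-1.0_1.x86_64.xbps"  # assumed package file name


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob as lowercase hex (what sha256sum prints)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so a large package need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Constructed manifest text. The layout is assumed for this example; the real
# odyssey-challenge.json may use different field names. The digest is stored
# uppercase on purpose so the normalisation in load_manifest is exercised.
SAMPLE_MANIFEST_TEXT = json.dumps({
    "repo": "odyssey-repo/x86_64",
    "packages": {SAMPLE_NAME: {"sha256": sha256_hex(SAMPLE_PACKAGE).upper()}},
})


def load_manifest(text: str) -> dict:
    """Parse the manifest and normalise every recorded hash to 64 lowercase hex chars.

    Only call this on manifest bytes whose signature has already been checked;
    parsing before verifying would let an attacker hand you a manifest of
    their own choosing."""
    doc = json.loads(text)
    packages = doc.get("packages")
    if not isinstance(packages, dict):
        raise ValueError("manifest has no 'packages' map")
    for name, entry in packages.items():
        digest = str(entry.get("sha256", "")).strip().lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad sha256 for {name!r}")
        entry["sha256"] = digest
    return doc


def verify_package(manifest: dict, name: str, actual_sha256: str) -> dict:
    """Compare a package's hash against the signed manifest.

    Returns a record rather than a bare bool so a caller can show both digests.
    A package that the manifest does not list is reported as such, never as a pass."""
    entry = manifest["packages"].get(name)
    actual = actual_sha256.strip().lower()
    if entry is None:
        return {"package": name, "status": "NOT_IN_MANIFEST",
                "manifest_sha256": None, "actual_sha256": actual}
    expected = entry["sha256"]
    return {"package": name,
            "status": "VERIFIED" if expected == actual else "MISMATCH",
            "manifest_sha256": expected, "actual_sha256": actual}


def make_attestation(manifest: dict, name: str, rebuilt_sha256: str, rebuilder: str) -> dict:
    """Build the rebuilder's statement: both hashes and the outcome, match or not.

    This is the unsigned JSON body; the rebuilder signs it with their own key
    before publishing. Field names are assumed for this example."""
    result = verify_package(manifest, name, rebuilt_sha256)
    return {
        "rebuilder": rebuilder,
        "package": name,
        "manifest_sha256": result["manifest_sha256"],
        "rebuilt_sha256": result["actual_sha256"],
        "matched": result["status"] == "VERIFIED",
        "rebuilt_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    manifest = load_manifest(SAMPLE_MANIFEST_TEXT)
    print(verify_package(manifest, SAMPLE_NAME, sha256_hex(SAMPLE_PACKAGE))["status"])
    # A one-byte change to the rebuilt package is recorded as a public mismatch.
    tampered = SAMPLE_PACKAGE + b"x"
    att = make_attestation(manifest, SAMPLE_NAME, sha256_hex(tampered), "example-rebuilder")
    print(json.dumps(att, indent=2))
```

Two points the code makes that the text leaves implicit: the manifest must be parsed only after its signature has been checked, and an absent manifest entry is a distinct outcome from a mismatch, so a typo in the package name cannot be mistaken for a verified build.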

Trust model

The manifest is the maintainer's own signed statement. Rebuilder attestations are separate files, each signed by its own author; they are never written into the maintainer's manifest. Trust does not come from one party's word; it comes from independent signed statements that anyone can compare. A valid signature can only be produced by whoever holds the private key, so a forged manifest would require the maintainer's key to have been stolen, and Rekor is append-only, so an entry cannot be silently removed once logged. What this does not rule out is the maintainer's own key being misused; that is exactly the case independent rebuilds are meant to expose, because a package signed with a stolen key will still fail to reproduce from the public recipe.

Acknowledgements

The approach is inspired by guix challenge from GNU Guix, and more broadly by the work of the Reproducible Builds project (reproducible-builds.org), which established independent rebuild verification as a standard across distributions.

License

Public domain / CC0. Verify freely.