Walletwasabi: Implement Code Chain review process

We are constantly adding more and more administration around what gets into the master (for example at the beginning I was just pushing code to the master, didn't have CI, nor regtest, etc...)

But this is overkill at this point.

Btw the usefulness in signing of individual commits is highly debated.

Not sure if anything can be "overkill" in regards to software review and verification of a Bitcoin wallet.
And afaik, this would only include a chain of signatures in a file in the repo. In this sense it's a protocol similar to git, and it runs alongside it.

The attack is not hypothetical, at all!! There are already phising sites with wrong builds. Not a big step to introduce malicious commits...

I am very much in favor of at least strongly considering the integration.

The attack is not hypothetical, at all!! There are already phising sites with wrong builds. Not a big step to introduce malicious commits...

I review every commit. PGP doesn't do any good for this.

But I don't know that you did!

Withe code chain, every user knows that every commit was verified by for example 2/3 @nopara73 @lontivero @molnard.
For the user this is one single verification, might even be done automatically before the start of wasabi or something.

Smuggler summarizes it well in this tweet thread

You need one root of trust establishment, which means knowing any previously valid head of the codechain and trusting it. Afterwards the codechain verifies that the repo contains a valid codechain that covers the repo. For root of trust there is the optional of manual or DNSSec. One should keep the scenario in mind for which codechain was built. The main objective is to prevent insider attacks on code development, and to manage secure updates of software. It is to prevent outside coercion from being effective against code&infrastructure we work on.

Just to clarify, Codechain doesn't have anything to do with PGP and you do not sign every commit. It is orthogonal to Git. What you sign is releases (however you define that) and it let's you review and sign the diff between the last release and the new one. It really makes sense if you have more than one person reviewing and signing code, in order to prevent forced (as in $5 wrench attack) code updates.

But your call, I have no stakes in you using it.

Yes, thanks for the correction Frank! Though I think it would be possible for the devs to sign every commit [as is done already], and then use code chain for the review and merge? This would combine verification of the commit developer with the verification of review.

Here is a detailed walk-through of the protocol.

I'm re-opening this issue because I really think that this is a smart choice to use for secure code signing. To summarize the main advantages I see:

• One single source of truth: we know every user has the same software, no targeted back-doors.
• Threshold review signatures: proof that 2-of-3 David, Lucas, Nopara [or others] have reviewed and agree to the code changes, no rogue dev.
• Key rotation: when new reviewers join, or existing leave, or keys get compromised, it is easy to rotate singing keys.
• One process: the same signing protocol can be used on two different chains, one for the master branch, one for the release builds.
• No backdating: the unmodifiable hashchain protects against the signing of arbitrary changes to a package after the fact.
• Easy to use: although it's a new flow, for users it is only one command to verify and update the code, it's not worse than PGP.
• Cross plattform: just like Wasabi, CodeChain can be used on any plattform.
• Minimal codebase: written in Go, the codebase is minimal and without many dependencies.

This has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Although codechain is a lovely tool, it seems there's no consensus to implement it.

I'll review any effort to do so though.

Closing for now.