Merkle Manifests: Why Build Servers Lie (How to Cryptographically Prove It)
Verifying CI/CD Artifacts Against Human-Signed Source Trees
Introduction: The Build Server Is Not a Source of Truth
Most CI/CD security models assume the build server is honest.
This is a dangerous assumption.
SolarWinds demonstrated that a build sy...
ktamarapalli.hashnode.dev