I wonder if anyone did the research on this, but could we have signed build artifacts so that by checking the signature you know that the artifact A was built from the source B?
And through cryptomagic it could be verified without recompiling everything?
Little bit different, you cannot check to see if an artifact was intentionally changed by the author.
You still need to trust the publisher. I want to be able to validate a signature without recompiling, with no trust involved.
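The two positions in this thread, the original question (a signature that proves artifact A came from source B) and the reply (the signature only proves what the publisher claims), can be shown side by side in code. The following Go program is an added example written for this page, not code from either participant. It assumes a minimal provenance statement (artifact digest, source digest, builder name) signed with Ed25519 from Go's standard library, and a `toyBuild` function standing in for a deterministic, reproducible compiler; the source text, builder name and "backdoor" tampering are all constructed sample values. `VerifyProvenance` is the cheap signature check; `Reproduces` is the rebuild-and-compare check that needs no trust in the signer but does need a reproducible build and a full rebuild.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Provenance is a constructed, minimal attestation: the publisher claims that the
// artifact with ArtifactSHA256 was produced from the source tree with SourceSHA256.
type Provenance struct {
	ArtifactSHA256 string `json:"artifact_sha256"`
	SourceSHA256   string `json:"source_sha256"`
	Builder        string `json:"builder"`
}

// sha256Hex returns the lowercase hex SHA-256 digest of b.
func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// toyBuild stands in for a deterministic (reproducible) compiler: the same source
// bytes always yield the same artifact bytes, so anyone can rebuild and compare.
func toyBuild(source []byte) []byte {
	return append([]byte("ARTIFACT:"), source...)
}

// canonical serialises the statement in a fixed field order so signer and verifier
// sign and check identical bytes (encoding/json emits struct fields in declaration order).
func canonical(p Provenance) []byte {
	b, err := json.Marshal(p)
	if err != nil {
		panic(err) // a plain struct of strings cannot fail to marshal
	}
	return b
}

// SignProvenance is what the publisher does: it vouches for the statement.
func SignProvenance(priv ed25519.PrivateKey, p Provenance) []byte {
	return ed25519.Sign(priv, canonical(p))
}

// VerifyProvenance is the cheap check: it proves the statement was issued by the
// holder of the private key, and nothing more.
func VerifyProvenance(pub ed25519.PublicKey, p Provenance, sig []byte) bool {
	return ed25519.Verify(pub, canonical(p), sig)
}

// Reproduces is the trust-free check: rebuild the claimed source ourselves and compare
// the resulting digest with the artifact we were handed. It needs the build to be
// reproducible and costs a full rebuild; no signature can stand in for it.
func Reproduces(p Provenance, source, artifact []byte) bool {
	return sha256Hex(source) == p.SourceSHA256 &&
		sha256Hex(artifact) == p.ArtifactSHA256 &&
		sha256Hex(toyBuild(source)) == p.ArtifactSHA256
}

// Scenario runs one publish/verify round. With tamper=true the publisher alters the
// artifact after building and still signs a statement attributing it to the source.
// It returns whether the signature verifies and whether an independent rebuild agrees.
func Scenario(tamper bool) (sigOK, rebuildOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	source := []byte("fn main() { println!(\"hello\") }") // constructed sample source
	artifact := toyBuild(source)
	if tamper {
		artifact = append(artifact, []byte("+backdoor")...) // constructed tampering
	}
	stmt := Provenance{
		ArtifactSHA256: sha256Hex(artifact),
		SourceSHA256:   sha256Hex(source),
		Builder:        "example-publisher", // hypothetical builder identity
	}
	sig := SignProvenance(priv, stmt)

	// Consumer side: both checks, using only the public key, statement, source and artifact.
	sigOK = VerifyProvenance(pub, stmt, sig)
	rebuildOK = Reproduces(stmt, source, artifact)
	return sigOK, rebuildOK, nil
}

func main() {
	for _, tamper := range []bool{false, true} {
		sigOK, rebuildOK, err := Scenario(tamper)
		if err != nil {
			panic(err)
		}
		fmt.Printf("tampered=%v  signature valid=%v  independent rebuild matches=%v\n",
			tamper, sigOK, rebuildOK)
	}
}
```

Running it prints `signature valid=true` in both rounds and `independent rebuild matches=false` only in the tampered one: the signature catches a third party swapping the artifact, but not the key holder signing a false claim, which is exactly the reply's point. Real provenance systems hold the same line; they attach the attestation to a specific builder identity so the consumer can decide which builders to trust, and they lean on reproducible builds when the consumer wants to verify with no trust at all.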

