This is an example dashboard that shows how to use the "icetrust" tool for verification of software downloads using checksums and/or PGP. Development of this project was prompted by the recent supply chain attack against codecov.io.
A scheduled GitHub Action runs "icetrust" at regular intervals to download and verify projects. The results are committed back to Git and picked up by GitHub Pages. These projects were selected from the lists found in our "dont_curl_and_bash" project.
You can see the input/output files and Github actions here:
You can view this live at:
There is also an uptime-like status page available here:
To add a project, do the following:
- Add a new JSON file to the "/docs/data/input" folder.
- Run the test locally via the "/scripts/verify_all.sh" script.
- Add the project and its icon to the "sites" section of the ".upptimerc.yml" file found in the icecrust_uptime_example repo and point it back to the JSON output file here.
Please report issues or suggest features via the GitHub issue tracker or by email:
- Repo: https://github.com/nightwatchcybersecurity/icetrust_dashboard_example.
- Via email to research /at/ nightwatchcybersecurity [dot] com.
The "icetrust" source code can be found here:
- TBD