Trusting Dependencies: On-Chain Integrity Check

[mario-eth]

Enhancing Dependency Integrity Verification

To ensure that the currently installed dependency is not malicious, we need an authoritative mechanism to verify that the dependency files are legitimate and have not been tampered with.

One solution is to implement a smart contract stored on-chain. This smart contract would serve as a consortium that publishes checksums after each version of a dependency is released.

For example, when OpenZeppelin publishes version 5.3.0, a checksum would be generated and submitted on-chain. This checksum would then serve as the source of truth in the integrity check process.

Challenges:

1. Approval of Checksums: The teams responsible for maintaining the on-chain integrity must approve the checksums. Without their approval, we cannot ensure the checksums' authenticity.
2. Collaboration: Soldeer aims to build and maintain this system but requires collaboration from all relevant teams to approve the checksums. Without their cooperation, the checksums provided by Soldeer cannot be fully trusted.

By addressing these challenges, we can create a robust system for verifying dependency integrity, ensuring that installed dependencies are secure and unaltered.

[wagmiwiz]

It would be great to find a way to check integrity of dependencies.

Feels like the first step is simply having signed checksums for popular libs as most don't do this afaik (?). The issue then becomes how teams manage key security but there are well known procedures for that.

[oed]

Another way to solve this would be to allow publishing of packages using your Eth address + ENS. Could be something simple as a specific TXT record in the ENS name. This record would simply contain a content-hash of the package. The cli tool could then allow you to upload the package data itself to soldeer. Ideally the data is formatted in a portable format, e.g. unixfs would allow the package to also be distributed over IPFS.