>This feels like this might actually be a use-case for a blockchain or a Merkle Tree.
A few years ago, a similar idea for firmware binary security[0] had been explored by Google as a possible application of their Trillian[1] distributed ledger, which is based on Merkle Trees.
I don't know if they've advanced adoption of Trillian for firmware, however, the website lists Go packaging[2], Certificate Transparency[3], and SigStore[4] as current applications.
> Supply chain Levels for Software Artifacts, or SLSA (salsa), is a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.
> SLSA defines an incrementally-adoptable set of levels which are defined in terms of increasing compliance and assurance. SLSA levels are like a common language to talk about how secure software, supply chains and their component parts really are.
Trillian was already the name for a distributed system - an instant-messaging app. I used to use it around a decade ago. Seems like they still exist, but have pivoted into enshittification (it's an Electron app now, and you have to buy a subscription for chat history and read receipts).
A few years ago, a similar idea for firmware binary security[0] had been explored by Google as a possible application of their Trillian[1] distributed ledger, which is based on Merkle Trees.
I don't know if they've advanced adoption of Trillian for firmware, however, the website lists Go packaging[2], Certificate Transparency[3], and SigStore[4] as current applications.
[0] https://github.com/google/trillian-examples/tree/master/bina...
[1] https://transparency.dev/
[2] https://go.googlesource.com/proposal/+/master/design/25530-s...
[3] https://certificate.transparency.dev/
[4] https://www.sigstore.dev/