@kushal @securedrop Sounds good. It’s roughly what we do for Freenet, though there it’s done by gradle witness — and we have a script that can disassemble the release jars and check them against a local build, and the script ignores timestamps: github.com/freenet/scripts/blo

Though nowadays I would prefer to use a Guix setup for this.
