# gitGost Verification

## Currently Deployed Commit

Full source: https://gitgost.leapcell.app/health

## Independent Third-Party Verification (no trust in operator required)

The CI pipeline signs every build via Sigstore and records it in the Rekor transparency log. Those records are immutable and are controlled by neither gitGost nor Leapcell.

### 1. GitHub Attestations (easiest)

Every build on `main` generates a cryptographic build-provenance attestation via `actions/attest-build-provenance`. The attestation is anchored in Sigstore's public transparency log.

```bash
# Requires the GitHub CLI (gh)
# -f makes curl fail on an HTTP error instead of saving the error page as the binary
curl -fsSL -o gitgost-server https://gitgost.leapcell.app/gitgost-bin
gh attestation verify gitgost-server --repo livrasand/gitGost
# Expected: ✓ Verification succeeded
```

Browse all attestations: https://github.com/livrasand/gitGost/attestations

A successful verification proves that the downloaded binary was produced by a CI run of the `livrasand/gitGost` repository. It does not by itself prove that this binary is the one the service is executing; see Known Limitation below.

### 2. Sigstore / Rekor Transparency Log (independent)

The build provenance is recorded in Rekor, a public append-only log that anyone can audit. No operator action can remove or alter an entry once it is included.

Search for this commit's entry: https://search.sigstore.dev/?hash=

Rekor API (raw): https://rekor.sigstore.dev/api/v1/log/entries?logIndex=0&limit=1&search=

### 3. Source Code Verification (always available)

Confirm that the deployed commit exists and is public on GitHub:

```bash
# 1. Get the deployed commit
curl -fsSL https://gitgost.leapcell.app/health
# → {"deployedCommit": "", ...}

# 2. Verify the commit exists in the public repo
# Visit: https://github.com/livrasand/gitGost/commit/
```

If the commit exists on GitHub, the source the service claims to be running is fully public and auditable. This step alone does not show that the served binary was built from that commit; steps 1, 2 and 4 do that.

### 4. Local Binary Rebuild (deepest verification)

Reproduce the exact binary with the same environment used in CI (Linux amd64, CGO disabled):

```bash
# Requires Docker
git clone https://github.com/livrasand/gitGost
cd gitGost
git checkout 
docker run --rm \
  -v "$(pwd)":/src \
  -w /src \
  -e CGO_ENABLED=0 \
  -e GOOS=linux \
  -e GOARCH=amd64 \
  golang:alpine \
  go build -trimpath \
    -ldflags="-s -w -X 'github.com/livrasand/gitGost/internal/http.commitHash='" \
    -o gitgost-local ./cmd/server
curl -fsSL -o gitgost-server https://gitgost.leapcell.app/gitgost-bin
sha256sum gitgost-local gitgost-server
# Hashes must be identical
```

Substitute the deployed commit from `/health` in both the `git checkout` line and the `-X` flag. With an empty value `git checkout` is a silent no-op and you would build the default branch HEAD, so the hashes would differ for the wrong reason.

Notes on reproducibility:

- `-trimpath` and byte-identical ldflags are required; any difference in either changes the output.
- The Go toolchain version is embedded in the binary, so it must match the one CI used. `golang:alpine` is a floating tag and may have moved on; if the hashes differ, pin the image to the Go version the CI workflow uses.
- Building natively for your host (for example on macOS with `GOOS=darwin`) produces a different binary because of OS and architecture differences. The Docker invocation exists to fix the target OS and architecture.

## Known Limitation

Binary verification confirms that the binary on disk matches the source. It cannot cryptographically prove that the running process in Leapcell's environment has not been patched in memory. This is an inherent limit of any hosted service. If this threat model is unacceptable, self-host gitGost: it is fully open source.

## Complete Source Code

https://github.com/livrasand/gitGost

## Security

The `/health` endpoint exposes only public data: the commit hash and the repository URL. It does not expose environment variables, tokens, keys, or internal configuration.
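The two pieces that make steps 3 and 4 meaningful are the link-time stamping of the commit hash (`-X` on a package-level string) and the byte-for-byte comparison of the rebuilt and downloaded binaries. The Go program below is an added example written for this page, not gitGost's own code: it assumes a `main.commitHash` variable in place of the project's `internal/http.commitHash`, an assumed `/health` field set of `deployedCommit` and `repository`, and constructed stand-in bytes for the two binaries. It also shows the check a verifier should add that the page's commands skip: refusing to proceed when `deployedCommit` is empty or abbreviated.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// commitHash is meant to be filled in at link time, the same way the page's build
// command stamps github.com/livrasand/gitGost/internal/http.commitHash:
//
//	go build -ldflags="-X 'main.commitHash=<full sha>'" .
//
// -X only works on a package-level string variable, never a const. Without the
// flag it stays empty, which is exactly the "" the page's placeholder shows.
var commitHash string

// repoURL is public information. Nothing read from the environment is exposed.
const repoURL = "https://github.com/livrasand/gitGost"

// Health is the assumed response shape of /health (field set is an assumption).
type Health struct {
	DeployedCommit string `json:"deployedCommit"`
	Repository     string `json:"repository"`
}

// NewHealthHandler serves the stamped commit and the repository URL, nothing else.
func NewHealthHandler(commit string) http.HandlerFunc {
	return func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(Health{DeployedCommit: commit, Repository: repoURL})
	}
}

// ServeHealthOnce drives a handler in-process so the example runs offline.
func ServeHealthOnce(h http.Handler) []byte {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/health", nil))
	return rec.Body.Bytes()
}

// GitHub commit ids are SHA-1, i.e. exactly 40 lowercase hex digits.
var fullCommitID = regexp.MustCompile(`^[0-9a-f]{40}$`)

// DeployedCommit extracts deployedCommit from a /health body and rejects anything
// that is not a full commit id. This matters for step 4: `git checkout ""` is a
// silent no-op, so an empty or abbreviated value would make you rebuild the wrong
// tree and then fail the hash comparison for the wrong reason.
func DeployedCommit(body []byte) (string, error) {
	var h Health
	if err := json.Unmarshal(body, &h); err != nil {
		return "", fmt.Errorf("health: invalid JSON: %w", err)
	}
	if !fullCommitID.MatchString(h.DeployedCommit) {
		return "", fmt.Errorf("health: deployedCommit %q is not a full 40-hex commit id", h.DeployedCommit)
	}
	return h.DeployedCommit, nil
}

// BuildComparison is the result of step 4's `sha256sum gitgost-local gitgost-server`.
type BuildComparison struct {
	LocalSHA256      string
	DownloadedSHA256 string
	Match            bool
}

// CompareBuilds hashes both artifacts and reports whether they are byte-identical.
// Any difference (a different Go toolchain, a missing -trimpath, different ldflags)
// changes the digest, which is the whole point of the check.
func CompareBuilds(local, downloaded []byte) BuildComparison {
	return BuildComparison{
		LocalSHA256:      SHA256Hex(local),
		DownloadedSHA256: SHA256Hex(downloaded),
		Match:            bytes.Equal(local, downloaded),
	}
}

// SHA256Hex produces the same digest sha256sum prints.
func SHA256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func main() {
	// Unstamped run (built without -X): the handler answers, but verification refuses to proceed.
	body := ServeHealthOnce(NewHealthHandler(commitHash))
	fmt.Printf("/health -> %s", body)
	if _, err := DeployedCommit(body); err != nil {
		fmt.Println("refusing to verify:", err)
	}

	// Stamped run, simulated with a constructed commit id (not a real gitGost commit).
	const demoCommit = "0123456789abcdef0123456789abcdef01234567"
	commit, err := DeployedCommit(ServeHealthOnce(NewHealthHandler(demoCommit)))
	if err != nil {
		panic(err)
	}
	fmt.Println("deployed commit:", commit)

	// Constructed stand-ins for gitgost-local and gitgost-server.
	local := []byte("same bytes")
	cmp := CompareBuilds(local, local)
	fmt.Printf("identical build: match=%v sha256=%s\n", cmp.Match, cmp.LocalSHA256)
	cmp = CompareBuilds(local, []byte("same bytes, patched"))
	fmt.Printf("patched build:   match=%v\n", cmp.Match)
}
```

Run it as-is to see the unstamped path, or build it with `go build -ldflags="-X 'main.commitHash=<full sha>'"` to see the value appear in the `/health` body; the regular-expression check is deliberately strict so that a verifier script never silently checks out nothing.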