
arxiv: 2605.21089 · v1 · pith:QGRR3DAZnew · submitted 2026-05-20 · 💻 cs.CR

An Evidence-driven Protocol for Trustworthy CI Pipelines

Pith reviewed 2026-05-21 04:09 UTC · model grok-4.3

classification 💻 cs.CR
keywords: continuous integration · trusted execution environments · software supply chain · deterministic builds · cryptographic attestation · artifact verification · integrity guarantees

The pith

A protocol binds deterministic builds to trusted hardware attestations so consumers can verify CI artifacts with signatures instead of re-running builds.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes a method for continuous integration pipelines that combines deterministic build systems with trusted execution environments to generate cryptographically verifiable evidence for software artifacts. A sympathetic reader would care because current supply chains force every downstream user to repeat expensive builds and tests to confirm integrity and provenance, creating both a performance bottleneck and lingering trust gaps. If the protocol works, verification shrinks to lightweight signature and policy checks while still providing guarantees of integrity, authenticity, and attestation across distributed environments. The approach formalizes an evidence life cycle that records and binds each step so that implicit trust in the build infrastructure is replaced by explicit cryptographic proof.

Core claim

By binding deterministic builds with TEE-based attestations, the protocol creates a verifiable evidence life cycle that delivers cryptographic guarantees of integrity, authenticity, and attestation for CI artifacts. Consumers therefore obtain the same assurances that would come from re-executing the entire pipeline, yet incur only the cost of signature and policy validation. A practical implementation using a deterministic build system and a modern TEE demonstrates that the initial overhead of attestation is amortized across many verifiers.

What carries the argument

The evidence-driven protocol that formally binds each deterministic build step to a TEE attestation and maintains the resulting evidence life cycle.

If this is right

  • Verification of CI artifacts reduces from full re-execution to signature and policy checks.
  • Implicit trust assumptions in distributed build infrastructure are replaced by cryptographic evidence.
  • Initial attestation costs are paid once and then amortized across all downstream consumers.
  • Software supply chains gain scalable, verifiable provenance without requiring every party to rebuild.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same binding technique could apply to other deterministic build systems if the TEE interface remains stable.
  • Policy checks could be extended to include supply-chain rules such as allowed compiler versions or dependency hashes.
  • An independent audit of the evidence life cycle might reveal whether attestation logs themselves need additional protection.

Load-bearing premise

The chosen trusted execution environment and deterministic build system can be combined without creating new attack surfaces or attestation failures that would break the evidence chain.

What would settle it

A demonstration that a malicious actor can produce a tampered artifact that still passes the signature and policy checks because the TEE attestation or the binding step was subverted.

Figures

Figures reproduced from arXiv: 2605.21089 by Eduardo Brito, Fernando Castillo, Pille Pullonen-Raudvere, Sebastian Werner, Stefan Tai.

Figure 1: Diagram of Trust Mechanisms in a CI Pipeline. M1 - Secure Workflow and Orchestration Engines: Modern software development and deployment pipelines rely on complex workflows composed of interdependent tasks that execute in a predefined sequence. Workflow engines programmatically control these processes using a directed acyclic graph (DAG) structure, where nodes represent tasks and edges define dependencies. …

Figure 2: Evidence-driven Trustworthy CI Pipeline Implementation. 6.1 Workflow Orchestration: The pipeline is built around GitLab, which serves as the central VCS. The pipeline execution is triggered by events like commit pushes or merge requests. Every commit is authenticated through developer-signed commits, ensuring that only trusted identities can introduce changes. Argo Workflows is employed for orchestrating th…

Figure 3: Argo Workflow example pipeline, as YAML file on the left, comprising one TEE-based task, labeled via the runtimeClassName attribute as running inside an Intel TDX VM, and its execution and visualization on the right. build instructions in a declarative format, ensuring that every build is reproducible, enabling any stakeholder to independently verify the results. The Nix script running inside the TEE VM au…

Figure 4: Scaling of CI execution, CPU, and memory usage over time, for a growth rate of 10 consumers per month and a new release every month. The nature and size of the code base remained approximately constant. The execution times have their scale on the left axis, while CPU and memory usage have their scale on the right axis. To validate threat mitigation, we simulated S1 by attempting to modify a build script af…
Original abstract

Enterprise software supply chains are increasingly vulnerable to infrastructure attacks, resulting in financial and reputational damage. Ensuring the integrity and provenance of software artifacts remains a significant challenge, where re-execution of the build and tests by every consumer to guarantee provenance produces a verification bottleneck and credibility reduction. This paper presents an evidence-driven protocol for trustworthy Continuous Integration (CI) pipelines that combines Deterministic Build Systems (DBS) with Trusted Execution Environments (TEEs). The approach provides cryptographically verifiable guarantees of integrity, authenticity, and attestation for CI artifacts in distributed environments, reducing implicit trust without requiring costly re-execution by consumers. We introduce a protocol that binds deterministic builds with TEE-based attestations, formalizing the evidence life cycle, together with a practical implementation using Nix and Intel TDX. Experimental results show that artifact verification is reduced from redundant computation to lightweight signature and policy checks. These findings demonstrate that evidence-driven CI pipelines establish scalable and verifiable trust in digital infrastructure, effectively amortizing the initial computational overhead introduced by TEEs.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes an evidence-driven protocol for trustworthy CI pipelines that integrates deterministic build systems (DBS) such as Nix with trusted execution environments (TEEs) such as Intel TDX. It formalizes an evidence life cycle that binds deterministic build artifacts to TEE attestations, providing cryptographically verifiable guarantees of integrity, authenticity, and provenance. The central claim is that this reduces consumer-side verification from full re-execution to lightweight signature and policy checks, with a practical implementation and experiments demonstrating the approach in distributed environments.

Significance. If the binding between Nix build hashes and TEE measurements can be shown to be complete, the work would meaningfully advance software supply-chain security by amortizing TEE overhead and eliminating redundant verification. The combination of DBS determinism with hardware attestation addresses a practical pain point in CI trust, and the experimental reduction to signature checks (if robust) would support scalable adoption.

major comments (2)
  1. §4.2 (Evidence Binding): The formalization of the evidence life cycle does not demonstrate that every Nix store path, external fetch, and runtime configuration is measured inside the TEE quote. Without this, an unmeasured component could be altered while the attestation still verifies, directly undermining the claim that verification reduces to signature checks.
  2. §6 (Experimental Evaluation): The reported performance results compare verification times but do not include adversarial test cases exercising side-channel leakage or incomplete measurement of build inputs; this leaves the central guarantee of 'cryptographically verifiable integrity' without direct empirical support.
minor comments (2)
  1. §3: The notation for the evidence tuple in §3 could be clarified with an explicit mapping to the TEE quote fields used in the Intel TDX implementation.
  2. Figure 3 (attestation flow) would benefit from labeling the exact points at which Nix derivations are hashed and bound to the quote.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive comments on our manuscript. These observations help clarify the requirements for demonstrating complete evidence binding and strengthening the empirical support for our claims. We address each point below and outline the revisions we will make.

Point-by-point responses
  1. Referee: §4.2 (Evidence Binding): The formalization of the evidence life cycle does not demonstrate that every Nix store path, external fetch, and runtime configuration is measured inside the TEE quote. Without this, an unmeasured component could be altered while the attestation still verifies, directly undermining the claim that verification reduces to signature checks.

    Authors: We agree that explicit demonstration of completeness is necessary. In the current formalization of Section 4.2, the TEE quote is defined to capture the root hash of the Nix store closure for a given derivation, which by construction of deterministic builds includes all store paths, external fetches (via fixed-output derivations), and runtime configurations. To remove any ambiguity, we will revise §4.2 to add an explicit mapping and a short inductive argument showing that every input component is incorporated into the attested measurement. This will directly support the reduction of consumer verification to signature and policy checks. [revision: yes]

  2. Referee: §6 (Experimental Evaluation): The reported performance results compare verification times but do not include adversarial test cases exercising side-channel leakage or incomplete measurement of build inputs; this leaves the central guarantee of 'cryptographically verifiable integrity' without direct empirical support.

    Authors: Section 6 evaluates the performance advantage of the protocol by measuring the reduction from full re-execution to signature verification. The cryptographic integrity guarantee is derived from the TEE attestation and the evidence-binding protocol formalized earlier rather than from runtime adversarial experiments. We acknowledge that targeted adversarial cases would provide additional reassurance. In the revision we will add a dedicated subsection discussing the threat model for incomplete measurements and side-channel leakage, explaining why Nix hermeticity combined with TEE quote freshness mitigates these vectors, and include a limited simulation of an incomplete-build scenario using our existing test harness. [revision: partial]
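To make the binding described in the rebuttal and the referee's completeness objection (major comment 1) concrete, here is an added, constructed Python model; it is not the paper's code, HMAC stands in for the TEE's asymmetric quote signature, and the store paths, measurement value and nonce are invented. The consumer checks signature, freshness, TEE measurement and closure root against policy instead of rebuilding, and the last two scenarios show an unmeasured runtime configuration passing verification until it is folded into the measured closure.

```python
import hashlib
import hmac
import json

# Stand-in for the TEE's quote-signing key (constructed). A real quote carries an
# asymmetric attestation signature; HMAC is used here only so the demo runs offline.
ATTEST_KEY = b"constructed-attestation-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def closure_root(inputs: dict) -> str:
    """Root hash over a build closure: sorted (store path, content hash) pairs.
    Stand-in for the Nix store-closure hash the rebuttal refers to."""
    leaves = sorted((path, sha256(content)) for path, content in inputs.items())
    return sha256("\n".join(f"{p} {h}" for p, h in leaves).encode())


def deterministic_build(inputs: dict, runtime_config: bytes) -> bytes:
    """Pure function of its inputs: identical inputs and config give an identical artifact."""
    material = b"".join(inputs[p] for p in sorted(inputs)) + runtime_config
    return b"ARTIFACT:" + sha256(material).encode()


def make_evidence(measured: dict, artifact: bytes, mrtd: str, nonce: str,
                  key: bytes = ATTEST_KEY) -> dict:
    """Evidence produced inside the TEE: one signature binds the artifact hash,
    the closure root, the TEE measurement (mrtd) and the verifier's nonce."""
    report = {"artifact": sha256(artifact), "closure": closure_root(measured),
              "mrtd": mrtd, "nonce": nonce}
    body = json.dumps(report, sort_keys=True).encode()
    return {"report": report, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(evidence: dict, artifact: bytes, policy: dict, nonce: str) -> str:
    """Consumer-side check: signature and policy only, no rebuild.
    Returns 'ok' or the name of the first failing check."""
    body = json.dumps(evidence["report"], sort_keys=True).encode()
    expected = hmac.new(ATTEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, evidence["sig"]):
        return "bad signature"
    r = evidence["report"]
    if r["nonce"] != nonce:
        return "stale evidence"
    if r["mrtd"] not in policy["allowed_mrtd"]:
        return "unapproved TEE measurement"
    if r["closure"] not in policy["allowed_closures"]:
        return "unapproved build inputs"
    if r["artifact"] != sha256(artifact):
        return "artifact mismatch"
    return "ok"


# Constructed sample closure, config, measurement and nonce (all invented values).
INPUTS = {"/nix/store/aaa-src": b"int main(void){return 0;}",
          "/nix/store/bbb-gcc": b"compiler-bits"}
CONFIG = b"CFLAGS=-O2"
MRTD = "mrtd-constructed-approved"
NONCE = "nonce-0001"


def run_scenarios() -> dict:
    """Honest run, tampered artifact, forged signature, replay, and the referee's
    unmeasured-input case before and after the config joins the measurement."""
    policy = {"allowed_mrtd": {MRTD}, "allowed_closures": {closure_root(INPUTS)}}
    artifact = deterministic_build(INPUTS, CONFIG)
    ev = make_evidence(INPUTS, artifact, MRTD, NONCE)
    out = {"honest": verify(ev, artifact, policy, NONCE)}
    out["tampered_artifact"] = verify(ev, artifact + b"x", policy, NONCE)
    forged = make_evidence(INPUTS, artifact + b"x", MRTD, NONCE, key=b"other-key")
    out["forged_signature"] = verify(forged, artifact + b"x", policy, NONCE)
    out["replayed"] = verify(ev, artifact, policy, "nonce-0002")
    # Gap: CONFIG shapes the artifact but sits outside the measured closure, so an
    # altered config yields a different artifact whose evidence still verifies.
    altered_cfg = b"CFLAGS=-O0 -DALTERED"
    altered = deterministic_build(INPUTS, altered_cfg)
    ev_gap = make_evidence(INPUTS, altered, MRTD, NONCE)
    out["unmeasured_config"] = verify(ev_gap, altered, policy, NONCE)
    # Fix: fold the config into the measured closure; its root no longer matches policy.
    measured = {**INPUTS, "/nix/store/ccc-config": altered_cfg}
    ev_fixed = make_evidence(measured, altered, MRTD, NONCE)
    out["measured_config"] = verify(ev_fixed, altered, policy, NONCE)
    return out
```

Calling run_scenarios() returns one verdict per scenario; the "unmeasured_config" case coming back "ok" is exactly the gap the referee flags, and "measured_config" failing on the closure check is the remedy the authors describe.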

Circularity Check

0 steps flagged

No circularity: protocol is an original binding construction

Full rationale

The paper introduces a protocol that binds deterministic builds (Nix) with TEE attestations (Intel TDX), formalizes an evidence life cycle, and demonstrates reduced verification cost via signature/policy checks. No equations, fitted parameters, predictions derived from subsets of data, or self-citation chains appear in the provided abstract or described structure. The central claim is presented as a new construction rather than a derivation that reduces by definition or construction to its own inputs or prior fitted values. The approach remains self-contained against external benchmarks of TEE and deterministic build properties.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entity

The central claim rests on domain assumptions about deterministic reproducibility and TEE attestation reliability; the protocol itself is the main invented construct with no independent evidence supplied in the abstract.

axioms (2)
  • Domain assumption: Deterministic build systems always produce identical outputs from identical inputs.
    Invoked as the foundation for verifiable provenance.
  • Domain assumption: Trusted execution environments provide reliable cryptographic attestation of executed code.
    Assumed from hardware properties of Intel TDX.
invented entities (1)
  • Evidence-driven CI protocol (no independent evidence)
    Purpose: Binds DBS and TEE to create a verifiable artifact evidence life cycle.
    New protocol introduced by the paper.

pith-pipeline@v0.9.0 · 5711 in / 1294 out tokens · 32097 ms · 2026-05-21T04:09:20.603788+00:00 · methodology

