
When we announced the Community Attestation Service, we had a vision. A vision that included two of our passions. The first, making sure software content could be trusted in a way that is immutable, tamper-proof and cryptographically verifiable. The second, our passion for open source and its developers. We wanted to ensure that any developer, anywhere, had in their toolbox a completely free and open source service that would allow them to easily integrate content trust and software supply chain security into their projects.
We're very proud to announce that Home Assistant has rolled out integration of CAS for both the Home Assistant core project and third party add-on developers. This is an important step in making sure that as you build your smart home and integrate add-ons and components, your Home Assistant instance is protected from running malicious code, making sure your smart home is a secure home. You can read all about it on the Home Assistant blog.
Why CAS?
CAS is a totally free and open source service that helps you secure and trust your software. It does this by allowing you to create a Software Bill of Materials for your containers and also notarize them, creating an origin record and attesting to their composition. This then allows you to trust, or un-trust, the individual components in the bill of materials. Developers can ensure that only components they approve make it into their build pipeline, and users can trust that every single piece of software they receive from the developer has not been tampered with. Naturally, if a problematic library (such as one with a security issue) or unwanted component makes it into the software, it can easily be un-trusted and prevented from being built by a developer or deployed by a user.
We also make sure this data can never be tampered with by storing it in immudb, our open source, immutable, tamper-proof database. The data in immudb can also be cryptographically verified *on the client side*, and by another or third party (coming soon), to ensure the integrity of the data. CAS also preserves your privacy: none of the code/binaries/containers are uploaded to CAS, only the unique signature is.
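To make the notarize, authenticate and un-trust flow described above concrete, here is an added Python model of it; this is not CAS's or immudb's own code, and the ledger, signer names and add-on bytes are constructed for illustration. It shows that only a digest is recorded, that a tampered artifact no longer authenticates, that a later un-trust supersedes an earlier notarization, and that any edit to the ledger is caught by a client-side chain check.

```python
import hashlib
import json

# Constructed model of the notarize / authenticate / untrust flow described
# above. Hypothetical names: this is not CAS's or immudb's own code.

def artifact_digest(content: bytes) -> str:
    """Only this digest ever leaves the client; the bytes themselves stay local."""
    return hashlib.sha256(content).hexdigest()

class TamperEvidentLedger:
    """Append-only log in which each entry commits to the one before it."""
    def __init__(self) -> None:
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        entry_hash = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "entry_hash": entry_hash})
        return entry_hash

    def verify_chain(self) -> bool:
        """Client-side check: recompute every link; editing any entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["record"], sort_keys=True)
            if e["prev"] != prev or e["entry_hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
                return False
            prev = e["entry_hash"]
        return True

def notarize(ledger, content: bytes, signer: str, status: str = "TRUSTED") -> str:
    """Record the signer's verdict on these exact bytes; returns the ledger entry hash."""
    return ledger.append({"digest": artifact_digest(content), "signer": signer, "status": status})

def untrust(ledger, content: bytes, signer: str) -> str:
    # A later UNTRUSTED record supersedes the earlier TRUSTED one for the same digest.
    return notarize(ledger, content, signer, status="UNTRUSTED")

def authenticate(ledger, content: bytes, signer: str) -> str:
    """Latest status `signer` recorded for exactly these bytes, else UNKNOWN."""
    if not ledger.verify_chain():
        raise ValueError("ledger integrity check failed")
    digest, status = artifact_digest(content), "UNKNOWN"
    for e in ledger.entries:
        if e["record"]["digest"] == digest and e["record"]["signer"] == signer:
            status = e["record"]["status"]
    return status
```

A real deployment would also sign each record with the signer's key so a verdict cannot be forged under someone else's name; the model above only demonstrates the digest, status and integrity-check mechanics.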
CAS is also lightweight and super easy to integrate into your project, either via scripts or GitHub Actions. You can find out more about CAS and immudb in the links above and by reading the docs, and you can also join us on our Discord server.