
Trusting Dependencies: On-Chain Integrity Check #110

Open
mario-eth opened this issue Jul 31, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@mario-eth (Owner)

Enhancing Dependency Integrity Verification

To ensure that the currently installed dependency is not malicious, we need an authoritative mechanism to verify that the dependency files are legitimate and have not been tampered with.

One solution is to implement a smart contract stored on-chain. This smart contract would serve as a consortium that publishes checksums after each version of a dependency is released.

For example, when OpenZeppelin publishes version 5.3.0, a checksum would be generated and submitted on-chain. This checksum would then serve as the source of truth in the integrity check process.

Challenges:

  1. Approval of Checksums: The teams responsible for maintaining the on-chain integrity must approve the checksums. Without their approval, we cannot ensure the checksums' authenticity.
  2. Collaboration: Soldeer aims to build and maintain this system but requires collaboration from all relevant teams to approve the checksums. Without their cooperation, the checksums provided by Soldeer cannot be fully trusted.

By addressing these challenges, we can create a robust system for verifying dependency integrity, ensuring that installed dependencies are secure and unaltered.

@mario-eth mario-eth added the enhancement New feature or request label Jul 31, 2024
@wagmiwiz

It would be great to find a way to check the integrity of dependencies.

Feels like the first step is simply having signed checksums for popular libs as most don't do this afaik (?). The issue then becomes how teams manage key security but there are well known procedures for that.
