- | A private key owned by the artifact maintainer is used in combination with a [hash](https://en.wikipedia.org/wiki/Cryptographic_hash_function) of the artifact to compute a [signature](https://en.wikipedia.org/wiki/Digital_signature). The signature is then provided alongside the artifact so that clients can verify the artifact signature before installing or using the artifact. For example, for our ISOs, each signature is shipped in a corresponding `-CHECKSUM` file. Once the client has all of the required information, it can use the maintainer's public key to verify the signature, revealing a hash that it then compares against a locally-generated hash of the artifact. This means that in the event that an artifact registry was compromised or artifacts otherwise tampered with by malicious third parties, any corresponding signature file would either not be present or fail validation. | All secureblue [OCI](https://opencontainers.org/) images, all secureblue ISOs and torrents, all secureblue RPM packages, all Fedora RPM packages, all Flatpaks from Flathub ([centrally signed](https://flathub.org/repo/flathub.gpg)), Blue-Build build tools |
+| Egress auditing|[StepSecurity Harden-Runner](https://docs.stepsecurity.io/harden-runner)|
- Maintainer secrets exfiltration
- Source code tampering
- Dependency tampering
- Registry credential theft
- Maintainer source code repository credential theft
- Rogue maintainers
- Maintainer signing key theft
- Rogue maintainers
- Artifact tampering
- Artifact forgery
- Registry credential theft
- Maintainer secrets exfiltration
- Source code tampering
- Dependency tampering
- Registry credential theft
- Maintainer source code repository credential theft
- Rogue maintainers
- |StepSecurity Harden-Runner provides network traffic controls and source code integrity monitoring, among other mechanisms. It restricts outbound traffic to a configurable list of authorized outbound domains, and enforces this at multiple levels (DNS, HTTPS, network layer, transport layer). It has several other functions as well, like monitoring the source code as the build progresses to ensure tampering doesn't occur, monitoring for anomalous privileged processes, etc.|All secureblue OCI image builds, Trivalent RPM builds|
+| Branch protection | [GitHub Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) |
+
From 0b7c26f308c882e3a10c4d15de8915b8afc21dc4 Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Sun, 15 Feb 2026 17:37:34 -0800
Subject: [PATCH 02/51] fix
---
content/articles/ARTICLES.md | 1 +
content/articles/BUILD_ARCHITECTURE.md | 11 +++++------
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/content/articles/ARTICLES.md b/content/articles/ARTICLES.md
index 233d41d..342b8ad 100644
--- a/content/articles/ARTICLES.md
+++ b/content/articles/ARTICLES.md
@@ -13,3 +13,4 @@ Other articles on assorted topics related to secureblue:
- [User Namespaces](/articles/userns) - Brief overview of unprivileged User Namespaces, the security risk they enabled and how secureblue handles that risk.
- [Kernel Arguments](/articles/kargs) - List and brief explanation of the hardening kargs that the `ujust set-kargs-hardening` command can set.
- [Flatpak](/articles/flatpak) - Flatpak: the good, the bad, the ugly.
+- [Build Architecture](/articles/build-architecutre) - Build architecture for secureblue
diff --git a/content/articles/BUILD_ARCHITECTURE.md b/content/articles/BUILD_ARCHITECTURE.md
index 0be25f2..cfb5efe 100644
--- a/content/articles/BUILD_ARCHITECTURE.md
+++ b/content/articles/BUILD_ARCHITECTURE.md
@@ -8,15 +8,14 @@ permalink: /articles/build-architecture
Supply chain security is a priority for secureblue. During the the build process, we use complementary security mechanisms to protect against a variety of supply chain attack vectors. The documentation below covers each of these mechanisms, the protections they provide, and where secureblue uses these mechanisms.
-## Definitions
+## Security mechanisms
| Security mechanism | Implementation tooling | Threat vectors | Mitigation logic | Scope |
|------------|---------------------------------------|-------------------------|--------------|---------------------------------|
-| Provenance | [SLSA](https://slsa.dev) | - | A private key owned by the artifact maintainer is used in combination with a [hash](https://en.wikipedia.org/wiki/Cryptographic_hash_function) of the artifact to compute a [signature](https://en.wikipedia.org/wiki/Digital_signature). The signature is then provided alongside the artifact so that clients can verify the artifact signature before installing or using the artifact. For example, for our ISOs, each signature is shipped in a corresponding `-CHECKSUM` file. Once the client has all of the required information, it can use the maintainer's public key to verify the signature, revealing a hash that it then compares against a locally-generated hash of the artifact. This means that in the event that an artifact registry was compromised or artifacts otherwise tampered with by malicious third parties, any corresponding signature file would either not be present or fail validation. | All secureblue [OCI](https://opencontainers.org/) images, all secureblue ISOs and torrents, all secureblue RPM packages, all Fedora RPM packages, all Flatpaks from Flathub ([centrally signed](https://flathub.org/repo/flathub.gpg)), Blue-Build build tools |
-| Egress auditing|[StepSecurity Harden-Runner](https://docs.stepsecurity.io/harden-runner)|
- |StepSecurity Harden-Runner provides network traffic controls and source code integrity monitoring, among other mechanisms. It restricts outbound traffic to a configurable list of authorized outbound domains, and enforces this at multiple levels (DNS, HTTPS, network layer, transport layer). It has several other functions as well, like monitoring the source code as the build progresses to ensure tampering doesn't occur, monitoring for anomalous privileged processes, etc.|All secureblue OCI image builds, Trivalent RPM builds|
-| Branch protection | [GitHub Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) |
zincati.service before rebasing to securecore.' %}
| Name | Base | NVIDIA Support | ZFS Support | ARM64 Support |
@@ -92,6 +98,7 @@ Note that there are no ISOs available for experimental images. If you want to tr
| `securecore-zfs-nvidia-open-hardened` | CoreOS | Yes, open drivers | Yes | No |
### [IoT](#iot)
+{: #iot}
| Name | Base | NVIDIA Support | ZFS Support | ARM64 Support |
|------------------------------------|-----------|-------------------------|-------------|------------------------|
diff --git a/content/INDEX.md b/content/INDEX.md
index 05dccb8..385b25d 100644
--- a/content/INDEX.md
+++ b/content/INDEX.md
@@ -5,13 +5,16 @@ permalink: /
---
## [About](#about)
+{: #about}
secureblue is a security-focused desktop and server Linux operating system, developed as an open-source project. It is shipped as a set of [OCI](https://en.wikipedia.org/wiki/Open_Container_Initiative) bootable container images, which are generated with [BlueBuild](https://blue-build.org/), using [Fedora Atomic Desktop](https://fedoraproject.org/atomic-desktops/)'s [base images](https://pagure.io/workstation-ostree-config) as a starting point. Fedora is one of the few Linux distributions that ships with SELinux and associated tooling built-in and enabled by default. This makes it advantageous as a starting point for building a secure desktop system. However, the security architecture of desktop Linux is broadly and significantly lacking. The goal of secureblue is to build a maximally secure Linux operating system by proactively increasing defenses against the exploitation of both known and unknown vulnerabilities, while avoiding sacrificing usability for most use cases where possible. For more details, see the [features list](/features).
## [Who is secureblue for?](#who-is-secureblue-for)
+{: #who-is-secureblue-for}
secureblue is for those whose first priority is using Linux, and second priority is security. secureblue does not claim to be the most secure option available on the desktop. We are limited in that regard by the current state of desktop Linux standardization, tooling, and upstream security development. What we aim for instead is to be the most secure option for those who already intend to use Linux. As such, if security is your first priority, secureblue may not be the best option for you.
## [Support and community](#support-and-community)
+{: #support-and-community}
Both [GitHub issues](https://github.com/secureblue/secureblue/issues) and [Discord](https://discord.gg/qMTv5cKfbF) are available for support from the secureblue community.
diff --git a/content/articles/BUILD_ARCHITECTURE.md b/content/articles/BUILD_ARCHITECTURE.md
index cfb5efe..eb68001 100644
--- a/content/articles/BUILD_ARCHITECTURE.md
+++ b/content/articles/BUILD_ARCHITECTURE.md
@@ -4,11 +4,22 @@ description: "Build architecture for secureblue"
permalink: /articles/build-architecture
---
-# Build Architecture
+# Build architecture
+
+## [Table of Contents](#table-of-contents)
+{: #table-of-contents}
+
+- [Introduction](#introduction)
+- [Security mechanisms](#security-mechanisms)
+- [Build Process](#build-process)
+
+## [Introduction](#introduction)
+{: #introduction}
Supply chain security is a priority for secureblue. During the the build process, we use complementary security mechanisms to protect against a variety of supply chain attack vectors. The documentation below covers each of these mechanisms, the protections they provide, and where secureblue uses these mechanisms.
-## Security mechanisms
+## [Security mechanisms](#security-mechanisms)
+{: #security-mechanisms}
| Security mechanism | Implementation tooling | Threat vectors | Mitigation logic | Scope |
|------------|---------------------------------------|-------------------------|--------------|---------------------------------|
@@ -17,7 +28,8 @@ Supply chain security is a priority for secureblue. During the the build process
| Egress auditing|[StepSecurity Harden-Runner](https://docs.stepsecurity.io/harden-runner)|Maintainer secrets exfiltration, Source code tampering, Dependency tampering, Registry credential theft |StepSecurity Harden-Runner provides network traffic controls and source code integrity monitoring, among other mechanisms. It restricts outbound traffic to a configurable list of authorized outbound domains, and enforces this at multiple levels (DNS, HTTPS, network layer, transport layer). It has several other functions as well, like monitoring the source code as the build progresses to ensure tampering doesn't occur, monitoring for anomalous privileged processes, etc.|All secureblue OCI image builds, Trivalent RPM builds|
| Branch protection | [GitHub Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) | Maintainer source code repository credential theft, Rogue maintainers | Branch protection via rulesets prevents any changes being made to secureblue source code without those changes first meeting specific criteria. Among those criteria is a minimum number of code reviews from maintainers, excluding of course the author of the pull request should they be a maintainer. This means that in the event that a maintainer's source code repository credentials were stolen, the thief would be unable to push changes to the repository. This includes the repo owner credentials, since bypassing rulesets is only possible after 2FA has been granted. |All secureblue source code repositories|
-## Build Process
+## [Build Process](#build-process)
+{: #build-process}
diff --git a/content/articles/KARGS.md b/content/articles/KARGS.md
index 773cd1b..ee364b1 100644
--- a/content/articles/KARGS.md
+++ b/content/articles/KARGS.md
@@ -4,8 +4,10 @@ description: "An overview of the hardened boot kargs used in secureblue"
permalink: /articles/kargs
---
-# Table of contents
+# User namespaces
+
+## [Table of Contents](#table-of-contents)
{: #table-of-contents}
- [Introduction](#introduction)
@@ -15,7 +17,8 @@ permalink: /articles/kargs
- [Force disable simultaneous multithreading](#smt)
- [Unstable kargs](#unstable)
-# Introduction
+## [Introduction](#introduction)
+{: #introduction}
On secureblue and other systems that use `rpm-ostree`, kernel arguments (kargs)
can be managed using `rpm-ostree kargs`. Run `rpm-ostree kargs --help` for usage
@@ -29,7 +32,8 @@ To remove all kernel arguments that secureblue adds, you can run
For details on what each kernel argument does, see
[the kernel documentation](https://www.kernel.org/doc/html/v6.17/admin-guide/kernel-parameters.html).
-# Standard
+## [Standard](#standard)
+{: #standard}
Stable kernel arguments that are set by default on a fresh secureblue
installation, and are always applied by the script `ujust set-kargs-hardening`.
@@ -87,30 +91,28 @@ installation, and are always applied by the script `ujust set-kargs-hardening`.
- `vsyscall=none`: Disable vsyscall as it is both obsolete and enables an ROP
attack vector.
-# Additional
+## [Additional](#additional)
+{: #additional}
Sets of additional kargs that can be selectively set alongside the standard
kargs detailed above. The `set-kargs-hardening` command prompts the user on
whether to add apply of the 3 sets of kargs detailed below:
-## Disable 32-bit processes and syscalls
-
+### Disable 32-bit processes and syscalls
{: #32bit}
{% include alert.html type='note' content='32-bit support is needed by some legacy software, such as Steam.' %}
- `ia32_emulation=0`: Disables 32-bit processes and syscalls.
-## Force disable simultaneous multithreading
-
+### Force disable simultaneous multithreading
{: #smt}
- `nosmt=force`: Disables this hardware feature on user request, regardless of
whether it is affected by known vulnerabilities. Note that this
[halves the number of CPU cores](/faq#smt).
-## Unstable kargs
-
+### Unstable kargs
{: #unstable}
{% include alert.html type='caution' content='These may cause issues on some hardware.' %}
From 82c3aca13bb0a77ff5976cec6f8473ceb39b3d5a Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Sun, 15 Feb 2026 17:49:11 -0800
Subject: [PATCH 06/51] typo
---
content/articles/ARTICLES.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/articles/ARTICLES.md b/content/articles/ARTICLES.md
index 342b8ad..9d17583 100644
--- a/content/articles/ARTICLES.md
+++ b/content/articles/ARTICLES.md
@@ -13,4 +13,4 @@ Other articles on assorted topics related to secureblue:
- [User Namespaces](/articles/userns) - Brief overview of unprivileged User Namespaces, the security risk they enabled and how secureblue handles that risk.
- [Kernel Arguments](/articles/kargs) - List and brief explanation of the hardening kargs that the `ujust set-kargs-hardening` command can set.
- [Flatpak](/articles/flatpak) - Flatpak: the good, the bad, the ugly.
-- [Build Architecture](/articles/build-architecutre) - Build architecture for secureblue
+- [Build Architecture](/articles/build-architecture) - Build architecture for secureblue
From 3b419c03964af1894b65c647db35590069520c8b Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Sun, 15 Feb 2026 17:55:05 -0800
Subject: [PATCH 07/51] formatting fixes
---
_headers | 2 +-
content/articles/BUILD_ARCHITECTURE.md | 46 +++++++++++++++++++++-----
2 files changed, 38 insertions(+), 10 deletions(-)
diff --git a/_headers b/_headers
index a0589cb..1f8e13d 100644
--- a/_headers
+++ b/_headers
@@ -10,4 +10,4 @@
/articles/build-architecture
! Content-Security-Policy
- Content-Security-Policy: default-src 'none'; style-src 'self'; style-src-attr 'none'; font-src 'self'; img-src 'self' https://release-assets.githubusercontent.com; manifest-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'; sandbox; upgrade-insecure-requests;
+ Content-Security-Policy: default-src 'none'; style-src 'self'; style-src-attr 'none'; font-src 'self'; img-src 'self' https://github.com https://release-assets.githubusercontent.com; manifest-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'; sandbox; upgrade-insecure-requests;
diff --git a/content/articles/BUILD_ARCHITECTURE.md b/content/articles/BUILD_ARCHITECTURE.md
index eb68001..f350321 100644
--- a/content/articles/BUILD_ARCHITECTURE.md
+++ b/content/articles/BUILD_ARCHITECTURE.md
@@ -10,25 +10,53 @@ permalink: /articles/build-architecture
{: #table-of-contents}
- [Introduction](#introduction)
-- [Security mechanisms](#security-mechanisms)
-- [Build Process](#build-process)
+- [Definitions](#definitions)
+- [Mitigation logic](#mitigation-logic)
+ - [Provenance](#provenance)
+ - [Signatures](#signatures)
+ - [Egress auditing](#egress-auditing)
+ - [Branch protection](#branch-protection)
+- [Build rocess](#build-process)
## [Introduction](#introduction)
{: #introduction}
Supply chain security is a priority for secureblue. During the the build process, we use complementary security mechanisms to protect against a variety of supply chain attack vectors. The documentation below covers each of these mechanisms, the protections they provide, and where secureblue uses these mechanisms.
-## [Security mechanisms](#security-mechanisms)
-{: #security-mechanisms}
+## [Definitions](#definitions)
+{: #definitions}
| Security mechanism | Implementation tooling | Threat vectors | Mitigation logic | Scope |
|------------|---------------------------------------|-------------------------|--------------|---------------------------------|
-| Provenance | [SLSA](https://slsa.dev) | Maintainer signing key theft, Rogue maintainers | To generate provenance, the build platform (in our case, GitHub Actions) generates and signs an attestation file containing metadata about the build environment. Crucially, it cryptographically attests to the authenticity of runner and the source commit on which the artifact is being built. This attestation is then published in the repository or registry alongside the artifact. On the client side, when the artifact is pulled, the signature of the attestation is validated against the build platform's public key and the contents of the attestation are validated to confirm that the artifact was built: on an authorized runner from a commit in a specific branch in the source repository protected by branch policies, pull request review, and maintainer login 2FA. This means that even in the event that a maintainer's artifact signing keys and artifact repository credentials were both stolen, any malicious builds pushed by the credential thief would be rejected by clients due to provenance validation. | All secureblue [OCI](https://opencontainers.org/) images, Trivalent RPM packages, Blue-Build build tools |
-| Signatures | [cosign](https://github.com/sigstore/cosign), [GPG](https://gnupg.org/) | Artifact tampering, Artifact forgery, Registry credential theft | A private key owned by the artifact maintainer is used in combination with a [hash](https://en.wikipedia.org/wiki/Cryptographic_hash_function) of the artifact to compute a [signature](https://en.wikipedia.org/wiki/Digital_signature). The signature is then provided alongside the artifact so that clients can verify the artifact signature before installing or using the artifact. For example, for our ISOs, each signature is shipped in a corresponding `-CHECKSUM` file. Once the client has all of the required information, it can use the maintainer's public key to verify the signature, revealing a hash that it then compares against a locally-generated hash of the artifact. This means that in the event that an artifact registry was compromised or artifacts otherwise tampered with by malicious third parties, any corresponding signature file would either not be present or fail validation. | All secureblue [OCI](https://opencontainers.org/) images, all secureblue ISOs and torrents, all secureblue RPM packages, all Fedora RPM packages, all Flatpaks from Flathub ([centrally signed](https://flathub.org/repo/flathub.gpg)), Blue-Build build tools |
-| Egress auditing|[StepSecurity Harden-Runner](https://docs.stepsecurity.io/harden-runner)|Maintainer secrets exfiltration, Source code tampering, Dependency tampering, Registry credential theft |StepSecurity Harden-Runner provides network traffic controls and source code integrity monitoring, among other mechanisms. It restricts outbound traffic to a configurable list of authorized outbound domains, and enforces this at multiple levels (DNS, HTTPS, network layer, transport layer). It has several other functions as well, like monitoring the source code as the build progresses to ensure tampering doesn't occur, monitoring for anomalous privileged processes, etc.|All secureblue OCI image builds, Trivalent RPM builds|
-| Branch protection | [GitHub Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) | Maintainer source code repository credential theft, Rogue maintainers | Branch protection via rulesets prevents any changes being made to secureblue source code without those changes first meeting specific criteria. Among those criteria is a minimum number of code reviews from maintainers, excluding of course the author of the pull request should they be a maintainer. This means that in the event that a maintainer's source code repository credentials were stolen, the thief would be unable to push changes to the repository. This includes the repo owner credentials, since bypassing rulesets is only possible after 2FA has been granted. |All secureblue source code repositories|
+| Provenance | [SLSA](https://slsa.dev) | Maintainer signing key theft, Rogue maintainers | All secureblue [OCI](https://opencontainers.org/) images, Trivalent RPM packages, Blue-Build build tools |
+| Signatures | [cosign](https://github.com/sigstore/cosign), [GPG](https://gnupg.org/) | Artifact tampering, Artifact forgery, Registry credential theft | All secureblue [OCI](https://opencontainers.org/) images, all secureblue ISOs and torrents, all secureblue RPM packages, all Fedora RPM packages, all Flatpaks from Flathub ([centrally signed](https://flathub.org/repo/flathub.gpg)), Blue-Build build tools |
+| Egress auditing | [StepSecurity Harden-Runner](https://docs.stepsecurity.io/harden-runner) | Maintainer secrets exfiltration, Source code tampering, Dependency tampering, Registry credential theft | All secureblue OCI image builds, Trivalent RPM builds |
+| Branch protection | [GitHub Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) | Maintainer source code repository credential theft, Rogue maintainers | All secureblue source code repositories |
-## [Build Process](#build-process)
+## [Mitigation logic](#mitigation-logic)
+{: #mitigation-logic}
+
+## [Provenance](#provenance)
+{: #provenance}
+
+To generate provenance, the build platform (in our case, GitHub Actions) generates and signs an attestation file containing metadata about the build environment. Crucially, it cryptographically attests to the authenticity of runner and the source commit on which the artifact is being built. This attestation is then published in the repository or registry alongside the artifact. On the client side, when the artifact is pulled, the signature of the attestation is validated against the build platform's public key and the contents of the attestation are validated to confirm that the artifact was built: on an authorized runner from a commit in a specific branch in the source repository protected by branch policies, pull request review, and maintainer login 2FA. This means that even in the event that a maintainer's artifact signing keys and artifact repository credentials were both stolen, any malicious builds pushed by the credential thief would be rejected by clients due to provenance validation.
+
+## [Signatures](#signatures)
+{: #signatures}
+
+A private key owned by the artifact maintainer is used in combination with a [hash](https://en.wikipedia.org/wiki/Cryptographic_hash_function) of the artifact to compute a [signature](https://en.wikipedia.org/wiki/Digital_signature). The signature is then provided alongside the artifact so that clients can verify the artifact signature before installing or using the artifact. For example, for our ISOs, each signature is shipped in a corresponding `-CHECKSUM` file. Once the client has all of the required information, it can use the maintainer's public key to verify the signature, revealing a hash that it then compares against a locally-generated hash of the artifact. This means that in the event that an artifact registry was compromised or artifacts otherwise tampered with by malicious third parties, any corresponding signature file would either not be present or fail validation.
+
+## [Egress auditing](#egress-auditing)
+{: #egress-auditing}
+
+StepSecurity Harden-Runner provides network traffic controls and source code integrity monitoring, among other mechanisms. It restricts outbound traffic to a configurable list of authorized outbound domains, and enforces this at multiple levels (DNS, HTTPS, network layer, transport layer). It has several other functions as well, like monitoring the source code as the build progresses to ensure tampering doesn't occur, monitoring for anomalous privileged processes, etc.
+
+## [Branch protection](#branch-protection)
+{: #branch-protection}
+
+Branch protection via rulesets prevents any changes being made to secureblue source code without those changes first meeting specific criteria. Among those criteria is a minimum number of code reviews from maintainers, excluding of course the author of the pull request should they be a maintainer. This means that in the event that a maintainer's source code repository credentials were stolen, the thief would be unable to push changes to the repository. This includes the repo owner credentials, since bypassing rulesets is only possible after 2FA has been granted.
+
+## [Build process](#build-process)
{: #build-process}
From cb6a3b74a3cfa660775b058611811fc743e27d3a Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Sun, 15 Feb 2026 17:55:28 -0800
Subject: [PATCH 08/51] fix columns
---
content/articles/BUILD_ARCHITECTURE.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/articles/BUILD_ARCHITECTURE.md b/content/articles/BUILD_ARCHITECTURE.md
index f350321..1c0e72c 100644
--- a/content/articles/BUILD_ARCHITECTURE.md
+++ b/content/articles/BUILD_ARCHITECTURE.md
@@ -26,7 +26,7 @@ Supply chain security is a priority for secureblue. During the the build process
## [Definitions](#definitions)
{: #definitions}
-| Security mechanism | Implementation tooling | Threat vectors | Mitigation logic | Scope |
+| Security mechanism | Implementation tooling | Threat vectors | Scope |
|------------|---------------------------------------|-------------------------|--------------|---------------------------------|
| Provenance | [SLSA](https://slsa.dev) | Maintainer signing key theft, Rogue maintainers | All secureblue [OCI](https://opencontainers.org/) images, Trivalent RPM packages, Blue-Build build tools |
| Signatures | [cosign](https://github.com/sigstore/cosign), [GPG](https://gnupg.org/) | Artifact tampering, Artifact forgery, Registry credential theft | All secureblue [OCI](https://opencontainers.org/) images, all secureblue ISOs and torrents, all secureblue RPM packages, all Fedora RPM packages, all Flatpaks from Flathub ([centrally signed](https://flathub.org/repo/flathub.gpg)), Blue-Build build tools |
From e2b5cc42618bc1969188380cdf9e872a776d15dd Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Sun, 15 Feb 2026 17:56:21 -0800
Subject: [PATCH 09/51] fix
---
_headers | 2 +-
content/articles/BUILD_ARCHITECTURE.md | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/_headers b/_headers
index 1f8e13d..475feae 100644
--- a/_headers
+++ b/_headers
@@ -10,4 +10,4 @@
/articles/build-architecture
! Content-Security-Policy
- Content-Security-Policy: default-src 'none'; style-src 'self'; style-src-attr 'none'; font-src 'self'; img-src 'self' https://github.com https://release-assets.githubusercontent.com; manifest-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'; sandbox; upgrade-insecure-requests;
+ Content-Security-Policy: default-src 'none'; style-src 'self'; style-src-attr 'none'; font-src 'self'; img-src 'self' https://github.com https://release-assets.githubusercontent.com; manifest-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'; sandbox allow-popups; upgrade-insecure-requests;
diff --git a/content/articles/BUILD_ARCHITECTURE.md b/content/articles/BUILD_ARCHITECTURE.md
index 1c0e72c..45ac0a3 100644
--- a/content/articles/BUILD_ARCHITECTURE.md
+++ b/content/articles/BUILD_ARCHITECTURE.md
@@ -36,22 +36,22 @@ Supply chain security is a priority for secureblue. During the the build process
## [Mitigation logic](#mitigation-logic)
{: #mitigation-logic}
-## [Provenance](#provenance)
+### [Provenance](#provenance)
{: #provenance}
To generate provenance, the build platform (in our case, GitHub Actions) generates and signs an attestation file containing metadata about the build environment. Crucially, it cryptographically attests to the authenticity of runner and the source commit on which the artifact is being built. This attestation is then published in the repository or registry alongside the artifact. On the client side, when the artifact is pulled, the signature of the attestation is validated against the build platform's public key and the contents of the attestation are validated to confirm that the artifact was built: on an authorized runner from a commit in a specific branch in the source repository protected by branch policies, pull request review, and maintainer login 2FA. This means that even in the event that a maintainer's artifact signing keys and artifact repository credentials were both stolen, any malicious builds pushed by the credential thief would be rejected by clients due to provenance validation.
-## [Signatures](#signatures)
+### [Signatures](#signatures)
{: #signatures}
A private key owned by the artifact maintainer is used in combination with a [hash](https://en.wikipedia.org/wiki/Cryptographic_hash_function) of the artifact to compute a [signature](https://en.wikipedia.org/wiki/Digital_signature). The signature is then provided alongside the artifact so that clients can verify the artifact signature before installing or using the artifact. For example, for our ISOs, each signature is shipped in a corresponding `-CHECKSUM` file. Once the client has all of the required information, it can use the maintainer's public key to verify the signature, revealing a hash that it then compares against a locally-generated hash of the artifact. This means that in the event that an artifact registry was compromised or artifacts otherwise tampered with by malicious third parties, any corresponding signature file would either not be present or fail validation.
-## [Egress auditing](#egress-auditing)
+### [Egress auditing](#egress-auditing)
{: #egress-auditing}
StepSecurity Harden-Runner provides network traffic controls and source code integrity monitoring, among other mechanisms. It restricts outbound traffic to a configurable list of authorized outbound domains, and enforces this at multiple levels (DNS, HTTPS, network layer, transport layer). It has several other functions as well, like monitoring the source code as the build progresses to ensure tampering doesn't occur, monitoring for anomalous privileged processes, etc.
-## [Branch protection](#branch-protection)
+### [Branch protection](#branch-protection)
{: #branch-protection}
Branch protection via rulesets prevents any changes being made to secureblue source code without those changes first meeting specific criteria. Among those criteria is a minimum number of code reviews from maintainers, excluding of course the author of the pull request should they be a maintainer. This means that in the event that a maintainer's source code repository credentials were stolen, the thief would be unable to push changes to the repository. This includes the repo owner credentials, since bypassing rulesets is only possible after 2FA has been granted.
From a678c3f67668eb8cba7a301ed204314929752a50 Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Sun, 15 Feb 2026 17:59:07 -0800
Subject: [PATCH 10/51] fixes
---
_headers | 2 +-
assets/architecture.png | Bin 0 -> 1483209 bytes
content/articles/BUILD_ARCHITECTURE.md | 4 ++--
3 files changed, 3 insertions(+), 3 deletions(-)
create mode 100644 assets/architecture.png
diff --git a/_headers b/_headers
index 475feae..88824e3 100644
--- a/_headers
+++ b/_headers
@@ -10,4 +10,4 @@
/articles/build-architecture
! Content-Security-Policy
- Content-Security-Policy: default-src 'none'; style-src 'self'; style-src-attr 'none'; font-src 'self'; img-src 'self' https://github.com https://release-assets.githubusercontent.com; manifest-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'; sandbox allow-popups; upgrade-insecure-requests;
+ Content-Security-Policy: default-src 'none'; style-src 'self'; style-src-attr 'none'; font-src 'self'; img-src 'self'; manifest-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'; sandbox allow-popups; upgrade-insecure-requests;
diff --git a/assets/architecture.png b/assets/architecture.png
new file mode 100644
index 0000000000000000000000000000000000000000..a2c88a80c548970763a73471b23e83e9862e3b9b
GIT binary patch
literal 1483209
zcmeFacT|&E*FJ17sGuNSiVaYt3n*1b0g)!sgisWuHzU0zqN5;HMS6*XbOGrlfv7a;
z0z&8!5JHck1qeyLlV@IMe8#8fn)e;ow|@NLGREZG=bYWHYwvwd9$wK@*+<7gw`tR+
zeX5r(Ufr~bGi}o*rnOx=z&oFhukwSx#4WF>T4`u(ItgCy+O%ae!=^3Z)z*vRn>KCU
z|Bu&u!N2*ypH1$f!qUQGLYI`zU)+?PYJLE`wb|vW$}gL8TMtcc+Qhp__2PM5Pt%#f
zH@i29?%kU2PJM1N!LqY)+xcazM}OGSb9Xjv-m-1ie%`c;fc*fA+|f+cChg