Contract Source Verification after Deployment without Attestation #1802
leighmcculloch
started this conversation in
General Discussion
Context: There have been conversations and proposals in the past, and ongoing efforts implemented to varying degrees, moving forward methods for contract build verification:
👋🏻 I've seen some cases where folks deployed either from a local machine, or before realising what the attestation process was, and then later discovered it. In the interest of there being some way for someone to prove what code they deployed with after the fact, which can still be a very important process to define, I've been doing some experimenting.
Using recent Rust versions and the stellar-cli that now sets builds up to be more deterministic, the building of contracts seems to be sometimes consistent even across host platforms. So I've been experimenting with how successful it can actually be rebuilding existing contracts. I don't expect 100% success, but I'm hoping if the success rate is 80-90% then a simple process can be defined to follow to prove after the fact in situations where it's helpful. Possibly this would help with post-publishing attestations through rebuilds, or forming alternative registries with the necessary rebuilds and evidence.
If anyone wants to help see if rebuilding existing contracts works, the repo is below, and you can help out by opening new issues. Each new issue opened automatically kicks off an attempt to rebuild a contract against its original code. Note, in the interest of keeping the repo focused on meaningful contracts, it only works with contracts deployed to mainnet.
I don't see this replacing attestation or the proposals at the top of this post, for all the reasons that build provenance attestation has always been a go-to solution, and with the rise in popularity of Sigstore's tech, is taking off more in recent years. I see this filling a gap where there still needs to be a way to prove code where attestation wasn't or isn't available, for whatever reason.
That repo above is experimentation I'm doing with just a small percentage of my time, so if anyone is 👀ing it, expect to see progress in bursts.
This discussion thread is not a proposal.
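The rebuild-and-compare step the post describes, as an added example that is not part of the original discussion or of the author's repo: it hashes a deployed wasm and a locally rebuilt wasm, and when they differ it parses the wasm section table to report whether the difference is confined to custom sections (build metadata and debug names, a frequent reason a rebuild "almost" matches) or is in the code itself. It assumes the deployed hash to reproduce is the SHA-256 of the wasm bytes, and the custom section name `contractmetav0` in the constructed sample is an assumption used only to make the sample look like a Soroban build; no real contract is fetched.

```python
import hashlib

WASM_MAGIC = b"\x00asm"
WASM_VERSION = b"\x01\x00\x00\x00"


def _read_uleb128(buf, pos):
    """Decode an unsigned LEB128 integer at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if byte & 0x80 == 0:
            return result, pos
        shift += 7


def _write_uleb128(value):
    """Encode a non-negative int as unsigned LEB128 bytes."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def wasm_sections(wasm):
    """Return [(section_id, custom_name_or_None, payload)] for a wasm v1 binary."""
    if wasm[:4] != WASM_MAGIC or wasm[4:8] != WASM_VERSION:
        raise ValueError("not a wasm v1 binary")
    pos, sections = 8, []
    while pos < len(wasm):
        section_id = wasm[pos]
        pos += 1
        size, pos = _read_uleb128(wasm, pos)
        payload = wasm[pos:pos + size]
        if len(payload) != size:
            raise ValueError("truncated section")
        pos += size
        name = None
        if section_id == 0:  # custom section: name-length, name, then opaque data
            name_len, name_end = _read_uleb128(payload, 0)
            name = payload[name_end:name_end + name_len].decode("utf-8")
            payload = payload[name_end + name_len:]
        sections.append((section_id, name, payload))
    return sections


def make_wasm(sections):
    """Encode [(section_id, name_or_None, payload)] into a wasm binary (used here to build constructed samples)."""
    body = bytearray(WASM_MAGIC + WASM_VERSION)
    for section_id, name, payload in sections:
        if section_id == 0:
            name_bytes = name.encode("utf-8")
            payload = _write_uleb128(len(name_bytes)) + name_bytes + payload
        body += bytes([section_id]) + _write_uleb128(len(payload)) + payload
    return bytes(body)


def strip_custom_sections(wasm):
    """Re-encode the binary with every custom (id 0) section removed."""
    return make_wasm([s for s in wasm_sections(wasm) if s[0] != 0])


def wasm_hash(wasm):
    # Assumption: the deployed contract's wasm hash is the SHA-256 of the wasm bytes.
    return hashlib.sha256(wasm).hexdigest()


def verify_rebuild(deployed_wasm, rebuilt_wasm):
    """Compare a rebuilt wasm against the deployed one and explain a mismatch."""
    report = {
        "deployed_hash": wasm_hash(deployed_wasm),
        "rebuilt_hash": wasm_hash(rebuilt_wasm),
    }
    report["match"] = report["deployed_hash"] == report["rebuilt_hash"]
    if not report["match"]:
        # Custom sections hold build metadata; if only those differ, the code reproduced.
        report["deployed_custom"] = [n for sid, n, _ in wasm_sections(deployed_wasm) if sid == 0]
        report["rebuilt_custom"] = [n for sid, n, _ in wasm_sections(rebuilt_wasm) if sid == 0]
        report["code_match_ignoring_custom"] = (
            strip_custom_sections(deployed_wasm) == strip_custom_sections(rebuilt_wasm)
        )
    return report


# Constructed sample: a type section with zero entries plus one metadata custom section.
DEPLOYED = make_wasm([(1, None, b"\x00"), (0, "contractmetav0", b"rsver=1.x")])
REBUILT_SAME_CODE = make_wasm([(1, None, b"\x00"), (0, "contractmetav0", b"rsver=1.y")])

if __name__ == "__main__":
    print(verify_rebuild(DEPLOYED, REBUILT_SAME_CODE))
```

In practice the two inputs would be the wasm fetched from the network and the artifact produced by the local build; a `code_match_ignoring_custom` of true with a hash mismatch tells you the toolchain reproduced the code and only the embedded build metadata differs, which is the first thing to check before concluding a contract cannot be rebuilt.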