LinnemanLabs

Provenance

Cryptographic verification and build provenance for LinnemanLabs application and content

This site publishes full provenance for both the application server and the content bundle it’s currently serving. Everything on this page is derived from real build attestations and signatures - this is what I’m actually running and how it got here.

Application

The application server is a custom Go binary built with security and observability as primary concerns. This section displays provenance for the currently running binary, including source information, build attestations, vulnerability scans, SBOMs, licensing, and container metadata.

Webserver Source: linnemanlabs-web on GitHub

Build/Release System Source: build-system on GitHub

Content Bundle

The content bundle is a signed artifact containing all static HTML, CSS, JavaScript, and assets generated by Hugo. The server verifies bundle integrity at load time and exposes provenance information via API.

Website Source: linnemanlabs-site on GitHub
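The load-time integrity check described above, as an added illustration that is not the linnemanlabs-web server's own code: a content bundle is modelled as a manifest of per-file SHA256 digests, the manifest is signed with Ed25519, and the verifier checks the manifest signature before trusting any file hash, then rejects tampered, missing and unlisted files. The manifest layout, the Ed25519 scheme, the constructed key seed and the sample files are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed index of a content bundle: one hex SHA256 per file path.
type Manifest struct {
	ContentID string            `json:"content_id"`
	Files     map[string]string `json:"files"` // path -> hex SHA256
}

// Bundle carries the canonical manifest bytes, the signature over them, and the file payloads.
type Bundle struct {
	ManifestJSON []byte
	Signature    []byte
	Files        map[string][]byte
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildBundle hashes every file, serialises the manifest deterministically
// (encoding/json emits map keys in sorted order) and signs the manifest bytes
// with the publisher's Ed25519 private key.
func BuildBundle(contentID string, files map[string][]byte, priv ed25519.PrivateKey) (Bundle, error) {
	m := Manifest{ContentID: contentID, Files: map[string]string{}}
	for p, data := range files {
		m.Files[p] = sha256Hex(data)
	}
	mj, err := json.Marshal(m)
	if err != nil {
		return Bundle{}, err
	}
	return Bundle{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Files: files}, nil
}

// VerifyBundle is the check a server would run at load time. The signature over
// the manifest is verified first, so an unsigned or substituted manifest is never
// consulted; only then is every file compared against its listed digest. Files
// listed but absent, and files present but unlisted, both fail the check.
func VerifyBundle(pub ed25519.PublicKey, b Bundle) (*Manifest, error) {
	if !ed25519.Verify(pub, b.ManifestJSON, b.Signature) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(b.ManifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	for p, want := range m.Files {
		data, ok := b.Files[p]
		if !ok {
			return nil, fmt.Errorf("listed file missing from bundle: %s", p)
		}
		if got := sha256Hex(data); got != want {
			return nil, fmt.Errorf("hash mismatch for %s: got %s want %s", p, got, want)
		}
	}
	for p := range b.Files {
		if _, ok := m.Files[p]; !ok {
			return nil, fmt.Errorf("unlisted file in bundle: %s", p)
		}
	}
	return &m, nil
}

func main() {
	// Constructed, fixed seed so the demo is reproducible; a real publisher key is never derived this way.
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = byte(i)
	}
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	// Constructed sample content standing in for Hugo output.
	files := map[string][]byte{
		"index.html":   []byte("<h1>LinnemanLabs</h1>"),
		"css/site.css": []byte("body{margin:0}"),
	}
	b, err := BuildBundle("content-demo", files, priv)
	if err != nil {
		panic(err)
	}
	if _, err := VerifyBundle(pub, b); err != nil {
		panic(err)
	}
	fmt.Println("intact bundle verified")

	// Modify one file after signing: the manifest signature still holds, but the digest check fails.
	b.Files["index.html"] = []byte("<h1>modified</h1>")
	_, err = VerifyBundle(pub, b)
	fmt.Println("tampered bundle:", err)
}
```

Verifying the signature before reading the manifest is the order that matters: checking file hashes against an unauthenticated manifest would let a modified manifest and modified files pass together.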

What’s next

This page currently covers application and content provenance. I’m working toward attestations across the full trust hierarchy - from the application layer down through OS-enforced signed execution (IMA/EVM), dm-verity verified filesystems on golden images, kernel lockdown, UEFI Secure Boot, and TPM-based hardware attestation. The end goal is a verifiable chain from silicon to running application, where every layer’s integrity is cryptographically anchored to the one below it.

Application Provenance


Build

Release ID
Build ID
Build Actor
Build System
Builder Identity
Go Version
Built At
Fetched At

Source

Repository
Commit
Tag
Commit Date

Builder

Repository
Commit
Branch
Commit Date

Signing

Method
Key Reference
Signed Artifacts
Artifacts
Index
Inventory
Release

Attestations

Total
Source
Artifact
Attested Categories
SBOM
Scan
License

Policy

Enforcement
Inventory signature
Subject signatures
Evidence Requirements
SBOM
Scan
License
Provenance
Attestations
Vulnerability Gating
Block On
Allow if VEX
License Policy
Allowed Licenses
Denied Licenses
Unknown Licenses

Vulnerabilities

Critical
High
Medium
Low
Negligible
Unknown
Total
Worst Severity
Gate Result
Scope
Deduplication
Scanned At
Scanners
Per-Scanner Results

Software Bill of Materials

Source Packages
Artifact Packages
Generators
Formats Produced
Generated At

Licenses

Licenses Found
Denied Licenses Found
Packages Without License

Evidence

Evidence Files
Completeness
SBOM (source)
SBOM (artifacts)
Scan (source)
Scan (artifacts)
License (source)
License (artifacts)
Attestations
Categories

Artifacts

Binary
Platform
Size
SHA256
Container
Repository
Tag
Pushed At
Digest
Digest Reference
Media Type
Artifact Type

Content Provenance

Content Version

Bundle Identity

Content ID
Content Hash
Schema
Type

Source

Repository
Commit
Branch
Commit Date
Build Time

Build Environment

Build Host
Build User

Content Summary

Total Files
Total Size
File Types
File Type Breakdown

Build Tooling

Hugo
Static site generator
SHA256
Tailwind CSS
CSS framework
SHA256
HTML Tidy
HTML validation
SHA256
Git
Version control
Bash
Build shell

Runtime

Source
Loaded At
Server Time
Runtime Hash

Attestations

Attestations (coming soon!):

  • GitHub Actions workflow provenance (SLSA)
  • Sigstore signatures (keyless OIDC)
  • Content bundle signatures
  • TUF metadata verification