This site publishes full provenance for both the application server and the content bundle it’s currently serving. Everything on this page is derived from real build attestations and signatures - this is what I’m actually running and how it got here.
Application
The application server is a custom Go binary built with security and observability as primary concerns. This section displays provenance for the currently running binary, including source information, build attestations, vulnerability scans, SBOMs, licensing, and container metadata.
Webserver Source: linnemanlabs-web on GitHub
Build/Release System Source: build-system on GitHub
Content Bundle
The content bundle is a signed artifact containing all static HTML, CSS, JavaScript, and assets generated by Hugo. The server verifies bundle integrity at load time and exposes provenance information via API.
Website Source: linnemanlabs-site on GitHub
What’s next
This page currently covers application and content provenance. The cryptographic and transparency layer beneath the application is already self-hosted in the lab - Fulcio for keyless certificates, Rekor as the transparency log, TesseraCT as the certificate transparency log, and a Timestamp Authority for trusted timestamps, all rooted in an offline YubiKey-held CA with KMS-backed signing keys. Trust material is published at trust.linnemanlabs.com.
What’s still ahead is the layer below that - OS-enforced signed execution (IMA/EVM), dm-verity verified filesystems on golden images, kernel lockdown, UEFI Secure Boot, and TPM-based hardware attestation. The end goal is a verifiable chain from silicon to running application, where every layer’s integrity is cryptographically anchored to the one below it.