Tools

Distrust develops open source tooling to help make the internet a safer place!

Rather than write the same document or tool 10 times and bill each client for it, we focus our unused retainer hours on open sourcing every document and tool we legally can, so we can focus our time with clients on their unique needs. If we are doing public work you would like to see more of, or that almost meets your needs, we would love to hear from you and figure out a path to see your needs met.

AirgapOS

https://git.distrust.co/public/airgap

A live, Buildroot-based Linux distribution designed for managing secrets offline.

  • Deterministic binary verification
  • Small footprint (< 100MB)
  • Immutable and diskless
  • Network drivers removed

Keyfork

https://git.distrust.co/public/keyfork

An opinionated and modular toolchain for generating and managing a wide range of cryptographic keys offline and on smartcards from a shared BIP39 mnemonic phrase.

  • BIP39-style key derivation from OS or hardware entropy
  • Sharding mechanism allows "M-of-N" recovery
  • Built deterministically
  • Intended for use with air-gapped systems

StageX

https://codeberg.org/stagex/stagex

A minimalism- and security-first repository of reproducible, multi-signed OCI images of common open source software toolchains, full-source bootstrapped from Stage 0 all the way up.

  • Fully verifiable and deterministic build toolchain
  • Deterministic packages of commonly used software (rust, go, openssl, curl and many more)
  • Flexible drop-in replacement for existing software
  • Available on Docker Hub

EnclaveOS

https://git.distrust.co/public/enclaveos

A minimal, immutable, and deterministic Linux unikernel build system targeting various Trusted Execution Environments for use cases that require high security and accountability.

  • Immutable: Root filesystem is a CPIO filesystem extracted to a RamFS at boot
  • Minimal: < 5MB footprint and nothing is included but a kernel and your target binary by default
  • Deterministic: multiple people can reproduce the build and verify its integrity
  • Hardened: No TCP/IP network support, most unnecessary kernel features disabled, and Kernel Self Protection Project recommendations followed

git-sig

https://git.distrust.co/public/gitsig

The simple multisig toolchain for git repos.

  • Attach any number of signatures to any given git ref
  • Verify git history contains a minimum threshold of unique commit signatures
  • Verify signatures belong to a defined GPG alias group
  • Verify code changes made since the last time the minimum number of valid signatures was present