Code Signing

To help prevent code injection, the network is secured with X.509 certificates, which are generated automatically upon account registration. Every time you commit a package, a Merkle root is generated from the SHA1 hash of every file.

The Merkle root is signed with your SSH key and included within the commit, which the network then verifies using chain of custody before the commit is allowed to proceed. This helps ensure that only you and those you grant access to can commit code to your repositories.
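As an added illustration (not Apex's own code), the sketch below computes a Merkle root from SHA1 file hashes and shows how a verifier recomputes it to detect a changed or renamed file. The leaf encoding, path sorting, prefix bytes and odd-node handling are assumptions, since this page does not specify how Apex builds its tree; the signature step is left out.

```python
import hashlib
import hmac

def leaf_hash(path: str, content: bytes) -> bytes:
    # Assumption: a leaf binds the file path to the SHA1 of its contents,
    # with a 0x00 prefix so a leaf can never be mistaken for an inner node.
    file_digest = hashlib.sha1(content).digest()
    return hashlib.sha1(b"\x00" + path.encode() + b"\x00" + file_digest).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # Assumption: inner nodes use a 0x01 prefix (domain separation from leaves).
    return hashlib.sha1(b"\x01" + left + right).digest()

def merkle_root(files: dict[str, bytes]) -> str:
    """Return the hex Merkle root over a {path: content} mapping."""
    if not files:
        raise ValueError("a package must contain at least one file")
    # Sort by path so the root does not depend on directory listing order.
    level = [leaf_hash(p, files[p]) for p in sorted(files)]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level) - 1, 2):
            nxt.append(node_hash(level[i], level[i + 1]))
        if len(level) % 2:
            # An odd node is promoted unchanged rather than duplicated, so a
            # repeated trailing leaf cannot produce the same root.
            nxt.append(level[-1])
        level = nxt
    return level[0].hex()

def verify(files: dict[str, bytes], signed_root: str) -> bool:
    # The verifier recomputes the root from the files it received and compares
    # it with the root covered by the signature (signature check omitted here).
    return hmac.compare_digest(merkle_root(files), signed_root)

# Constructed sample package (not real Apex files).
PACKAGE = {
    "src/App.php": b"<?php echo 'hello';\n",
    "src/Util.php": b"<?php function add($a, $b) { return $a + $b; }\n",
    "README.md": b"# demo\n",
}

if __name__ == "__main__":
    root = merkle_root(PACKAGE)
    tampered = dict(PACKAGE, **{"src/App.php": b"<?php system($_GET['c']);\n"})
    print(root, verify(PACKAGE, root), verify(tampered, root))
```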

A public ledger of all commits, including their digital signatures, can be found on the ledger site at https://ledger.apexpl.io/. You may view a list of all commits for your own account or any other account by visiting https://ledger.apexpl.io/USERNAME/