HACKER Q&A
📣 SUPERCILEX

Is trusted client compute possible?


I'm wondering if I can have a client build some artifact and upload the artifact to a cache server that redistributes it. Of course the problem is that a malicious client could upload something evil, so I would need some way of proving that the client built the thing it was supposed to. Is it possible to trust client computation?

  👤 cjbprime Accepted Answer ✓
If you have a large client population, you could try something where you pick e.g. ten clients at random to build-and-upload the same artifact, and if they all come up with exactly the same artifact, and collusion between them is sufficiently implausible, you could decide to trust it.

Apple also has something for iOS called "App Attestation", where you could publish an app to do the building, and then if your server receives an upload from a successfully-signed app instance, you would know that the app code itself was not modified: https://developer.apple.com/documentation/devicecheck/establ...

This is all assuming you can't just do the build yourself to verify what they did. (If you could, why would you need them to upload it?)