Provenance-verified container packaging with cryptographic supply chain guarantees.
Cerro Torre is a SPARK/Ada-verified toolchain for packaging container images into cryptographically signed .ctp bundles. It provides complete provenance chain from source to deployment, integrating with Svalinn (gateway) and VΓΆrΓ°r (runtime) for verified container operations.
The name references Patagoniaβs most technically demanding peak. Cerro Torre stands for doing things properly: fair means, complete transparency, no shortcuts.
The container base image landscape offers:
-
Alpine: Minimal and excellent, but limited supply chain transparency
-
Wolfi: Strong security focus, but governed by a VC-backed company
Cerro Torre offers a third path:
| Principle | What It Means | |-----------|---------------| | Formally Verified | Core tooling written in Ada/SPARK with machine-checked proofs | | Democratically Governed | Multi-stakeholder cooperative, no corporate parent | | Radically Transparent | Complete cryptographic provenance for every package | | Format Agnostic | Import from Debian, Fedora, Alpine β not locked to any upstream | | Ethically Committed | The Palimpsest Covenant articulates our values |
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β IMPORTERS β
β βββββββββββ βββββββββββ βββββββββββ βββββββββββ β
β β Debian β β Fedora β β Alpine β β Nix β ... β
β β .dsc β β SRPM β βAPKBUILD β β .drv β β
β ββββββ¬βββββ ββββββ¬βββββ ββββββ¬βββββ ββββββ¬βββββ β
β β β β β β
β ββββββββββββββ΄ββββββ¬βββββββ΄βββββββββββββ β
β βΌ β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β CERRO TORRE MANIFEST (.ctp) β β
β β Declarative Β· Turing-Incomplete Β· Verifiable β β
β βββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββ β
β βΌ β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β SPARK-VERIFIED BUILD CORE β β
β β Cryptographic Ops Β· Manifest Parsing Β· Provenance Chain β β
β βββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββ β
β βΌ β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β ATTESTATIONS β β
β β in-toto Β· SBOM Β· Federated Transparency Logs β β
β βββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββ β
β βΌ β
β EXPORTERS β
β βββββββββββ βββββββββββ βββββββββββ βββββββββββ β
β β OCI β β OSTree β β .deb β β .rpm β β
β β Images β β Commits β β Compat β β Compat β β
β βββββββββββ βββββββββββ βββββββββββ βββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββCerro Torre packages are defined in .ctp manifest files β a declarative, Turing-incomplete format designed for formal verification. Package definitions cannot contain arbitrary computation, making them analysable and provable.
See [spec/manifest-format.md](spec/manifest-format.md) for the full specification.
Primary: Debian β Chosen for governance alignment. Debian is genuinely community-governed with constitutional documents, elected leadership, and no corporate owner. Building on democratic foundations matters for a democratically-governed project.
Secondary: Fedora β For packages where Fedoraβs version is better maintained, and for SELinux reference policies.
Extensible: The importer architecture allows community contribution of additional sources (Alpine, Nix, Arch, etc.).
-
SELinux Enforcing: First-class SELinux support with auto-generated per-container policies
-
Threshold Signing: k-of-n keyholders required for releases; no single point of trust
-
Federated Transparency: Multiple independent log operators; threshold agreement required
-
Reproducible Builds: Any party can rebuild and verify packages
Cerro Torre tooling is dual-licensed under your choice of:
-
Palimpsest-MPL-1.0 License β Maximum permissiveness
-
AGPL-3.0-or-later β Copyleft with network provisions
The Palimpsest Covenant travels alongside as a values commitment (not a legal requirement). Community members are encouraged to adopt it.
Packages retain their upstream licenses.
Cerro Torre is owned by a multi-stakeholder cooperative with:
-
Maintainer Members: Active package/infrastructure maintainers (one person, one vote on technical decisions)
-
User Members: Organisations and individuals using Cerro Torre in production (vote on strategic direction)
-
Asset Lock: If dissolved, assets go to another cooperative or charity, never to private interests
-
Fork Protection: Forking is explicitly encouraged; the cooperative exists to be useful, not to control
See [governance/](governance/) for full documentation.
cerro-torre/
βββ spec/ # Specifications
β βββ manifest-format.md # .ctp format specification
β βββ provenance-chain.md # Attestation requirements
β βββ transparency-log.md # Federated log protocol
βββ governance/ # Cooperative documents
β βββ articles.md # Bylaws
β βββ covenant.md # Palimpsest Covenant
β βββ decisions/ # Decision records
βββ src/ # Ada/SPARK implementation
β βββ core/ # SPARK-verified (crypto, parsing, verification)
β βββ importers/ # Debian, Fedora, etc.
β βββ exporters/ # OCI, OSTree, etc.
β βββ build/ # Build orchestration
β βββ policy/ # SELinux generation
βββ manifests/ # Package manifests (.ctp)
βββ keys/ # Public keys and policies
βββ docs/ # DocumentationPhase 0: FoundationsβββMVP v0.1.0-alpha
| Component | Status | Description |
|---|---|---|
Manifest Parser |
Complete |
|
Crypto Core |
Complete |
SHA-256/SHA-512 (FIPS 180-4), Ed25519 signatures (RFC 8032) |
Bundle Packing |
Complete |
|
Bundle Verification |
Complete |
|
Trust Store |
Complete |
Local key management with trust levels |
Help System |
Complete |
|
Policy Engine |
In Progress |
Allow/deny rules for deployment |
Registry Operations |
Planned |
|
# Core commands
ct pack <image> -o <file> # Pack OCI image into .ctp bundle
ct verify <bundle.ctp> [--policy <file>] # Verify bundle
ct explain <bundle> # Show verification chain
# Runtime integration
ct run <bundle> [--runtime=svalinn] # Run via Svalinn/podman/docker
ct unpack <bundle> -o <dir> # Extract to OCI layout
# Key management
ct keygen [--id <name>] # Generate signing keypair
ct key list # List trusted keys
ct key import <file.pub> # Import public key
ct key trust <id> <level> # Set trust level
# Distribution
ct fetch <ref> -o <file> # Fetch from registry
ct push <bundle> <dest> # Push to registry
# Diagnostics
ct doctor # Check pipeline health
ct diff <old> <new> # Compare bundles
# Help
ct help [command] # Command help
ct version [--json] # Version info
ct man <topic> # Man-page style docs| Component | Role | Integration |
|---|---|---|
Svalinn |
Edge gateway |
Validates |
VΓΆrΓ°r |
Container runtime |
Verifies attestations, executes containers |
verified-container-spec |
Protocol specification |
Defines attestation formats |
# 1. Package an image with Cerro Torre
ct pack docker.io/library/nginx:1.26 -o nginx.ctp
# 2. Verify the bundle
ct verify nginx.ctp --policy strict.json
# 3. Run via Svalinn gateway (which delegates to VΓΆrΓ°r)
ct run nginx.ctp --runtime=svalinn
# Or run directly with VΓΆrΓ°r
vordr run nginx.ctp --verifycerro-torre/ βββ src/ β βββ core/ # SPARK-verified (crypto, parsing) β β βββ cerro_crypto.adb β β βββ cerro_manifest.adb β β βββ cerro_provenance.adb β β βββ cerro_trust_store.adb β βββ cli/ # Command-line interface β β βββ cerro_main.adb β β βββ cerro_cli.adb β βββ build/ # Bundle creation/verification β β βββ cerro_pack.adb β β βββ cerro_verify.adb β βββ importers/ # Source format importers β β βββ debian/ β β βββ fedora/ β β βββ alpine/ β βββ exporters/ # Output format exporters β β βββ oci/ β β βββ rpm-ostree/ β βββ policy/ # SELinux generation β βββ runtime/ # Runtime integration βββ spec/ # Specifications β βββ manifest-format.md βββ governance/ # Cooperative documents βββ cerro_torre.gpr # GNAT project file βββ README.adoc
Read the Palimpsest Covenant first. If those values resonate, see CONTRIBUTING.md.
