Binary Transparency (BT) adds cryptographic immutability and discoverability to package identifiers and metadata, and when applied to artifact registries, prevents registries from acting maliciously, e.g. by tampering with existing artifact versions or serving new malicious versions.

As usage of Binary Transparency is not widespread and overlaps with other related supply chain security projects, this guide will serve as an overview to BT, discussing threats mitigated by BT, case studies of where BT has been applied, and how BT compares to other solutions like code signing or attestations. If you attended the WG meeting where I presented on BT, this guide will be a far more detailed analysis of BT and should serve as a the source of truth for how we want to discuss BT applied to artifact registries.

An implementation of this guide will follow shortly, with a goal of turning the API into a spec for C2SP.