Increasing security of internet downloads with Asfaload
- Track: Lightning Talks
- Room: H.2215 (Ferrer)
- Day: Saturday
- Start: 13:50
- End: 14:05
- Video only: h2215
Asfaload aims to secure internet downloads by ensuring the integrity and authenticity of downloaded files. With attacks on the software supply chain becoming more common and more sophisticated, an effective and simple-to-use solution has to be found for both developers and their users. All our published software is under the AGPLv3 or MPLv2, and allows for a self-hosted deployment.
The first building block of our solution is a mirror of checksum files, which helps detect modification of released files but is of no help in case of account compromise. That's why we are also working on an upcoming blockchain-based multi-user multi-factor signature scheme, though users will not be directly exposed to the blockchain. For end users, we develop a CLI downloader tool with its accompanying library at asfald. As for software developers, publishing a checksum file (with sha256sum or sha512sum) is sufficient to integrate with Asfaload. In this talk we will present the problem we are addressing, why it is important, how we are addressing it and what simple steps project authors can take to increase the security of their users.
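The checksum-mirror check described above, as an added example (not Asfaload's own code and not how asfald is implemented): a shell function that trusts a digest only when the checksum file from the release page and an independently obtained mirror copy agree, then verifies the download against it. The function name and file names are hypothetical, and how the mirror copy is fetched is left out.

```shell
#!/bin/sh
# Added example; function and file names are hypothetical, sample data is constructed.
# Assumes GNU coreutils sha256sum and file names without spaces.

# verify_with_mirror FILE RELEASE_SUMS MIRROR_SUMS
#   0: both checksum files agree and FILE matches the recorded digest
#   1: release and mirror copies disagree about FILE (or have no entry for it)
#   2: checksum files agree, but FILE's digest differs
verify_with_mirror() {
    file=$1; release_sums=$2; mirror_sums=$3
    name=$(basename "$file")
    # sha256sum lines look like "<hex digest>  <name>" (binary mode: " *<name>").
    pick='{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }'
    rel=$(awk -v n="$name" "$pick" "$release_sums")
    mir=$(awk -v n="$name" "$pick" "$mirror_sums")
    [ -n "$rel" ] && [ "$rel" = "$mir" ] || return 1
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$rel" ] || return 2
    return 0
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'release v1.0 contents\n' > "$d/tool.tar.gz"
    (cd "$d" && sha256sum tool.tar.gz > checksums.txt)  # developer's publishing step
    cp "$d/checksums.txt" "$d/mirror.txt"               # copy kept by the mirror
    rc=0; verify_with_mirror "$d/tool.tar.gz" "$d/checksums.txt" "$d/mirror.txt" || rc=$?
    echo "untouched release: $rc"
    # The released file and its checksum file are later modified together;
    # the mirror still holds the original checksum file.
    printf 'modified contents\n' > "$d/tool.tar.gz"
    (cd "$d" && sha256sum tool.tar.gz > checksums.txt)
    rc=0; verify_with_mirror "$d/tool.tar.gz" "$d/checksums.txt" "$d/mirror.txt" || rc=$?
    echo "modified release: $rc"
    rm -rf "$d"
}
demo
```

A release whose first published checksum file already describes a malicious artifact would be mirrored as-is, which is the account-compromise gap the abstract says the signature scheme is meant to cover.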
Speakers
Raphaël Bauduin