- Reproducible Builds
- Userbase Consistency Verification
- Cryptographic Signatures
Reproducible builds, in practice, require access to the source code and, beyond that, the ability to reliably and consistently produce a bit-for-bit identical deliverable. In PHP land, I've built a utility called Pharaoh to diff two .phar files to further this aim.
Userbase Consistency Verification is simply implemented by building a linked list, atop a distributed Merkle tree (e.g. the Bitcoin block chain), whose nodes hold the SHA2-512/256 or BLAKE2b hash of each release, its version ID, a timestamp, and any other metadata appropriate for permanently storing this information in a globally verifiable manner. Every user can then check that the artifact they received is the same one recorded in the list that everyone else sees.
Cryptographic signatures are the easiest of the three legs of this triangle to solve: just use crypto_sign() and crypto_sign_open() from Libsodium.
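To make legs #2 and #3 concrete, here is an added example (not code from the original post or from Pharaoh) of a hash-linked release log in Go: each node stores the SHA-512/256 of the deliverable, a version ID, a timestamp and the hash of the previous node, and the publisher signs every node hash with Ed25519, the same signature scheme behind Libsodium's crypto_sign()/crypto_sign_detached(). Anchoring the list into a distributed Merkle tree is left out; the record encoding, the field names and the release contents are assumptions made up for the demo, not a format the post specifies.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
)

// ReleaseRecord is one node of the append-only release log. Hashing the
// whole record, PrevHash included, is what links each node to its predecessor.
// (Field layout is an assumption for this example.)
type ReleaseRecord struct {
	Version   string
	Timestamp int64    // Unix seconds
	Artifact  [32]byte // SHA-512/256 of the deliverable
	PrevHash  [32]byte // all-zero for the first record
	Signature []byte   // Ed25519 detached signature over Hash()
}

// encode produces a deterministic byte string: length-prefixed version,
// fixed-width timestamp, then the two fixed-size digests.
func (r *ReleaseRecord) encode() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint32(len(r.Version)))
	b.WriteString(r.Version)
	binary.Write(&b, binary.BigEndian, r.Timestamp)
	b.Write(r.Artifact[:])
	b.Write(r.PrevHash[:])
	return b.Bytes()
}

// Hash is the node identity that the next record commits to and that gets signed.
func (r *ReleaseRecord) Hash() [32]byte { return sha512.Sum512_256(r.encode()) }

// Append creates, links and signs a new record for an artifact. Signing the
// record hash rather than the artifact alone binds version, time and position
// in the log, so a signed artifact cannot be re-labelled as a different release.
func Append(chain []ReleaseRecord, version string, ts int64, artifact []byte, priv ed25519.PrivateKey) []ReleaseRecord {
	rec := ReleaseRecord{Version: version, Timestamp: ts, Artifact: sha512.Sum512_256(artifact)}
	if n := len(chain); n > 0 {
		rec.PrevHash = chain[n-1].Hash()
	}
	h := rec.Hash()
	rec.Signature = ed25519.Sign(priv, h[:]) // same construction as libsodium's crypto_sign_detached()
	return append(chain, rec)
}

// Verify walks the chain from genesis, checking every back-link, that
// timestamps never go backwards, and the publisher signature on each node.
func Verify(chain []ReleaseRecord, pub ed25519.PublicKey) error {
	var prev [32]byte
	var prevTs int64
	for i := range chain {
		r := &chain[i]
		if r.PrevHash != prev {
			return fmt.Errorf("record %d (%s): back-link does not match previous record", i, r.Version)
		}
		if r.Timestamp < prevTs {
			return fmt.Errorf("record %d (%s): timestamp goes backwards", i, r.Version)
		}
		h := r.Hash()
		if !ed25519.Verify(pub, h[:], r.Signature) {
			return fmt.Errorf("record %d (%s): bad signature", i, r.Version)
		}
		prev, prevTs = h, r.Timestamp
	}
	return nil
}

// ArtifactMatches is the consumer-side check: does the file I downloaded hash
// to what the verified log says was published under this version?
func ArtifactMatches(r ReleaseRecord, data []byte) bool {
	return sha512.Sum512_256(data) == r.Artifact
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for the bytes of two .phar releases.
	v1, v2 := []byte("contents of tool-1.0.0.phar"), []byte("contents of tool-1.0.1.phar")
	chain := Append(nil, "1.0.0", 1700000000, v1, priv)
	chain = Append(chain, "1.0.1", 1700086400, v2, priv)
	fmt.Println("chain valid:", Verify(chain, pub) == nil)    // true
	fmt.Println("v2 matches:", ArtifactMatches(chain[1], v2)) // true
	chain[0].Version = "1.0.0-rewritten"                      // attempt to rewrite history
	fmt.Println("after tamper:", Verify(chain, pub))          // error on record 0
}
```

The point of the demo's last three lines is the property the post is after: once a consumer has seen the log, any later change to an earlier node invalidates both that node's signature and the back-link of every node after it, so a publisher cannot quietly serve one user a different build than everyone else without the discrepancy being detectable.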
So far there aren't a lot of great tools available for #1 and #2. (Pharaoh is a narrow use-case; it will only help people who produce or consume .phar files in PHP environments.) If we want to achieve a verifiably secure internet, more research and development efforts should focus on these problems. (EdDSA solves #3 for now, and EdDSA-SPHINCS solves it in the distant future.)