The Core Argument
In December 2020, SolarWinds' build server was compromised. APT29 didn't breach source control—they owned the build environment itself. Malicious code was signed with legitimate certificates and shipped to 18,000 organizations. Code review didn't help. Approval workflows didn't help. The build system was the adversary.
Attestaattia, a new open-source project, proposes a blunt solution: treat every deployment as hostile until a human physically proves intent. Instead of trusting session tokens (which can be stolen), it requires a FIDO2 hardware key press for each production push. The YubiKey signs a cryptographic challenge tied to the specific commit hash. No touch, no deploy.
What's Different Here
This isn't feature flags or canary rollouts—those are software kill switches for after bad code ships. Attestia sits upstream: it asks whether you meant to ship at all. The physical separation matters. Early versions ran browser-based WebAuthn, but a compromised laptop could modify the commit hash before the signature. Version 2 moved approval to an air-gapped Raspberry Pi with an OLED screen showing the exact commit being signed. Physics, not policy.
The industry has largely settled on software-based controls: OIDC federation for short-lived credentials, GitOps for audit trails, feature flags for instant rollback. Statsig and LaunchDarkly dominate that market. Progressive delivery—ramping traffic from 1% to 100% with automated checks—handles most rollback scenarios in under a minute.
The Trade-Off
Hardware intent verification solves a real problem: session token theft. But it's overkill for most threat models. If your build environment is compromised to the point where you need physical attestation, you've already lost—the attacker controls your source of truth. Software kill switches are "reactive but sufficient" for the 80% case. Hardware adds operational friction (what happens when the YubiKey is in another building?) without addressing root causes like static secrets in CI/CD.
Worth watching if you're in high-trust environments—government, finance, critical infrastructure. For the rest, this is a well-engineered solution to a problem most teams won't prioritize until they're breached.