Three different documents, somehow need best of each: --- --- # Open Integrity Project - Git Inception Proof-of-Concepts (POCs) ## Introduction to the Open Integrity Project The _**Open Integrity Project**_ explores how Git repositories serve as a **cryptographic root of trust**, ensuring **integrity, provenance, and accountability** in software development. By integrating **assessment, authentication, affirmation, and audit mechanisms**, this project demonstrates how Git can establish **tamper-resistant and independently inspectable software records**. The goal of the Blockchain Commons' _**Open Integrity Project**_ is to advance **open, interoperable, and secure digital infrastructure** by establishing **cryptographic roots of trust**. Guided by the principles of **independence, resilience, privacy, and openness**, we empower individuals and organizations to build **verifiable, decentralized trust systems**. Through initiatives like this, Blockchain Commons upholds **human dignity in digital spaces**, enabling individuals to **securely manage their software, identity, and digital assets** while fostering **collaboration across decentralized environments**. ### **What This Proof-of-Concept Establishes** This PoC demonstrates how Git repositories, when combined with **strong cryptographic signatures and structured auditing processes**, become **distributed, platform-agnostic sources of truth**. This approach enables: - **Immutable proof-of-origin** for software artifacts. - **Tamper detection and commit integrity assessment**. - **Decentralized trust models** that function independently of any single hosting provider. To achieve this, the PoC implements **SSH-signed _Inception Commits_**, which serve as **the cryptographically verifiable foundation for repository history**. These commits: - **Ensure all future commits build on a secure and affirmed foundation.** - **Enable platform-agnostic inspection** across GitHub, GitLab, peer-to-peer Git networks, or even local environments. - **Create a cryptographically authenticated identifier (`did:repo:{SHA1}`)** that allows repositories to be referenced independently of hosting platforms. By applying **structured, decentralized trust mechanisms**, this PoC establishes **transparent, auditable repository initialization techniques** that reinforce **cryptographic integrity and provenance** in software development. ## **Key Concepts** ### **1. The _Inception Commit_: A Root of Trust for Software Repositories** The **_Inception Commit_ (commit 0)** serves as an **immutable foundation** for a repository’s history: - **Empty State:** The repository begins with no data (`git commit --allow-empty`). No changes are introduced in this commit beyond Git metadata, ensuring a deterministic SHA-1 root hash (`4b825dc642cb6eb9a060e54bf8d69288fbee4904`). - **Signed & Constrained:** This commit is **cryptographically signed** with the committer’s SSH key and uses **minimal metadata** to mitigate SHA-1 collision risks. - **Immutable Inspection:** Because it is **platform-agnostic**, this commit can be **authenticated, affirmed, and audited** regardless of where the repository is hosted. ### **2. Mitigating SHA-1 Weaknesses Through Constraint & Signing** While SHA-1 is cryptographically weak (~80-bit security), this approach compensates by: - **Enforcing tightly constrained commit details**, reducing the attack surface for potential SHA-1 collisions. - **Embedding a cryptographic SSH signature**, ensuring that even if a hash collision were possible, an attacker would also need to forge a valid SSH signature (~128-bit security). - **Requiring cryptographic authentication**, so any attempt to alter the _Inception Commit_ or its metadata would be immediately detectable. ### **3. Cryptographic Signing: Authenticity & Integrity at Every Stage** Every commit after the _Inception Commit_ requires an authorized **SSH signature**, which ensures: - **Proof of Authenticity:** Affirms that the repository’s history originates from a trusted source. - **Tamper Resistance:** Prevents unauthorized modifications to the commit history by requiring cryptographic authentication. - **Gradual Trust Expansion:** Enables **trust delegation** by introducing additional commit signers in a structured, auditable manner. ### **4. Governance & Trust Model** 1. **Default Trust**: Only the _Inception Signing_ Key is trusted initially, and has all privileges. 2. **Delegation of Trust**: Additional trusted keys can be authorized in `.repo/config/verification/allowed_commit_signers`. Other kinds of privileges (tags, binary release, etc.) can be authorized using additional files. 3. **Decentralized Governance**: Any authorized key can later be removed by trusted keys, including removal of inception key priviledges, allowing key rotation. ### **5. Distributed Inspection: Platform-Agnostic, Decentralized Trust** This methodology allows repositories to be assessed **independently of any hosting provider**: - **Unique Cryptographic Identifier:** Each repository can be referenced using `did:repo:{SHA1}`, enabling **trust validation across platforms**. - **Independent Auditing:** Repositories can be inspected locally, on GitHub/GitLab, or within **peer-to-peer networks**, or locally, without reliance on a centralized authority. - **Resilience Against Hosting Failures:** Even if a platform ceases operation, repositories remain independently inspectable and cryptographically affirmed. This system extends beyond **single-entity governance**, reinforcing a decentralized trust model where **no single provider controls inspection or assessment**. ## Audit Manual Walkthrough This repository demonstrates an _Inception Commit_, which establishes a cryptographic root of trust for this Git repository. Follow these steps to explore and verify its _Inception Commit_: 1. **Clone the Repository**: ```sh gh repo clone BlockchainCommons/open_integrity-git_inception_pocs cd open_integrity-git_inception_pocs ``` 2. **Locate the_Inception Commit_ (Commit 0) SHA-1 Identifier**: Retrieve the SHA-1 hash of the_Inception Commit_ (commit 0) with the following command: ```sh git rev-list --max-parents=0 HEAD ``` Expected Output: ```sh a3306efcb768baa6f414409b6b3575914986c8a6 ``` 2. **Inspect the _Inception Commit's_ Details**: You can inspect the full details of this_Inception Commit_: ```sh % git cat-file -p $(git rev-list --max-parents=0 HEAD) tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904 author ChristopherA <ChristopherA@LifeWithAlacrity.com> 1735930944 -0800 committer SHA256:a61TkTtLFGEYOmdRMbpYGkZwXw2QUrGkAWp3dok8jcw <ChristopherA@LifeWithAlacrity.com> 1735930944 -0800 gpgsig -----BEGIN SSH SIGNATURE----- U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgIz5gy/oWhp2G15wVysRKmrlkiH FnNggqTLwL7deTRLIAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5 AAAAQLh/eQoRwX2QHcyLugKlCpGfHhCBrl7diUkbZg4llCnRjihy+OhE++Mm0NqTsUwdMj 3v6+9LQslOd2Sm8b/lowY= -----END SSH SIGNATURE----- Initialize repository and establish a SHA-1 root of trust Signed-off-by: @ChristopherA <ChristopherA@LifeWithAlacrity.com> This key certifies future commits' integrity and origin. Additional keys can be authorized to certify commits via the creation of a ./.repo/config/verification/allowed_commit_signers file. This file must added in a commit signed by the inception key, granting these keys the authority to certify commits, including the potential to remove the authority of the inception key. Once established, any changes to allowed_commit_signers must be certified by one of the previously approved signers. ``` Note that the "tree" is `4b825dc642cb6eb9a060e54bf8d69288fbee4904` - this hash proves that the repository is empty (and will be the same for all _Inception Commits_, as they are required to be empty). 3. **Verify the _Inception Commit_ Locally**: Run this command to confirm that the _Inception Commit_ is signed with a valid SSH key: ```sh git verify-commit $(git rev-list --max-parents=0 HEAD) ``` Expected output: ```sh Good "git" signature for @ChristopherA with ED25519 key SHA256:a61TkTtLFGEYOmdRMbpYGkZwXw2QUrGkAWp3dok8jcw ``` 4. **Inspect the Commit on GitHub**: Open the following URL in your browser to view the _Inception Commit_ on GitHub: ```sh open https://github.com/BlockchainCommons/open_integrity-git_inception_pocs/commit/$(git rev-list --max-parents=0 HEAD) ``` GitHub should display a green `Verified` badge, confirming that the signing key used for the commit is recognized as belonging to `@ChristopherA`. ![GitHub Verified Inception Commit](./images/GitHub_Verified_Inception_Commit.png) 5. **Confirm Signing Key via GitHub API**: Use GitHub’s API to list the signing keys associated with `@ChristopherA`: ```sh curl https://api.github.com/users/ChristopherA/ssh_signing_keys ``` Confirm that the fingerprint (`SHA256:a61TkTtLFGEYOmdRMbpYGkZwXw2QUrGkAWp3dok8jcw`) used to sign the _Inception Commit_ matches one of the signing keys for the user `@ChristopherA`. 6. **Verify Remaining Commits** Subsequent commits must either be signed by the same SSH key used for the _Inception Commit_ or by SSH keys explicitly authorized in a preceding commit’s `./.repo/config/verification/allowed_commit_signers` file. For example: ```sh open https://github.com/BlockchainCommons/open_integrity-git_inception_pocs/commit/b7d0013e4a2770363e4f33290188c0890e51fa6e ``` ![GitHub Verified Commit](./images/GitHub_Verified_Commit.png) ...is a commit, signed by the Inception Key, that adds a initial `./.repo/config/verification/allowed_commit_signers` file. _NOTE: Currently this example only re-authorizes the Inception Key, but could authorize other SSH keys, or even remove the authorization of the Inception Key to make commits._ ## Using the Audit Script (`audit_inception_commit-POC.sh`) The `audit_inception_commit-POC.sh` script audits the **integrity, cryptographic verification, and compliance** of an _Inception Commit_ within a Git repository. It evaluates adherence to **Open Integrity standards** by auditing key aspects of the repository across **Progressive Trust phases 2-5**. ### 1. Features of the Audit Script - **Assesses repository structure** to ensure an empty, constrained_Inception Commit_ (Phase 2: Wholeness). - **Authenticates cryptographic SSH signatures** for commit integrity (Phase 3: Proofs). - **Affirms committer identity using key fingerprints** (Phase 4: References). - **Audits repository compliance** with Open Integrity and GitHub standards (Phase 5: Requirements). - **Generates a detailed audit report** summarizing all verifications and findings. ## Running the Audit Script ### **1. Prerequisites** Before running the audit script, ensure you have: - **Git installed**: Required to inspect and verify commit history. - **An SSH key configured for signing**: The audit script verifies commit signatures. - **GitHub CLI (`gh`) installed and authenticated with GitHub**: Used for GitHub-specific compliance checks. ### 2. Running the Audit ```sh ./audit_inception_commit-POC.sh --verbose ``` The `--verbose` flag provides **detailed output** of each verification step. To **run a quiet audit** (minimal output): ```sh ./audit_inception_commit-POC.sh --quiet ``` To **prompt for GitHub compliance checks**: ```sh ./audit_inception_commit-POC.sh --interactive ``` ### 3. Example Audit Report ``` ./audit_inception_commit-POC.sh --verbose Inception Commit Audit Report 🔍 Evaluating overall inception commit compliance with standards... 📌 Wholeness Assessment: (Progressive Trust Phase 2) 📌 Assessing repository structure... 📄 Found inception commit a3306efcb768baa6f414409b6b3575914986c8a6 ✅ Repository Structure: Inception commit found 📌 Validating commit content... 📄 Tree hash matches empty commit requirements ✅ Content Validation: Commit is empty as required 📌 Validating message format... 📄 Found required initialization message and sign-off ✅ Format Validation: Commit message meets requirements 🔍 Cryptographic Proofs: (Progressive Trust Phase 3) 📌 Authenticating SSH signature... 📄 Signature authenticated against public key ✅ SSH Signature: Verified 🔍 Trust References: (Progressive Trust Phase 4) 📌 Affirming identity references... 📄 Extracting key fingerprint... 📄 Matched committer name to fingerprint ✅ Identity Check: Committer matches key fingerprint 🌐 Community Standards: (Progressive Trust Phase 5) 🌐 GitHub-specific compliance check available ❓ Check compliance with GitHub standards (opens GitHub page)? [y/N]: [N]: 📄 GitHub standards compliance URL available for review: https://github.com/BlockchainCommons/open_integrity-git_inception_pocs/commit/a3306efcb768baa6f414409b6b3575914986c8a6 🎯 Audit Complete: Local git repo is in compliance with Open Integrity specifications. ``` ## Audit Script Options The script supports additional options for flexibility: | **Option** | **Description** | |-----------------------|--------------------------------| | `--verbose` | Show detailed audit logs | | `--quiet` | Suppress most output, only show pass/fail summary | | `--interactive` | Prompt user for GitHub compliance check | | `--help` | Display script usage instructions | ## Interpreting Audit Results - ✅ **Pass**: The repository meets all criteria for an Open Integrity Inception Commit. - ❌ **Fail**: Issues were detected in **commit structure, cryptographic signatures, identity references, or compliance**. - ⚠️ **Warnings**: Potential configuration issues that do not immediately compromise trust. To investigate failures, re-run the script with `--verbose` for full diagnostic details. ## Next Steps After an Audit 1. **If the audit passes** ✅: - Your repository is compliant with **Open Integrity standards**. - You can **publish and distribute** repositories derived _Inception Commit_ with confidence. 2. **If the audit fails** ❌: - Review the **failed checks** and re-run the script with `--verbose`. - Ensure your commit is **signed with the correct SSH key**. - Confirm that **GitHub recognizes the signing key** if applicable. 3. **If compliance warnings appear** ⚠️: - Check the **audit report details** for recommendations. - Address configuration issues **before making additional commits**. ## Roadmap: Advancing the Vision The following roadmap outlines the planned enhancements and vision for this proof-of-concept, focusing on validation, adoption, and integration into decentralized identity systems. ### **Short-Term Goals** #### **1. Commit Assessment & Audit Scripts** - Develop scripts to **assess commit structure and signers** against configurations in `./.repo/config/verification/allowed_commit_signers`, including: - Add or remove signers (including the Inception Signing Key). - Support multiple authorized signing keys for a single authorized commit signer. - Support multiple authorized commit signers. - Create tools to **audit commit history** for adherence to governance policies and structured trust models. - Test assessment and audit scripts across multiple platforms, such as GitHub, GitLab, and peer-to-peer Git systems. - Ensure compatibility with platform-specific authentication mechanisms. - Detect and prevent trust regressions in new commits, particularly when Git repositories are forked. #### **2. Creation & Configuration Tools** - Provide tooling to: - Initialize repositories with a valid **_Inception Commit_**. - Manage commit signers (adding, removing, modifying trusted keys). - Enforce audit checks before merging branches and forks. - Implement scheduled key rotation mechanisms. - Develop scripts to assist in **configuring a secure Git and SSH signing environment**. - Detect existing SSH keys and recommend best practices for key separation. - Add support for hardware-based signing (e.g., macOS Keychain, FIDO/YubiKey, TPM). #### **3. Tag and Binary Release Signing** - Support distinct SSH key sets in `./.repo/config/verification/`: - **`allowed_tag_signers`** → Authorizes SSH keys for tagging commits. - **`allowed_release_signers`** → Permits detached SSH signatures for binary releases. - Implement automated **proof-of-integrity reports** for software binaries. - **Ensure deterministic build signing**, enforcing consistent build hashes for reproducibility. ### **Medium-Term Goals** #### **1. Trust Affirmation & Key Reputation** - **Assess SSH signing keys** against those registered publicly on multiple platforms, such as GitHub and GitLab. - **Investigate decentralized mechanisms for trust affirmation**, including peer-to-peer key exchange (aka "web of trust"). - **Explore key reputation models**, evaluating: - Endorsements from trusted signers. - Historical integrity and usage patterns of the signing key. - **Automate key reputation analysis**: - Fetch and cross-reference trust scores (e.g., number of commits signed, endorsements). - Detect inconsistent signers (e.g., multiple keys with conflicting trust levels). - **Support threshold-based trust affirmation**, requiring multiple endorsements before a key is fully trusted. #### **2. Standardized `.repo` Folder** - Define a structured format for the `.repo` folder to organize: - Configuration files. - Governance rules (e.g., `allowed_commit_signers`). - Audit scripts and Git hooks. - **DRAFT Reference:** [Git Repo Directory Structure](./git_repo_directory_structure.md). #### **3. Git Extensibility** - Develop a standard set of Git aliases, such as: ```sh git config --global alias.inception.commit "!git rev-list --max-parents=0 HEAD" ``` - Extend Git with plugins and CLI enhancements that allow additional functionality. - Implement `git inception` as a trust-aware alternative to `git init`. - Introduce `git inception --audit HEAD` to assess trust across all commits in the repository. #### **4. Git Hooks** - Create platform-agnostic Git hooks to enforce governance policies: - Pre-commit hooks for affirming SSH signatures. - Pre-receive and update hooks for assessing commit policies before accepting changes. - Leverage additional capabilities of platform-specific functionality, such as GitHub Actions. - Integrate with CI/CD workflows to automate **trust assessment before deployment**. #### **5. Repository Resilience & Recovery** - **Distributed Archival Mechanisms**: - Ensure repositories can be reconstructed from **Inception Commits**, even if hosting platforms fail. - Integrate repository backup options with **IPFS, Bittorrent, or decentralized storage**. - **Emergency Key Recovery Options**: - Support **SSKR-based threshold secret sharing**, social key recovery, and offline SSH key backups. - Establish **failsafe key rotation** procedures for lost or compromised trusted keys. - Document and **automate secure key revocation workflows**. ### **Long-Term Goals** #### **1. Personal Roots of Trust** - Extend **Open Integrity Inception Commits** to personal Git repositories as **decentralized roots of trust** for software developers. - **Enable peer-to-peer key affirmation** through personal Git repositories, supporting decentralized attestations and trust models. - **Investigate secure key distribution mechanisms**, including: - Leveraging **Bittorrent’s Mainline Distributed Hash Table (DHT)** for distributing mutable identity controller documents securely and efficiently. - Supporting **Ed25519 keys** for cryptographic signing in **DHT-based and SSH trust models**. #### **2. W3C DID Standards** - **Integrate Git repositories with Decentralized Identifiers (DIDs)**: - Investigate integrating **SSH keys** into the **W3C DID 1.1 specification** as an authentication method. - Develop the `did:repo` method specification and pursue formal registration. - Demonstrate how **DID Controller Documents** can be derived from **Git repository commit history**, reinforcing the link between cryptographic roots of trust and decentralized identity models. - Collaborate with **DID resolvers** to enable support for `did:repo`-based identifiers. #### **3. Broader Adoption** - **Publish educational resources and real-world use cases** to encourage adoption by open-source projects and enterprises. - **Demonstrate the role of cryptographic roots of trust** in strengthening **software provenance, governance models, and integrity**. - **Promote industry-wide adoption of decentralized trust models**, encouraging software maintainers and organizations to adopt **Progressive Trust** for repository management. #### **4. Trust Manifest Files** - **Investigate and define standardized cryptographic trust manifests** (e.g., `repo-trust-manifest.env`) to support: - **Elidable privacy mechanisms** for sensitive commit operations, allowing selective disclosure of authorized keys. - **Governance models for multi-party authorization**, including: - Privacy-preserving cryptographic techniques (e.g., **MPC threshold protocols like FROST**). - Multi-signer repository models that enforce **progressive delegation of trust**. - **Structured audit trails for repository security**, ensuring transparency while preserving contributor privacy. ## License & Copyright Unless otherwise noted (either in this `/README.md` or in the file's header comments) the contents of this repository are Copyright ©2025 by Blockchain Commons, LLC, and are licensed under the BSD-2-Clause Plus Patent License. For full licensing details, see: [LICENSE](https://spdx.org/licenses/BSD-2-Clause-Patent.html). In most cases, the authors, copyright, and license for each file reside in header comments in the source code. When it does not, we have attempted to attribute it accurately in the **Credits and Contributor** section below. ## Version & Project Status ### Version 0.1.00 _(Last Updated: 2024-01-30)_ **Early Research 📙 & Proof-of-Concept:** This is the **initial pre-release** of the **_Open Integrity Project’s_** **Git Inception Proof-of-Concept**, marking its first publicly available version. See [Blockchain Commons' Development Phases](https://github.com/BlockchainCommons/Community/blob/master/release-path.md) for more details on project status levels. #### Release Scope - Establishes **Inception Commits** as a cryptographic root of trust. - Defines initial **trust models** based on **Progressive Trust Lifecycle**. - Introduces **potential governance structures** for trusted commit signers. - Provides **early-stage scripts** for: - **Commit structure assessment**. - **Signer affirmation**. - **Repository audit mechanisms**. - Includes **Proof-of-Concept code** that does not yet meet our standards for reference code. - Offers **exploratory research** for **community review and feedback**. #### Stability & Expectations - **Not production-ready** – This is an experimental release. - **Major breaking changes expected** before reaching **1.0.0 stable**. - Seeking **community feedback, testing, and collaboration** to refine: - Concept. - Audit mechanisms. - Trust models. - Repository governance structures. ## Credits and Contributors The following people directly contributed to this repository. | Name | Role | Github | Email | GPG Fingerprint | | ----------------- | ------------------- | ------------------------------------------------- | ------------------------------------- | -------------------------------------------------- | | Christopher Allen | Principal Architect | [@ChristopherA](https://github.com/ChristopherA) | \<ChristopherA@LifeWithAlacrity.com\> | FDFE 14A5 4ECB 30FC 5D22 74EF F8D3 6C91 3574 05ED | You can add your name to these credits by getting involved. The first step is learning how to contribute from our [CONTRIBUTING.md](./CONTRIBUTING.md) documentation. We invite the open-source community to collaborate — share ideas for improvement, contribute tools or scripts, and help sustain this vision through financial support. 1. **Suggestions**: - Share ideas for improving the proof-of-concept or extending its applications. 2. **Code Contributions**: - Develop scripts, hooks, or tools that align with this vision. If this resonates with you, consider collaborating with us by contributing code, sharing feedback, or sponsoring Blockchain Commons. ## Other Questions & Problems As an open-source, open-development community, Blockchain Commons does not have the resources to provide direct support of our projects. Please consider our [Discussions](https://github.com/orgs/BlockchainCommons/discussions) area on Github as a locale where you might get answers to questions from our developer community. Alternatively, please use this repository's [issues](https://github.com/BlockchainCommons/open_integrity-git_inception_pocs/issues) feature. Unfortunately, we can not make any promises on response time. If your company requires support to use our projects, please feel free to contact us directly about options. We may be able to offer you a direct contract for support, or from one of our contributors, or we might be able to point you to another entity who can offer the contractual support that you need. ## Sponsor the _Open Integrity Project_ Blockchain Commons advocates for open, interoperable, secure, and compassionate digital infrastructure to enable individuals to control their digital destiny. You can support us financially via the [GitHub Sponsor Page](https://github.com/sponsors/BlockchainCommons) or by making a one-time donation. This is more than a transaction--supporting Blockchain Commons means joining a movement to advance digital civil liberties and human rights, foster the open web, and empower individuals with secure, human-centered digital tools. By joining us, you become part of a network advocating for the commons and can contribute to shaping the future. ## Responsible Disclosure We want to keep all of our software safe for everyone. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner. We are unfortunately not able to offer bug bounties at this time. We do ask that you offer us good faith and use best efforts not to leak information or harm any user, their data, or our developer community. Please give us a reasonable amount of time to fix the issue before you publish it. Do not defraud our users or us in the process of discovery. We promise not to bring legal action against researchers who point out a problem provided they do their best to follow the these guidelines. ### Reporting a Vulnerability Please report suspected security vulnerabilities in private via email to team@BlockchainCommons.com (do not use this email for support). Please do NOT create publicly viewable issues for suspected security vulnerabilities. The following keys may be used to communicate sensitive information to developers: | Name | Email | Fingerprint | | ----------------- | ------------------------------------- | ---------------------------------------------------| | Christopher Allen | \<ChristopherA@LifeWithAlacrity.com\> | FDFE 14A5 4ECB 30FC 5D22 74EF F8D3 6C91 3574 05ED | You can import a key by running the following command with that individual’s fingerprint: `gpg --recv-keys "<fingerprint>"` Ensure that you put quotes around fingerprints that contain spaces. ## Contact Details - Christopher Allen - Email: [ChristopherA@LifeWithAlacrity.com](mailto:ChristopherA@LifeWithAlacrity.com) - GitHub: [@ChristopherA](https://github.com/ChristopherA) - Twitter: [@ChristopherA](https://twitter.com/ChristopherA) - Bluesky: [@ChristopherA](https://bsky.app/profile/christophera.bsky.social) - Professional Blog: [Life With Alacrity](https://www.LifeWithAlacrity.com) - Blockchain Commons LLC - Email: [support@BlockchainCommons.com](mailto:support@BlockchainCommons.com) - [Main Website](https://www.BlockchainCommons.com) - [Developer Website](https://developer.BlockchainCommons.com) - [GitHub Community](https://github.com/BlockchainCommons) --- --- # **Open Integrity: Cryptographic Trust for Open Software Development** # **Open Integrity: Establishing a Cryptographic Root of Trust in Git Repositories** ## **Introduction** Software today is built on **trust**, but trust without verification is fragile. Who wrote this code? Has it been altered? Can I prove its authenticity years from now? Traditional Git workflows assume a level of good faith, but they don’t prevent **history tampering, unauthorized modifications, or signer impersonation**. Git allows users to **freely set commit authorship**, which means that: - **Commits can be forged**, with no cryptographic proof that the stated author actually made the change. - **Unsigned commits can be merged into repositories**, breaking the integrity of otherwise verified repositories. - **Feature branches can be deleted after merging**, erasing cryptographic proof that commits were originally signed. - **Rewrite attacks** allow history to be modified or deleted without detection. The **Open Integrity Project** solves these problems by enforcing **progressive cryptographic trust** in Git repositories, ensuring that: 1. **Every commit is signed, and every signer is verified.** 2. **Only authorized contributors can sign commits.** 3. **Commit history remains tamper-evident and auditable.** 4. **Cryptographic trust remains decentralized and independent of GitHub, GitLab, or other hosting providers.** By combining **SSH-signed commits, progressive trust expansion, and cryptographic governance**, Open Integrity ensures that **repository history remains verifiable—forever**. ## **The Inception Commit: A Cryptographic Root of Trust** A repository’s **first commit matters**. It sets the foundation for everything that follows. In Open Integrity, the first commit—**the Inception Commit**—acts as a **cryptographic root of trust**. - It’s an **empty commit** (`git commit --allow-empty`)—ensuring a deterministic hash. - It’s **signed by the repository’s first trusted key**, creating a **verifiable origin**. - It’s **tamper-resistant**—if history is rewritten, it’s immediately detectable. **Example Output:** 🔹 Commit: #a3306ef [🏁 Inception Commit] (Signed ✅) ├─ Message: "Initialize repository and establish a SHA-1 root of trust" ├─ Signed by: @a61TkTtL... (Alice using Device 1 <alice@example.com>) This commit **ensures that every future commit builds on a secure, verifiable foundation**. ## **Expanding Trust: Adding Authorized Signers** A repository created with Open Integrity starts with **only one authorized signer**. However, most projects require multiple contributors. Open Integrity enables **controlled, auditable trust expansion** by allowing **authorized committers to delegate signing authority**. ### **Adding a Second Device for the Same User** Alice knows that a single key isn’t enough. Maybe she develops on both a laptop and a desktop. Instead of **reusing one SSH key across devices**, she adds a second **device-specific key** for security. **Example Output:** 🔹 Commit: #b24d9c1 [🔑 New Allowed Commit Signers File] (Signed ✅) ├─ Message: "Added second device key for Alice" ├─ Signed by: @a61TkTtL... (Alice using Device 1 <alice@example.com>) ├─ New Authorized Signers: - @a61TkTtL... (Alice using Device 1 <alice@example.com>) - @f84PmWnY... (Alice using Device 2 <alice@example.com>) At this point, **Alice can sign commits from either of her devices**, but no one else is authorized yet. ### **Adding Additional Trusted Contributors** Alice now wants to bring in **Bob and Charlie** as trusted contributors. Open Integrity allows her to do this **securely and transparently**. **Example Output:** 🔹 Commit: #f75e3b9 [🔑 Added Bob and Charlie as Signers] (Signed ✅) ├─ Message: "Added Bob and Charlie to allowed commit signers" ├─ Signed by: @a61TkTtL... (Alice using Device 1 <alice@example.com>) ├─ New Authorized Signers: - @a61TkTtL... (Alice using Device 1 <alice@example.com>) - @b73RkKpQ... (Bob using Work Laptop <bob@example.com>) - @c58XmWpL... (Charlie using Home PC <charlie@example.com>) Bob and Charlie can now **contribute while maintaining cryptographic accountability**. ## **Key Rotation: Removing a Compromised or Unused Key** Over time, trusted keys may need to be **removed, rotated, or revoked**. Open Integrity ensures that this process happens **in a structured, transparent way**. **Example Output:** 🔹 Commit: #c3d7f12 [🔄 Key Rotation: Removed Alice’s Second Device] (Signed ✅) ├─ Message: "Revoked second device key" ├─ Signed by: @a61TkTtL... (Alice using Device 1 <alice@example.com>) ├─ 🗑️ Alice’s second device key (@f84PmWnY...) is no longer authorized. If an unauthorized user attempts to commit with a revoked key: 🔹 Commit: #e9a1b78 [❌ Invalid Signature - Not Authorized!] ├─ Message: "Fix security vulnerability" ├─ Signed by: @f84PmWnY... (Alice using Device 2 <alice@example.com>) ├─ 🚨 ERROR: Commit was signed using a previously revoked key! By **removing unauthorized signers in a structured way**, Open Integrity prevents **key compromise attacks**. ## **Merge Commit Verification: Ensuring Authorship Integrity** Merging branches can introduce uncertainty. Did the original author sign off? Was the commit modified? Open Integrity ensures that **original authorship remains verifiable**. **Example Output:** ``` 🔹 Commit: #fa34d76 [🔀 Merge Commit with Verified Author] (Signed ✅) ├─ Message: "Merge feature-branch: Added authentication layer" ├─ Signed by: @c58XmWpL... (Charlie using Home PC <charlie@example.com>) ├─ Original Author: @e83TkLqM... (Eve using Dev Machine <eve@example.com>) ├─ Author Signature Verified From: ./config/verification/author_signatures If an **author’s signature is lost**, Open Integrity **flags it, ensuring transparency**. 🔹 Commit: #g61x3p4 [⚠️ Merge Commit with Lost Author Signature] ├─ Message: "Merge feature-branch: Database optimization" ├─ Signed by: @b73RkKpQ... (Bob using Work Laptop <bob@example.com>) ├─ Original Author: @e83TkLqM... (Eve using Dev Machine <eve@example.com>) ├─ ⚠️ WARNING: Original commit signature could not be found (likely due to squash/rebase) ``` #### In Summary ``` # Commit Signed By Status Message Special Event ---------------------------------------------------------------------------------------------------- 0 #a3306ef @a61TkTtL... ✅ Initialize repository... 🏁 Inception Commit 1 #d74f9b2 @a61TkTtL... ✅ Fix typo in README 2 #b24d9c1 @a61TkTtL... ✅ Initial allowed_commit... 🔑 New Allowed Commit Signers File 3 #f75e3b9 @b73RkKpQ... ✅ Refactor logging system 4 #c3d7f12 @c58XmWpL... ✅ Rotate out Alice from... 🔄 Key Rotation (🗑️ Removed Alice) 5 #e9a1b78 @a61TkTtL... ❌ Fix security vulnerab... 🚨 Unauthorized Signature 6 #fa34d76 @c58XmWpL... ✅ Merge feature-branch... 🔀 Verified Author (✔️) 7 #g61x3p4 @b73RkKpQ... ⚠️ Merge feature-branch... ⚠️ Lost Author Signature ✅ **Total Commits Checked:** 8 ✅ **Commits with Valid Signatures:** 6 ❌ **Commits with Unauthorized Signers:** 1 🔄 **Key Rotation Events:** 1 (Alice removed) 🔀 **Merge Commits with Verified Authors:** 1 ⚠️ **Merge Commits with Lost Author Signatures:** 1 ``` Open Integrity ensures **every commit is signed, verifiable, and tamper-resistant—forever**. === # Open Integrity: Cryptographic Trust for Git Repositories ## The Core Challenge Git is a powerful **distributed version control system**, but its default configuration lacks **cryptographic enforcement of commit authenticity, history integrity, and repository provenance**. While Git efficiently tracks changes, it does not provide built-in mechanisms to prevent **forged authorship, unauthorized modifications, or tampering with repository history**. Without cryptographic trust, repositories face several risks: - **Commit authorship can be forged.** Any user can configure Git with a fake name and email, making it appear as though someone else authored a commit. - **Unsigned commits provide no cryptographic proof of origin.** Git does not enforce commit signing, meaning anyone can claim authorship without cryptographic verification. - **Unsigned commits can be merged into signed repositories.** Even if a repository enforces commit signing, unsigned commits can still be merged without triggering a verification failure. - **Commit history can be rewritten.** Unless explicitly protected, Git allows history to be altered or deleted, making it possible for attackers—or even well-intentioned users—to modify past commits without detection. - **Feature branches may be deleted after merging.** Once a branch is merged and deleted, it may be impossible to verify whether the original commits were properly signed before merging. These weaknesses make it difficult to **verify the trustworthiness of a repository over time**, impacting both open-source projects and enterprise software development. ## The Minimal Viable Architecture (MVA) ### Establishing the Root of Trust A Git repository's **first commit** is a critical **trust anchor**, yet Git does not require it to be **signed or immutable**. This creates vulnerabilities such as: - **Unsigned first commits allow repository forgery.** Without a cryptographic signature, anyone can create a repository and claim it as authoritative. - **No built-in method to verify repository origin.** If a repository is cloned and altered, there is no cryptographic link to its original creator. - **First commits can be rewritten.** An attacker can modify a repository's history, effectively changing its origin without detection. Open Integrity introduces the **Inception Commit** pattern that leverages Git's native capabilities: # Create and sign the Inception Commit git init git config user.signingkey "$(ssh-keygen -lf ~/.ssh/id_ed25519 | awk '{print $2}')" git commit --allow-empty -S -m "Initialize repository and establish a SHA-1 root of trust" The Inception Commit establishes an immutable foundation: 🔹 Commit: #a3306ef [🏁 Inception Commit] (Signed ✅) ├─ Message: "Initialize repository and establish a SHA-1 root of trust" ├─ Signed by: @a61TkTtL... (Alice using Device 1) ├─ Timestamp: 2024-02-12T14:30:00Z By establishing an **immutable, cryptographically signed origin**, this commit ensures that all future commits build upon a secure and verifiable foundation. ### Governance for Trusted Commit Signers Git does not natively track **who is authorized to sign commits**, leading to these risks: - **Any developer with push access can commit, regardless of trust status.** - **There is no built-in way to enforce commit signer governance.** - **Compromised keys can continue to sign commits indefinitely.** - **Git does not provide an auditable way to delegate or revoke commit signing permissions.** To mitigate these issues, Open Integrity introduces an **Allowed Commit Signers File**, defining **who is authorized to sign commits**: # Configure allowed signers verification git config --local trusted.ssh.allowedSignersFile .github/allowed_signers # Install pre-receive hook for validation cat > .git/hooks/pre-receive <<'EOF' #!/bin/sh while read oldrev newrev refname; do verify_authorized_signer $newrev done EOF The Allowed Signers file establishes the trust hierarchy: 🔹 Commit: #b24d9c1 [🔑 New Allowed Commit Signers File] (Signed ✅) ├─ Message: "Added second device key for Alice" ├─ Signed by: @a61TkTtL... (Alice using Device 1) ├─ New Authorized Signers: - @a61TkTtL... (Alice using Device 1) - @f84PmWnY... (Alice using Device 2) ### Key Rotation and Trust Revocation Git does not provide a way to **manage key expiration or revocation**, creating risks such as: - **A compromised SSH key remains valid indefinitely.** - **Old keys remain trusted unless manually removed.** - **Revoked keys are not automatically rejected by Git.** - **If a key is revoked, Git does not automatically reject future commits signed by it.** Open Integrity enforces **structured key rotation** using Git's native timestamping and notes features: # Record key authorization with timestamp git notes --ref=key-history add -m "Authorized: $(date -u +"%Y-%m-%dT%H:%M:%SZ") $keyid" When a key is revoked: 🔹 Commit: #c3d7f12 [🔄 Key Rotation: Removed Alice's Second Device] (Signed ✅) ├─ Message: "Revoked second device key" ├─ Signed by: @a61TkTtL... (Alice using Device 1) ├─ 🗑️ Alice's second device key (@f84PmWnY...) is no longer authorized. If someone attempts to use a revoked key: 🔹 Commit: #e9a1b78 [❌ Invalid Signature - Not Authorized!] ├─ Message: "Fix security vulnerability" ├─ Signed by: @f84PmWnY... (Alice using Device 2) ├─ 🚨 ERROR: Commit was signed using a previously revoked key! ### Merge Process Verification Git does not validate whether the **original commits in a merged branch were properly signed**. This creates multiple risks: - **Unsigned commits can be merged into an otherwise signed repository.** - **Feature branches may be deleted after merging, erasing verification records.** - **Squash and rebase merges strip commit signatures, losing authorship proof.** Open Integrity preserves signature chains through merges: # During merge, verify and preserve signatures git merge feature-branch --verify-signatures git notes --ref=signatures add -m "$(git verify-commit HEAD)" $commit Merges maintain full verification records: 🔹 Commit: #fa34d76 [🔀 Merge Commit with Verified Author] (Signed ✅) ├─ Signed by: @c58XmWpL... (Charlie) ├─ Original Author: @e83TkLqM... (Eve) ├─ Author Signature Verified From: ./config/verification/author_signatures If signatures are lost in a squash/rebase: 🔹 Commit: #g61x3p4 [⚠️ Merge Commit with Lost Author Signature] ├─ Signed by: @b73RkKpQ... (Bob) ├─ Original Author: @e83TkLqM... (Eve) ├─ ⚠️ WARNING: Original commit signature could not be found (likely due to squash/rebase) ## Future Opportunities While the **Minimal Viable Architecture (MVA)** of Open Integrity secures commit authenticity, signer governance, key rotation, and repository provenance, additional opportunities can further strengthen resilience, governance, and decentralized trust. ### Multi-Source Key Authentication Currently, Open Integrity relies on manually maintained lists of authorized signing keys, but this model does not account for broader authentication sources. There is no **distributed way to verify commit signers across multiple independent trust networks**. To expand trust verification, Open Integrity could integrate **multi-source key authentication**: - Keys could be **verified against multiple sources**, including: - **GitHub's authorized signing keys API** - **Peer-to-peer key exchanges (web of trust)** - **Decentralized identity systems** - **Other Open Integrity repositories** - This approach would enable **cross-repository trust validation**, allowing repositories to independently verify commit signers without relying on a single source. ### Repository Resilience Git repositories are tied to hosting providers like GitHub or GitLab. If a repository is removed, censored, or lost due to platform failure, it may become inaccessible. There is no built-in way to ensure repositories remain available and cryptographically verifiable over time. To prevent this, Open Integrity could introduce **decentralized archival mechanisms**: - Repositories could be stored on **IPFS, Bittorrent, or blockchain-based storage** to ensure long-term resilience - **Cryptographic fingerprints** could allow repositories to be reassembled and independently verified, even if they are relocated or cloned - Automated **backup scripts** could periodically push repositories to decentralized networks ### Personal Developer Trust Roots While Open Integrity ensures cryptographic trust within a repository, individual developers have no way to **cryptographically prove authorship across multiple repositories**. Git lacks a native mechanism for asserting a developer's contributions across different projects. To address this, Open Integrity could establish **personal cryptographic roots of trust**: - Developers could generate a **signed root of trust**, enabling them to prove authorship across repositories - **Cross-repository attestations** could link a developer's past work to their identity in a verifiable way - **Peer-to-peer key affirmation** could allow developers to cryptographically endorse each other's identities, creating a decentralized web of trust ### Repository Identity Standards Git repositories are identified only by **commit hashes**, but: - **Repositories can be cloned, modified, and re-uploaded under a different name** - **There is no cryptographic fingerprint linking a repository to its original creator** - **Two different repositories can share the same commit history if they originated from the same base commits** Open Integrity could introduce **`did:repo` identifiers** to solve this problem: - Repositories could be linked to **Decentralized Identifiers (DIDs)**, ensuring they remain verifiable outside of hosting platforms - A **DID Controller Document** could provide a cryptographic record of ownership and governance - Repository verification could become **self-sovereign**, independent of any single hosting provider ### Independent Auditing Capabilities While Git is decentralized, most verification processes depend on **platform-specific tools like GitHub or GitLab**: - **These platforms display commit signatures, but do not enforce them** - **If a repository is moved, verification data may be lost** - **There is no decentralized method for verifying a repository's trust status** Open Integrity ensures: - **Repositories remain cryptographically verifiable, even if moved to a new platform** - **Verification does not depend on a centralized entity** - **Independent audits can confirm repository authenticity** ## Conclusion Open Integrity establishes cryptographic trust in Git repositories by securing **commit authenticity, key governance, and repository provenance**. As adoption grows, additional advancements—**multi-source key verification, decentralized archival, personal trust attestations, DID integration, and trust manifest files**—can further transform Open Integrity into a **self-sovereign, platform-independent trust framework** for verifiable software provenance.