# 2025-11-12 Update

## What's New?

### `envelope` tool: Make envelope XID document self-signed by default

I decided not to do it "by default" because for many purposes you don't want to sign it every time; you just want to sign it once before sending it (probably in the same operation where you advance the provenance mark, see below).

As the signing functions evolve they will more flexibly choose the key to use for signing or verification. Recall that only keys *authorized* to sign revisions to a XID document should be allowed to verify against the document, and to do this correctly the history of XID document revisions needs to be available via some mechanism so the provenance of such permission delegations can be determined. For now the functionality of signing and verifying against the inception key is useful (since the inception key must always be bound to the XID identifier) and sufficient for teaching about basic signing and verification.

#### Updated documentation

See [Working with Signed XID Documents](https://github.com/BlockchainCommons/bc-envelope-cli-rust/blob/master/docs/XID.md#working-with-signed-xid-documents) for updated documentation on signing and verifying XID documents, including examples.

#### Signing XID documents

- `envelope xid` commands that read or write XID documents now have `--sign <option>` with `none` (default) or `inception` as possible values.
- Using `--sign inception` causes the output envelope to bear the signature of the inception key, which must be in a `key` assertion in the XID document.
- Alternatively the output XID document can be signed with any key: `--signing-key <key>` can be provided as a `ur:crypto-prvkeys` or a `ur:signing-private-key`. (NOTE: I consider this to be an experimental feature, and it may change.
  I don't recommend using it for now, sticking to signing and verifying with the inception key only.)
- If the signing private key is encrypted, then the usual password options (e.g., `--encrypt-password`) must be used to successfully sign.

#### Verifying XID documents

- `envelope xid` commands that read XID documents now have a `--verify <option>` with `none` (default) or `inception` as possible values.
- Using `--verify none` (the default) will successfully read any XID document, ignoring its signature if any.
- Using `--verify inception` will verify the XID document's signature against the document's inception key, which must be in a `key` assertion in the XID document.

#### Future work

Right now the signing and verification options are bound to functions that read and write XID documents. There should probably also be `xid sign` and `xid verify` commands that *only* sign or verify a XID document.

### `envelope` tool: Provide way to advance XID document provenance mark using embedded or externally-provided generator

The new `xid provenance` subcommand provides two new functions:

- `xid provenance get` extracts the embedded provenance mark (if any) and returns it as a `ur:provenance/...`.
- `xid provenance next` reads a XID document, uses the embedded generator to generate the next mark, and updates the mark.
  - Supports the same decryption and re-encryption options you use with other commands to keep private keys and the generator encrypted within the XID document at rest.

See [XID Documents: Working with Provenance Marks](https://github.com/BlockchainCommons/bc-envelope-cli-rust/blob/master/docs/XID.md#working-with-provenance-marks) for documentation including examples.

#### Future Work

Currently `xid provenance next` has a `--generator <envelope>` option to provide an external generator, but this is an experimental feature. There isn't currently a good way to create or extract such generators independently.
Right now advancing the provenance mark using the embedded generator is the supported path.

### `provenance` tool: Afford validation series provenance marks in various forms

The `provenance` tool now has a flexible `validate` command that takes (or extracts) a series of provenance marks and produces a report as to whether they are valid:

- Whether the genesis mark is present.
- How many different chains are present in the provided marks.
- Whether any gaps exist in any of the provided chains.
- Whether any other validation issues exist, such as dates of successive marks decreasing, or the hash of a preceding mark not being reproducible with the key of the following mark.
- Generally, no output means complete success: a single chain from genesis mark, with no other issues.

The input formats of the marks are flexible:

- You can just provide them as arguments on the command line (they do not have to be in sequence number order):
  ```
  provenance validate ur:provenance/... ur:provenance... ...
  ```
- You can provide the `--dir <dir>` option, in which case the tool will walk a directory in the format used by `provenance new` and `provenance next`, extract all the available provenance marks from within the `mark-*.json` files and validate them.
- You can also provide *any* envelope-based UR that has a `'provenance': ProvenanceMark` assertion. This includes XID documents in the `ur:xid/...` format:
  ```
  provenance validate ur:xid/... ur:xid/...
  ```
- Again: this works for *any* UR where the contained CBOR is an envelope (including `ur:envelope/...`) and the envelope contains a `'provenance': ProvenanceMark` assertion.
- If the validation report returns any issues, the `validate` command will exit with a non-zero exit code indicating an error, unless the optional `--warn` flag is provided, in which case the `validate` operation will output the report and succeed.
- A `--format <format>` option is provided with three possible values: `text` (the default), `json-compact`, and `json-pretty`. The JSON formats output the entire report structure, even for empty "uninteresting" reports, for the purpose of further machine processing.

For more documentation and examples, see [Validating Marks](https://github.com/BlockchainCommons/provenance-mark-cli-rust?tab=readme-ov-file#validating-marks) in the `provenance-mark-cli` repo `README`.

#### Future work

- More flexible ways to extract and use generators independent of the directory structure.

## Featured Releases: November 12, 2025

### bc-envelope-cli 0.27.0 - November 12, 2025

- Add XID provenance mark support (`xid provenance get` and `xid provenance next` commands).
- Add XID signing and verification support (`--sign` and `--verify` options).
- Update XID documentation.
- Align to dependencies.
- [Crates.io](https://crates.io/crates/bc-envelope-cli/0.27.0)
- [GitHub](https://github.com/BlockchainCommons/bc-envelope-cli-rust)

### provenance-mark-cli 0.6.0 - November 12, 2025

- Add validate subcommand for validating provenance mark chains.
- Add `--quiet` and `--format` options to next subcommand.
- Update documentation.
- Align to dependencies.
- [Crates.io](https://crates.io/crates/provenance-mark-cli/0.6.0)
- [GitHub](https://github.com/BlockchainCommons/provenance-mark-cli-rust)

### hubert 0.3.0 - November 12, 2025

- Move `--storage`, `--host`, and `--port` options from global to Put/Get/Check commands.
- Align to dependencies.
- Format.
- [Crates.io](https://crates.io/crates/hubert/0.3.0)
- [GitHub](https://github.com/BlockchainCommons/hubert-rust)

### bc-xid 0.16.0 - November 12, 2025

- Align to dependencies.
- Format.
- Add provenance mark advancement methods.
- Rename and consolidate signing and encryption options.
- Add signature verification support.
- [Crates.io](https://crates.io/crates/bc-xid/0.16.0)
- [GitHub](https://github.com/BlockchainCommons/bc-xid-rust)

### provenance-mark 0.16.0 - November 12, 2025

- Add validation tools module with new public types.
- Make `crypto_utils` and `date` modules public.
- Move tests to separate folder.
- Align to dependencies.
- [Crates.io](https://crates.io/crates/provenance-mark/0.16.0)
- [GitHub](https://github.com/BlockchainCommons/provenance-mark-rust)

## Other Releases

### gstp 0.11.0 - November 12, 2025

- Update to bc-xid 0.16.0 API.
- Align to dependencies.
- Format.
- [Crates.io](https://crates.io/crates/gstp/0.11.0)
- [GitHub](https://github.com/BlockchainCommons/gstp-rust)

### dcbor-cli 0.14.0 - November 12, 2025

- Align to dependencies.
- [Crates.io](https://crates.io/crates/dcbor-cli/0.14.0)
- [GitHub](https://github.com/BlockchainCommons/bc-dcbor-cli)

### bc-envelope-pattern 0.8.0 - November 12, 2025

- Align to dependencies.
- Format.
- [Crates.io](https://crates.io/crates/bc-envelope-pattern/0.8.0)
- [GitHub](https://github.com/BlockchainCommons/bc-envelope-pattern-rust)

### dcbor-pattern 0.7.0 - November 12, 2025

- Update dependencies.
- Modernize code to use let-chains.
- Replace modulo operation with `is_multiple_of` method.
- [Crates.io](https://crates.io/crates/dcbor-pattern/0.7.0)
- [GitHub](https://github.com/BlockchainCommons/bc-dcbor-pattern-rust)

### dcbor-parse 0.7.0 - November 12, 2025

- Align to dependencies.
- Use `is_multiple_of`.
- [Crates.io](https://crates.io/crates/dcbor-parse/0.7.0)
- [GitHub](https://github.com/BlockchainCommons/bc-dcbor-parse-rust)

### bc-envelope 0.37.0 - November 12, 2025

- Align to dependencies.
- Format.
- [Crates.io](https://crates.io/crates/bc-envelope/0.37.0)
- [GitHub](https://github.com/BlockchainCommons/bc-envelope-rust)

### known-values 0.11.0 - November 12, 2025

- Align to dependencies.
- [Crates.io](https://crates.io/crates/known-values/0.11.0)
- [GitHub](https://github.com/BlockchainCommons/known-values-rust)

### bc-components 0.28.0 - November 12, 2025

- Align to dependencies.
- Format.
- [Crates.io](https://crates.io/crates/bc-components/0.28.0)
- [GitHub](https://github.com/BlockchainCommons/bc-components-rust)

### sskr 0.11.0 - November 12, 2025

- Align to dependencies.
- Format.
- [Crates.io](https://crates.io/crates/sskr/0.11.0)
- [GitHub](https://github.com/BlockchainCommons/bc-sskr-rust)

### bc-ur 0.16.0 - November 12, 2025

- Align to dependencies.
- [Crates.io](https://crates.io/crates/bc-ur/0.16.0)
- [GitHub](https://github.com/BlockchainCommons/bc-ur-rust)

### bc-tags 0.9.0 - November 12, 2025

- Align to dependencies.
- [Crates.io](https://crates.io/crates/bc-tags/0.9.0)
- [GitHub](https://github.com/BlockchainCommons/bc-tags-rust)

### dcbor 0.23.3 - November 12, 2025

- Format.
- [Crates.io](https://crates.io/crates/dcbor/0.23.3)
- [GitHub](https://github.com/BlockchainCommons/bc-dcbor-rust)

### bc-shamir 0.12.0 - November 12, 2025

- Align to dependencies.
- Format.
- [Crates.io](https://crates.io/crates/bc-shamir/0.12.0)
- [GitHub](https://github.com/BlockchainCommons/bc-shamir-rust)

### bc-crypto 0.13.0 - November 12, 2025

- Align to dependencies.
- [Crates.io](https://crates.io/crates/bc-crypto/0.13.0)
- [GitHub](https://github.com/BlockchainCommons/bc-crypto-rust)

### bc-rand 0.4.2 - November 12, 2025

- Use `is_multiple_of` method.
- [Crates.io](https://crates.io/crates/bc-rand/0.4.2)
- [GitHub](https://github.com/BlockchainCommons/bc-rand-rust)
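
Added example (not code from the `provenance` tool or the `provenance-mark` crate): a simplified Python model of the checks the `provenance validate` report is described as covering under What's New, namely genesis presence, chain count, gaps, decreasing dates, and a preceding mark's hash not reproducing with the following mark's key. The `Mark` fields, the truncated SHA-256 commitment, and the rule that a genesis mark's key equals its chain ID are assumptions made for illustration; the sample chains are constructed.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Mark:
    """Hypothetical, simplified stand-in for a provenance mark (not the real encoding)."""
    chain_id: bytes
    seq: int
    date: int      # seconds since epoch
    key: bytes     # key revealed by this mark
    digest: bytes  # commits to this mark's fields plus the NEXT mark's key

def commit(chain_id, seq, date, key, next_key):
    # Assumed commitment layout: SHA-256 over the fields, truncated to 8 bytes.
    body = chain_id + seq.to_bytes(4, "big") + date.to_bytes(8, "big") + key + next_key
    return hashlib.sha256(body).digest()[:8]

def make_chain(seed, dates):
    """Build a constructed sample chain; assumes the genesis key equals the chain ID."""
    keys = [hashlib.sha256(seed + bytes([i])).digest()[:8] for i in range(len(dates) + 1)]
    return [Mark(keys[0], i, d, keys[i], commit(keys[0], i, d, keys[i], keys[i + 1]))
            for i, d in enumerate(dates)]

def validate(marks):
    """Group marks by chain and report the kinds of issue listed for `validate`."""
    chains = defaultdict(list)
    for m in set(marks):                      # input order does not matter
        chains[m.chain_id].append(m)
    issues = []
    for cid, ms in sorted(chains.items()):
        ms.sort(key=lambda m: m.seq)
        if ms[0].seq != 0 or ms[0].key != cid:
            issues.append("no genesis mark")
        for prev, nxt in zip(ms, ms[1:]):
            if nxt.seq != prev.seq + 1:
                issues.append(f"gap after seq {prev.seq}")
                continue                      # cannot link non-adjacent marks
            if nxt.date < prev.date:
                issues.append(f"date decreases at seq {nxt.seq}")
            # The following mark reveals the key the preceding mark committed to.
            if commit(cid, prev.seq, prev.date, prev.key, nxt.key) != prev.digest:
                issues.append(f"hash mismatch at seq {prev.seq}")
    return {"chains": len(chains), "issues": issues}
```

An empty `issues` list with `chains == 1` corresponds to the "no output means complete success" case; a substituted mark shows up as a hash mismatch on both of its neighbours' links.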