Skip to content

Instantly share code, notes, and snippets.

@ChristopherA

ChristopherA/README.md

Last active March 20, 2026 23:54
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save ChristopherA/e2d59c62e3e50abe2595d74c0fd6f782 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save ChristopherA/e2d59c62e3e50abe2595d74c0fd6f782 to your computer and use it in GitHub Desktop.
Download ZIP
Open Integrity inception commit proof-of-concept — self-verifying code provenance for Git repositories
Raw
README.md
  • did: did:repo:423c9aee3c2cfd0d48ccacf645d3432b9b6bf2b2/blob/main/README.md
  • github: https://gist.github.com/ChristopherA/e2d59c62e3e50abe2595d74c0fd6f782
  • updated: 2026-03-20 by Christopher Allen <ChristopherA@LifeWithAlacrity.com>

Open Integrity Inception Commit — Gist Proof of Concept

This gist demonstrates that a GitHub Gist can carry a valid Open Integrity inception commit and that a script within the gist can verify its own provenance.

The Problem with curl | sh

Code distributed via curl | sh depends on transient trust: the hosting platform, the URL, and DNS. None of these are cryptographic. If any link in that chain is compromised, you run unverified code.

An Open Integrity inception commit addresses this by signing the repository's first commit with a key that is independently verifiable — registered on GitHub, published on a personal site, or both. Anyone can confirm that the code was authored by the claimed key holder, regardless of where the repository is hosted.

Platform-Independent Identity

The repository DID (did:repo:423c9ae...) is derived from the inception commit hash, not from any platform URL. Clone this gist, push it to GitLab, host it on your own server, or distribute it over IPFS — the same verification works everywhere. The inception commit travels with the repository because it is part of the repository.

This matters because:

  • Repositories maintain their cryptographic identity across platforms — cloning and rehosting does not break the chain of trust
  • Verification requires only Git and a network connection to the signing key's publication endpoint (GitHub API, personal website, keyserver)
  • Standard git verify-commit is sufficient — no proprietary tools or platform APIs needed
  • Platform failure or censorship does not invalidate the repository identity

Repository DID

did:repo:423c9aee3c2cfd0d48ccacf645d3432b9b6bf2b2

Verification

The included verify-gist.sh walks three phases of the Progressive Trust lifecycle:

  1. Wholeness — the inception commit is empty (no files), carries the required initialization message, and includes a Signed-off-by trailer
  2. Proofs — an SSH signature is present and, if allowed_signers is configured, cryptographically verified
  3. References — the signing key fingerprint is checked against GitHub's public SSH signing keys API to confirm it belongs to a registered account

Clone and Verify

git clone https://gist.github.com/e2d59c62e3e50abe2595d74c0fd6f782.git oi-gist-poc
cd oi-gist-poc
sh verify-gist.sh

Inspect the Script First (Pinned to a Signed Commit)

curl -fsSL https://gist.githubusercontent.com/ChristopherA/e2d59c62e3e50abe2595d74c0fd6f782/raw/9b4b13421356584112a028c1b13c6e3ee68c3f77/verify-gist.sh | less

Requirements: git, curl. Optional: jq (for structured GitHub API parsing), gh (for authenticated API access).

How This Was Made

GitHub's Gist API requires at least one file at creation time — there is no way to create a gist with an empty initial commit. To work around this:

  1. Created a gist via gh gist create with a placeholder file
  2. Cloned the gist as a standard Git repository
  3. Created an orphan branch with a signed, empty inception commit matching the Open Integrity specification
  4. Added verify-gist.sh as the second commit, signed with the same key
  5. Added this README.md as the third commit, also signed
  6. Force-pushed the rewritten history to replace the original

The signing key (SHA256:a61TkTtLFGEYOmdRMbpYGkZwXw2QUrGkAWp3dok8jcw) is an Ed25519 key registered on GitHub for @ChristopherA. Anyone can confirm the key's registration via that public API endpoint — no authentication required.

Limitations

  • Gist IDs are opaque: The gist identifier (e2d59c62e3e50abe2595d74c0fd6f782) is server-assigned and unrelated to the inception commit hash. The DID uses the commit hash.
  • Force-push required: The inception commit can only be inserted by rewriting history after gist creation. This is a one-time operation.
  • Web edits break the chain: Commits made through the GitHub Gist web editor are unsigned and use GitHub <noreply@github.com> as committer. Edits should be made locally and pushed with a signed commit.
  • No branch protection: Gists have no branch protection rules. Anyone with push access could rewrite history.

References

Raw
verify-gist.sh
#!/bin/sh
# verify-gist.sh — Self-verifying Open Integrity inception commit audit
#
# Verifies the Git repository this script lives in by walking three
# phases of the Progressive Trust lifecycle:
#
# Phase 2 (Wholeness): Inception commit is empty, message format
# matches the Open Integrity specification,
# Signed-off-by trailer is present.
#
# Phase 3 (Proofs): SSH signature is present. If an allowed_signers
# file is configured, the signature is verified
# cryptographically.
#
# Phase 4 (References): The signing key fingerprint is checked against
# GitHub's public SSH signing keys API to confirm
# it belongs to a registered account.
#
# The repository DID (did:repo:<hash>) is derived from the inception
# commit, not from any hosting platform. Verification works the same
# whether this repo is on GitHub, GitLab, or a personal server.
#
# Usage:
# git clone <repo-url> && cd <repo> && sh verify-gist.sh
#
# Requirements: git, curl. Optional: jq (structured API parsing)
#
# Progressive Trust lifecycle:
# https://developer.blockchaincommons.com/progressive-trust/
# Open Integrity Project:
# https://github.com/OpenIntegrityProject/core/
set -eu
# ---- Helpers ----
pass() { printf ' \033[32m✓\033[0m %s\n' "$1"; }
fail() { printf ' \033[31m✗\033[0m %s\n' "$1"; FAILURES=$((FAILURES + 1)); }
info() { printf ' \033[33m·\033[0m %s\n' "$1"; }
bold() { printf '\033[1m%s\033[0m\n' "$1"; }
FAILURES=0
# ---- Locate Repository ----
REPO_DIR="$(git rev-parse --show-toplevel 2>/dev/null)" || {
printf 'Error: not inside a Git repository.\n' >&2
exit 1
}
cd "$REPO_DIR"
bold ""
bold "Open Integrity Inception Commit — Verification"
bold "================================================"
printf '\n'
# ---- Phase 2: Wholeness ----
# Validate that foundational data is structurally sound and complete.
bold "Phase 2: Wholeness"
INCEPTION=$(git rev-list --max-parents=0 HEAD 2>/dev/null) || {
fail "No inception commit found"
exit 1
}
INCEPTION_SHORT=$(printf '%.7s' "$INCEPTION")
info "Inception commit: $INCEPTION"
info "Repository DID: did:repo:$INCEPTION"
TREE_HASH=$(git cat-file -p "$INCEPTION" | awk '/^tree / {print $2}')
EMPTY_TREE=$(git hash-object -t tree /dev/null)
if [ "$TREE_HASH" = "$EMPTY_TREE" ]; then
pass "Commit is empty (no files) — reduced SHA-1 collision surface"
else
fail "Commit is NOT empty — expected empty tree hash"
fi
COMMIT_MSG=$(git log "$INCEPTION" -1 --pretty=%B)
if printf '%s' "$COMMIT_MSG" | grep -q "Initialize repository and establish a SHA-1 root of trust"; then
pass "Initialization message present"
else
fail "Missing required initialization message"
fi
if printf '%s' "$COMMIT_MSG" | grep -q "^Signed-off-by: "; then
pass "Signed-off-by trailer present"
else
fail "Missing Signed-off-by trailer"
fi
printf '\n'
# ---- Phase 3: Proofs ----
# Verify cryptographic signatures.
bold "Phase 3: Proofs"
HAS_SIG=$(git cat-file -p "$INCEPTION" | grep -c "BEGIN SSH SIGNATURE" || true)
if [ "$HAS_SIG" -gt 0 ]; then
pass "SSH signature present"
else
fail "No SSH signature found"
fi
COMMITTER_NAME=$(git log "$INCEPTION" -1 --pretty=format:'%cn')
if printf '%s' "$COMMITTER_NAME" | grep -q "^SHA256:"; then
pass "Committer name is key fingerprint: $COMMITTER_NAME"
else
fail "Committer name is not a key fingerprint: $COMMITTER_NAME"
fi
SIGNERS_FILE=$(git config gpg.ssh.allowedSignersFile 2>/dev/null || true)
if [ -n "$SIGNERS_FILE" ] && [ -f "$SIGNERS_FILE" ]; then
if git verify-commit "$INCEPTION" >/dev/null 2>&1; then
pass "Signature cryptographically verified via allowed_signers"
else
fail "Signature verification failed"
fi
else
info "Local signature verification skipped (no allowed_signers configured)"
info "Configure: git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers"
fi
printf '\n'
# ---- Phase 4: References ----
# Aggregate trust declarations from multiple sources.
bold "Phase 4: References"
COMMITTER_EMAIL=$(git log "$INCEPTION" -1 --pretty=format:'%ce')
info "Committer email: $COMMITTER_EMAIL"
GITHUB_USER=""
if command -v gh >/dev/null 2>&1; then
GITHUB_USER=$(gh api /user 2>/dev/null | grep -o '"login":[[:space:]]*"[^"]*"' | cut -d'"' -f4 || true)
fi
if [ -z "$GITHUB_USER" ]; then
GITHUB_USER=$(git config github.user 2>/dev/null || true)
fi
if [ -n "$GITHUB_USER" ]; then
info "Checking signing keys for @$GITHUB_USER on GitHub..."
GITHUB_KEYS_URL="https://api.github.com/users/$GITHUB_USER/ssh_signing_keys"
GITHUB_KEYS=$(curl -sf "$GITHUB_KEYS_URL" 2>/dev/null || true)
if [ -n "$GITHUB_KEYS" ]; then
COMMIT_KEY_DATA=$(git log "$INCEPTION" -1 --show-signature --pretty=format:'' 2>/dev/null || true)
COMMIT_KEY_FP=$(printf '%s' "$COMMIT_KEY_DATA" | grep -o "SHA256:[^ ]*" | head -1 || true)
if [ -n "$COMMIT_KEY_FP" ]; then
info "Signing key fingerprint: $COMMIT_KEY_FP"
MATCHED=0
if command -v jq >/dev/null 2>&1; then
KEY_COUNT=$(printf '%s' "$GITHUB_KEYS" | jq length)
i=0
while [ "$i" -lt "$KEY_COUNT" ]; do
GH_KEY=$(printf '%s' "$GITHUB_KEYS" | jq -r ".[$i].key")
GH_TITLE=$(printf '%s' "$GITHUB_KEYS" | jq -r ".[$i].title")
GH_FP=$(printf '%s' "$GH_KEY" | ssh-keygen -lf - 2>/dev/null | awk '{print $2}' || true)
if [ "$GH_FP" = "$COMMIT_KEY_FP" ]; then
MATCHED=1
pass "Key registered on GitHub as: $GH_TITLE"
info "Verified via: $GITHUB_KEYS_URL"
break
fi
i=$((i + 1))
done
else
if printf '%s' "$GITHUB_KEYS" | grep -q "$(printf '%s' "$COMMIT_KEY_FP" | sed 's/SHA256://')"; then
MATCHED=1
pass "Key found in GitHub signing keys for @$GITHUB_USER"
info "Verified via: $GITHUB_KEYS_URL"
fi
fi
if [ "$MATCHED" -eq 0 ]; then
fail "Key NOT found in GitHub signing keys for @$GITHUB_USER"
info "Fingerprint: $COMMIT_KEY_FP"
info "Check: $GITHUB_KEYS_URL"
fi
else
info "Could not extract fingerprint from signature"
info "Manual check: git verify-commit $INCEPTION_SHORT"
fi
else
fail "Could not fetch signing keys from $GITHUB_KEYS_URL"
fi
else
info "GitHub username not detected — skipping key verification"
info "Set with: git config --global github.user YOUR_USERNAME"
info "Or install gh CLI: https://cli.github.com/"
fi
printf '\n'
# ---- Summary ----
bold "Summary"
info "Repository DID: did:repo:$INCEPTION"
info "Inception commit: $INCEPTION"
info "Signing key: $COMMITTER_NAME"
printf '\n'
if [ "$FAILURES" -eq 0 ]; then
bold "All checks passed."
printf '\n'
info "This repository has a valid Open Integrity inception commit."
info "The signing key is bound to the repository identity and"
info "registered on GitHub, establishing verifiable provenance."
printf '\n'
info "The DID (did:repo:$INCEPTION_SHORT...) is derived from the"
info "inception commit hash — not from any platform URL. The same"
info "verification works on any Git-compatible host."
else
printf ' \033[31m%d check(s) failed.\033[0m\n' "$FAILURES"
fi
printf '\n'
exit "$FAILURES"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment