Content Attestation
Cryptographic proof that a piece of work existed at a certain moment — and that it has not been altered since.
The BLACKBOX/AC82 experiment seeks to investigate infrastructure for a global cultural commons. Attestation is one small but essential piece of that puzzle — a way to establish provenance and integrity without resorting to exclusive rights, gatekeepers, or commercial platforms.
When does attestation matter?
Scholarship cares deeply about provenance, integrity, and chronological precedence. But in the digital world, those things are fragile in ways we don’t always account for. A few everyday situations where this might matter:
- A historian posts a working paper arguing for a new interpretation of a medieval chronicle. She circulates it on her personal site, on a mailing list, and perhaps deposits it in a repository. Years later, a similar argument appears in a prominent journal. She can point to her website, but the date on a web page is easily faked or challenged; the server logs belong to a service that might not exist in ten years. Attestation would give her a portable, cryptographic proof that the exact text she wrote existed at a specific time, signed by her. The evidence is self‑contained; it doesn’t require a live server to verify, so it remains checkable for as long as the attestation record and the file exist.
- A literature scholar quotes a passage from a colleague’s preprint that was published under a Creative Commons license. Later, the original text is quietly altered on the author’s website to soften a controversial claim. Without attestation, there is no way for the quoting scholar to prove that her citation matches the original version. With an attestation, the original author’s signature on the first version acts as a tamper‑evident seal — the text can evolve, but the version that was quoted remains independently verifiable.
- Generative models make it trivial to produce convincing but unattributed content. A political deepfake or a fake scientific dataset can be shared widely with no way to trace its origin. Conversely, a researcher who uses AI as a tool may want to certify that they stand behind the final output. Attestation allows a creator (human or organisation) to sign their work at the moment of creation. Even if the content is later altered or misattributed, the original signature provides a verifiable chain of custody. In a world of synthetic media, the presence—or absence—of a signature becomes a critical signal.
- Works contributed to a cultural commons are shared not to sell access but to distribute knowledge without gatekeepers. Yet a commons still needs a way to say: “This contribution was made by this person, at this time, and it hasn’t been corrupted.” Cryptographic attestation is a minimal, non-commercial certificate of origin and integrity. It allows works to circulate freely while retaining a verifiable link to the person who made them.
- Digital materials deserve to outlast any single institution. A community archive of oral histories might be hosted on a university server. If the server is replaced, or the funding ends, the files may be lost or silently altered. A set of signed file fingerprints (hashes) stored on a public, permissionless network like IPFS would let anyone who holds a copy of those files verify that they are still genuine, even decades later — no maintenance required by the original host.
Despite their different contexts, these scenarios share a common constraint: none of them can rely solely on a central authority to vouch for authenticity over time. The solution, however, is remarkably simple and entirely open. A creator generates a short digital fingerprint (hash) of the file, signs it with their private key, and stores that signature somewhere public and permanent. Anyone who later encounters a copy of the file can recompute the hash and check it against the signature. A match verifies that this exact file existed when it was signed, and that it hasn't been tampered with.
How it works
Think of it as a modern‑day notary seal: a cryptographic proof that anyone can generate and verify independently.
1. Create a fingerprint
A computer runs a mathematical function over the file. Any file works: a drafted essay, a photograph of a manuscript, a PDF of a thesis. The output is a short, unique string called a hash. If even a single punctuation mark changes, the hash becomes completely different.
2. Sign the fingerprint
Using a cryptographic key (stored in a browser wallet or hardware device), the creator signs the hash. This signature can only be produced by the holder of that specific private key.
3. Publish the signature
The signature—which cryptographically contains the hash within it—is published to a public, append‑only record: an IPFS entry, a blockchain transaction, or a dedicated attestation log (such as the one powering this site). No permission is required. The record exists independently of any single repository or website.
4. Verify
Someone who holds a copy of the file recomputes its hash. They fetch the public signature, extract the signed hash using the creator's public key, and compare the two. If they match, the file is exactly the one that was signed. The verification is offline‑compatible; it works as long as the file and the signature record are available.
Try it — attest a piece of text, then verify it
🔹 Step A – Write or paste any text (a paragraph from an essay, a poem fragment, a string of fieldnotes — anything)
🔹 Step B – Sign it (computes the hash and, if you have MetaMask, asks you to sign)
🔹 Step C – Verify any text against the stored signature
💡 How it works: When you sign, the hash of your text is stored locally. Verification recomputes the hash of the text you enter and compares it to the stored hash. If they match, the signature is still valid. If you change even one character, the hash changes and verification fails.
🔐 If you use MetaMask, the signature also proves that you (the wallet holder) signed it. Without MetaMask, this demo simulates that – but the core integrity check (hash matching) is real.
→ For the working on‑chain version (and its current limitations), see the Site Integrity Heartbeat.
Scaling up: a commons oriented attestation service
A research community, scholarly society, or public knowledge project could run a minimal service that:
- Accepts uploads of preprints, essays, datasets, or review reports.
- Computes the hash and invites the author to sign it (using a personal wallet or a key linked to their ORCID).
- Stores the signed hash on IPFS and optionally anchors it on a low‑cost blockchain for an immutable timestamp.
- Gives the author a permanent link, and offers a “verify” button that anyone can use to check a file against the attestation — no login, no institutional affiliation required.
Such a service would add a thin, resilient layer of proof that belongs to the commons itself.
A note on infrastructure & what’s coming next
Cryptographic attestation is an active, rapidly evolving space. Standards like C2PA (Coalition for Content Provenance and Authenticity) are being adopted by camera manufacturers, software companies, and news organisations. At the same time, web3 infrastructure — public blockchains, IPFS, and self‑sovereign identity — offers a permissionless, decentralised foundation for attestation that doesn’t depend on any single company or government. A signature stored on Ethereum or Arweave can outlive its creator and remain verifiable for decades.
Cameras that sign images cryptographically are already plausible and emerging. Imagine a professional camera (or even a smartphone) that generates a key pair at manufacture. Each photo’s hash is signed immediately inside the camera’s secure hardware, producing a verifiable “proof of capture” that includes timestamp, location (if desired), and a guarantee that the image hasn’t been manipulated after the shutter clicked. Journalists, activists, and scientists could publish signed images directly to the commons. Audiences would verify authenticity with a single click — no trust in a third‑party platform required. Early implementations exist (e.g., Sony’s camera authenticity solution, and Pinata's Signets app). A widely adopted, commons oriented registry for those signatures does not yet exist. Most current solutions rely on corporate‑controlled certificate authorities or are tied to specific blockchains with access barriers. Building an open, permissionless, and low cost registry – one that any camera or creator can use, and anyone can verify without a subscription – remains an open challenge.
• C2PA – Coalition for Content Provenance and Authenticity
• How to build an app that signs & verifies content
• Ethereum Attestation Service (EAS) – a flexible on‑chain attestation protocol
• IPFS – InterPlanetary File System – persistent, content‑addressed storage
From demo to a live experiment
The demo above walks through the concepts of hashing and signing, but runs off-chain in your browser and leaves no permanent public record. For an on-chain implementation I’ve set up a separate page: the Site Integrity Heartbeat.