Open Integrity Project

• did: did:repo:69c8659959f1a6aa281bdc1b8653b381e741b3f6/blob/main/README.md
• github: https://github.com/OpenIntegrityProject/core/blob/main/README.md
• updated: 2025-03-04 by Christopher Allen [email protected]

📖 Introduction

Cryptographic Roots of Trust for Open Source Development

Open Integrity is an initiative by Blockchain Commons to integrate cryptographic trust mechanisms into Git repositories. By leveraging Git's native SSH signing capabilities and structured verification processes, we ensure transparency, provenance, and immutability for software projects.

Whether you're a developer, security researcher, or open-source maintainer, Open Integrity provides the tools to:

• Provide a developer-friendly framework for cryptographic integrity.
• Establish verifiable proof-of-origin for commits and code artifacts through direct verification by inception key holder.
• Expand that proof-of-origin through a chain of trust that allows delegated verification of authorized signers.
• Detect tampering or unauthorized modifications in repository history.
• Enable cross-platform trust verification across Git hosting services

🎯 Project Goals

• 🛡 Immutable Proof-of-Origin – Verify the authenticity of software artifacts
• 🔏 Signed Commits & Tags – Ensure authorship integrity through SSH signatures (~128-bit security).
• 🔍 Tamper Detection – Maintain verifiable repository history.
• 🔗 Trust Delegation – Enable controlled transition from inception key to authorized signers.
• 🌍 Platform-Agnostic Validation – Work across GitHub, GitLab, and self-hosted solutions.

🔑 Key Features

• Inception Commits – Immutable starting points that combine:
  • Empty commit for SHA-1 collision resistance
  • Ricardian Contract defining trust rules
  • SSH signature providing strong cryptographic proofs
• Trust Models:
  • Direct inception key verification
  • Delegated verification through authorized signers
• Automated Tamper Detection – Integrity checks throughout history
• Audit Tools – Comprehensive repository inspection
• Cross-Platform Trust – GitHub, GitLab, P2P, or self-hosted support

📚 Documentation Organization

This repository contains the core implementation and documentation for the Open Integrity Project, offering both conceptual guidance and practical tools for establishing and maintaining cryptographic trust using Git repositories.

📁 Core Documentation

• 📜 Problem Statement – Challenges & solutions for cryptographic roots of trust using Git repositories
• 📟 Script Snippets – Practical command-line shortcuts for Open Integrity
• 📂 Repository Structure – Open Integrity repository structure reference
• 🛣️ Project Roadmap – Development milestones and plans
• 🤝 Contributing Guidelines – How to contribute
• 🔒 Security Policy – Reporting vulnerabilities

📌 Project Resources

• 📖 Documentation Website
• 💬 Community Discussions
• ❗ Initial Issue Tracker

📝 Planned Resources

• 🚀 [Getting Started Guide] – Step-by-step guide to set up your first Open Integrity repository
• 🏛 [Architecture Documentation] – System design & implementation details

🛠 Core Implementation

• ⚙️ Source Code – Essential Open Integrity Project tools & automation scripts
• 📜 Requirements – Requirements documents for Open Integrity Project scripts
• ❗ Issues – Tracks known issues and planned improvements
• 🔎 Tests – Comprehensive regression tests
• 🤖 Main Scripts – Implementation of Open Integrity functionality:
  • 🔍 audit_inception_commit-POC.sh - Audit repositories for compliance
  • 🏗️ create_inception_commit.sh - Create repositories with inception commits
  • 🪪 get_repo_did.sh - Retrieve repository DIDs

🚀 Quick Start

Get started with Open Integrity by:

1. Set up your development environment for signing
2. Create a repository with an inception commit establishing your root of trust
3. Choose your trust model:
   • Direct verification using the inception key
   • OR delegated verification through authorized signers
4. Run Open Integrity audits on your repositories

# Example: Create a repository with a signed inception commit
./src/create_inception_commit.sh -r my_new_repo

# Example: Audit a repository's inception commit
./src/audit_inception_commit-POC.sh -C /path/to/repo

# Example: Get a repository's DID
./src/get_repo_did.sh -C /path/to/repo

For a deeper dive, check out our Problem Statement and documentation.

🚦 Project Status & Roadmap

Current Phase: Early Research & Proof-of-Concept (v0.1.0)

🔹 Core concepts & initial implementation complete 🔹 Seeking community feedback for improvements 🔹 Developing integration with CI/CD & key management solutions 🔹 Not yet production-ready

📍 See our ROADMAP.md for detailed development plans and our Development Phases for general approach.

❗ Issue Management

We track issues in two complementary ways:

1. Repository-specific issues are tracked directly in the src/issues/ directory with detailed context and proposed solutions.

2. General project issues start in GitHub's 💬 Community Discussions to encourage open dialogue before they are moved to our ❗ Initial Issue Tracker.

This dual approach aligns with our commitment to decentralized repository management, allowing issues to be tracked both in version control and across multiple Git hosting platforms, ensuring greater resilience and accessibility beyond any single platform.

🌟 Support the Open Integrity Project

• ⭐ Star our repositories to show support
• 📢 Sharing your discoveries with your network
• 💬 Ask a question or engage in discussions in our Community Discussions
• ✍️ Report an issue in our Initial Issue Tracker
• 🔎 Find Good First Issues to get started
• 💰 Become a financial patron to our host Blockchain Commons via GitHub Sponsors

For commercial support, visit: Blockchain Commons Support.

🤝 How to Contribute

We welcome contributions from developers, researchers, and security experts!

1. Read our Contributing Guide
2. Fork the repository & create a feature branch
3. Implement your feature or fix
4. Digitally sign all your commits with an SSH signing key (gitc commit -S) and attribute authorship (git commit --signoff).
5. Submit a Pull Request for review

All contributors must adhere to our Code of Conduct.

👨‍💻 Lead Developer

Christopher Allen (@ChristopherA), <[email protected]/>

For a full list of contributors, see CONTRIBUTORS.md.

🕵️ Security & Trust

Ensuring security is a top priority for the Open Integrity Project. If you discover a security vulnerability, please report it responsibly:

• Email: [email protected]
• GPG Encrypted Reports: See SECURITY.md for responsible disclosure guidelines

👥 Security Contacts

Name	Email	GPG Fingerprint
Christopher Allen	[email protected]	FDFE 14A5 4ECB 30FC 5D22 74EF F8D3 6C91 3574 05ED

📞 Contact & Support

• Security Issues: [email protected]
• General Questions: Community Discussions
• Bug Reports: Initial Issue Tracker

📜 Copyright & License

Unless otherwise noted, all files are ©2025 Open Integrity Project / Blockchain Commons LLC., and licensed under the BSD 2-Clause Pluse Patent License – See LICENSE for details.

🌍 About Us

The Open Integrity Project is an Open Development initiative hosted by Blockchain Commons, dedicated to advancing open, interoperable, secure & compassionate digital infrastructure, and embracing the Gordian Principles of independence, privacy, resilience, and openness.