Hancock is a tool that proves and verifies the authenticity of files.
The source author produces testimony - a signed attestation - about the source.
Verifiers then confirm their copy is identical to the souce, using
verify to test the copy against the testimony.
Testimony may be produced by third parties (not exclusively the source author). Each verifier independently chooses which authorities they trust.
Testimony is based on a robust hash of source data, in order to guarantee authenticity while not revealing the original source. Hancock treats all testimony as public information; although the implementation is currently limited to finding testimony locally, the ability to store and retrieve testimony from a distributed network of servers is under development.
The name "hancock" comes from "John Hancock" - a slang term in the United States meaning a person's signature.
Copyright (C) 2019, 2020 David N. Cohen see source code for license (AGPL 3)
go get src.d10.dev/hancock/cmd/...
General Usage As Author of Source Code
The hancock command expects optional flags and exactly one operation. Each operation may expect operation-specific flags or arguments.
hancock [command flags] operation [operation flags] [operation args]
Each operation produces output to stdout and expects input from stdin, in order to create a pipeline. For example:
hancock manifest /my/source/file | hancock-sign | hancock testimony
This pipeline construction is allows the signing tool be run in a secure environment, isolated from the tool which publishes data. Isolation, in this case, minimizes the amount of code which handles secrets, and allows signing to be performed on an seperate machine.
Construct a manifest representing a source file with:
hancock manifest /path/to/source/file [...]
Output is JSON-encoded data about the source file(s), in the format expected
Publish signed testimony to an index with:
This operation published the files produced by
Produce signed testimony with:
This operation expects as input the output of
hancock-sign. Testimony is
saved locally, or optionally published to an index.
Check that a copy of source matches the signed testimony of a trusted authority.
hancock verify /path/to/source/copy [...]
Trusted authorities are identified by public key, under [authority] section of configuration file. For example, /home/user/.config/hancock/hancock.cfg might contain:
[authority] d10 = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMLF+xyqVxGP9iK5UK/v/PFqGJbnmKZ6LRK3qmr8tEi
(values are in the format of "~/ssh/.authorized_keys")