Hancock is a tool that proves and verifies the authenticity of files.

The source author produces testimony - a signed attestation - about the source.

Verifiers then confirm their copy is identical to the source, using hancock verify to test the copy against the testimony.

Testimony includes robust hashes and signatures, to guarantee authenticity while not revealing details about the original source. Hancock treats all testimony as public information; it currently uses IPFS to distribute testimony and a public index service to look up IPFS content identifiers.

Testimony may be produced by third parties (not exclusively the source author). Each verifier independently chooses which authorities they trust.

The name "hancock" comes from "John Hancock" - a slang term in the United States meaning a person's signature.

Copyright (C) 2019 David N. Cohen; see source code for license (AGPL 3).


Hancock relies on IPFS to distribute data. Running your own IPFS node is strongly recommended. See http://ipfs.io .

For building hancock, install Go version 1.12 or higher. See https://golang.org/doc/install .

Build and Configure

    go get src.d10.dev/hancock/cmd/...
    cp ${GOPATH%:*}/src/src.d10.dev/hancock/cmd/hancock/example/hancock.cfg ~/.config/hancock/hancock.cfg

The file examples/hancock.cfg has a reasonable set of defaults. Review the comments in that file for more information. Copy the example to ~/.config/hancock/ and edit it if needed.

General Usage as author

The hancock command expects optional flags and exactly one operation. Each operation may expect operation-specific flags or arguments.

    hancock [command flags] operation [operation flags] [operation args]

Each operation produces output to stdout and expects input from stdin, in order to create a pipeline. For example:

    hancock manifest /my/source/file | hancock-sign | hancock testimony

This pipeline construction is intended to isolate signing code from the code which produces and publishes data. Isolation, in this case, minimizes the amount of code which handles secrets, and allows signing to be performed on an isolated machine.

Operation manifest

Construct a manifest representing a source file with:

    hancock manifest /path/to/source/file [...]

Output is JSON-encoded data about the source file(s), in the format expected by hancock-sign.

Operation testimony

Publish signed testimony to an index with:

    hancock testimony

The operation expects as input the output of hancock-sign.

Operation verify

Check that a copy of the source matches the signed testimony of a trusted authority with:

    hancock verify /path/to/source/copy [...]

Trusted authorities are identified by public key, under the [authority] section of the configuration file. For example, /home/user/.config/hancock/hancock.cfg might contain:

    d10 = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMLF+xyqVxGP9iK5UK/v/PFqGJbnmKZ6LRK3qmr8tEi

(values are in the format of "~/.ssh/authorized_keys")
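
The trust check described above, as an added example (not hancock's own code): parse [authority] entries in authorized_keys format and report which trusted authority, if any, signed a given copy. The names parseAuthority and vouchedBy are hypothetical, and signing the bare SHA-256 digest is an assumption standing in for hancock's real testimony format, which this page does not show.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// sshHdr is the SSH wire prefix of an Ed25519 key: len(11) "ssh-ed25519" len(32).
const sshHdr = "\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"

// parseAuthority parses one [authority] entry: "name = ssh-ed25519 <base64> [comment]".
func parseAuthority(line string) (string, ed25519.PublicKey, error) {
	kv := strings.SplitN(line, "=", 2)
	f := strings.Fields(kv[len(kv)-1])
	if len(kv) != 2 || len(f) < 2 || f[0] != "ssh-ed25519" {
		return "", nil, fmt.Errorf("want: name = ssh-ed25519 <base64>, got %q", line)
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil || len(blob) != len(sshHdr)+ed25519.PublicKeySize || string(blob[:len(sshHdr)]) != sshHdr {
		return "", nil, fmt.Errorf("malformed ssh-ed25519 key for %q", kv[0])
	}
	return strings.TrimSpace(kv[0]), ed25519.PublicKey(blob[len(sshHdr):]), nil
}

// vouchedBy returns the name of the first trusted authority whose signature
// over SHA-256(data) verifies, or "" if none does. Malformed entries are skipped.
// ASSUMPTION: signing the bare digest is illustrative, not hancock's testimony format.
func vouchedBy(authorities []string, data, sig []byte) string {
	sum := sha256.Sum256(data)
	for _, line := range authorities {
		if name, key, err := parseAuthority(line); err == nil && ed25519.Verify(key, sum[:], sig) {
			return name
		}
	}
	return ""
}

func main() {
	// Constructed key pair and content, for demonstration only.
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	blob := append([]byte(sshHdr), priv.Public().(ed25519.PublicKey)...)
	cfg := []string{"demo = ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob)}
	sum := sha256.Sum256([]byte("original source"))
	sig := ed25519.Sign(priv, sum[:])
	fmt.Printf("%q %q\n", vouchedBy(cfg, []byte("original source"), sig), vouchedBy(cfg, []byte("tampered copy"), sig))
}
```

An empty result means no configured authority vouches for the copy, so an unparseable or missing key can never cause a copy to be accepted.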