Content Provenance

Build provenance and verification for the LinnemanLabs content bundle

Provenance for the content bundle currently being served - source information, build tooling with checksums, and file inventory. The content bundle is a signed artifact containing all static HTML, CSS, JavaScript, and assets generated by Hugo. The server verifies bundle integrity at load time before serving any content.

Source: linnemanlabs-site on GitHub

tl;dr · what verifies today
content
verify --bundle content --summary
content hash sha384 · verified at load
kms signature pending
keyless signature fulcio · pending
transparency log rekor #pending, #
timestamp rfc3161 · pending
integrity verified at
trust attestation

The server recomputes the bundle's sha384 at load and refuses to serve on mismatch. Each bundle is also dual-signed at build time - an AWS KMS key plus a keyless Fulcio certificate - and each signature is independently logged to Rekor and RFC 3161 timestamped, all rooted in the self-hosted stack at trust.linnemanlabs.com.

verified by sha384 recomputation at load
content digest
identity
version
type
built
files · size ·
content id
schema
commit
build
actor
system
build run #
builder identity
host
user
build time
commit date
source → build → artifact
source
@
build
· run #
artifact
content bundle
evidence ledger
content evidence - tooling checksums, file inventory, runtime, raw manifest for auditors
build tooling
toolroleversionsha-256
Hugostatic site generator
HTML Tidyhtml validation
Gitversion control
Bashbuild shell
file inventory
show all files
transparency · keyless
rekor origin
rekor log id
rekor log index
rekor tree size
rekor root hash
entry kind
entry version
ct log id
ct log timestamp
ct log hash algo
tsa imprint algo
tsa imprint hash
tsa serial
tsa policy oid
show rekor inclusion proof
show signed checkpoint + raw TSR
rekor signed checkpoint
RFC 3161 TimeStampResp · DER · base64
transparency · kms
rekor origin
rekor log id
rekor log index
rekor tree size
rekor root hash
entry kind
entry version
tsa imprint algo
tsa imprint hash
tsa serial
tsa policy oid
show rekor inclusion proof
show signed checkpoint + raw TSR
rekor signed checkpoint
RFC 3161 TimeStampResp · DER · base64
runtime
source
loaded at
server time
runtime hash
raw manifest
show provenance.json