Crate provenance_rs

A history-of-ownership protocol for securely proving where a document came from.

Provenance is a simple way for users, companies, or applications to say “yes, I made/edited/created this file”. This makes it easy to know if you can trust an image or document you see online: If it has provenance, then you know who had a hand in creating the document, but if it doesn’t have provenance, you should be suspicious and ask what the creator has to hide.

This rust crate provides the reference implementation for the provenance protocol.

Example

use provenance_rs::{sign, verify, Base64SigningKey};
use ed25519_dalek::SigningKey;

// In reality this would be the server of whomever you're delegating trust. An example
// server implementation (which is used for these tests) is available at
// https://github.com/beyarkay/provenance-server
let username = "beyarkay";
let url = format!("http://localhost:8000/provenance/{username}");
let doc = "Some document that I definitely wrote";
// In reality you'd get the server to generate a keypair for you and give you the (secret)
// signing key.
let base64_signing_key =
    Base64SigningKey("-5TaFC0xFOj_hf7mlvVaLKKpVFTaXUrLDzRqaaf7gFw=".to_string());
let signing_key: SigningKey = base64_signing_key.try_into().unwrap();

let signed_doc = sign(doc, signing_key, &url);

assert!(verify(&signed_doc).is_ok());

Why is this useful?

In this age of AI-generated content, provenance provides a solution to the question “Is this photo real, or AI?” by giving the creators of unbelievable images/videos the option to prove that they created the video. If an image or video does not have provenance information, then you should be suspicious.

How does this work?

Provenance is accomplished by cryptographically signing the file so that you can have proof that the signatory did indeed sign the file, and that the file wasn’t modified after being signed. This process is recursive: you can give provenance to a file that already has provenance, allowing for a history of provenance to be attached to a single file. For example: Joe Blogs took the photo, then PhotoShack.app edited the photo, then user joeblogs1999 uploaded the photo to instagran.com.

Needed:

• A way of listing the signatures on a doc
• A way of verifying a signature
• A way of signing a doc
• A way of getting signatory information from a doc

Structs

• Base64Signature
• Base64SigningKey
• Base64VerifyingKey
• KeyDetails
• SignerDetails
• SignerDetailsFromServer
• Username

Enums

• SigningMethod

Functions

• format_doc
• sign
• verify
  Verify that a given document has been signed, and return the signatories details.