TimestampIt!

Trusted Timestamps. Simplified.


Using TimestampIt! to create Trusted Timestamps for a git repository

Creating a signed Trusted Timestamp for a git repo is a powerful way to prove when your code was created and protect your code inventions.

Official GitHub Action

For users of GitHub, the most convenient way to create these Trusted Timestamps in your repo is to use our official GitHub Action. We recommend visiting that link and following the directions there to set up a GitHub Action workflow in your repo.

You can see a simple example of it in action in our demo repo.

Hashing a git repository

A git repo is simply a set of files in a directory, but a Trusted Timestamp is created from a single hash digest. To create a single hash digest for a set of files, one must hash every file in the collection and then create a hash of all the file hashes. There is no official method to do this, and there are several methods that will work.

What is most important is that the exact same method for hashing your repo is used for both creating the Trusted Timestamp and for verifying the Trusted Timestamp.

The bash command used in our GitHub Action for hashing a repo is:

git ls-tree --full-tree -r --name-only HEAD | sort | xargs shasum -a 256 | shasum -a 256 | awk '{print $1}'

Creating the Trusted Timestamp

When creating the Trusted Timestamp, the ext field can be used to hold the information needed to verify the Trusted Timestamp in the future. It should note several pieces of information, including the git repo name/location and the git commit sha that was hashed.

In our GitHub Action this information is serialized as JSON, like:

{"repo": "https://github.com/user_or_org/repo_name", "sha": "aae4b3ff6b26a38e1fe352103b88e60231d7d846"}

With the repo hash digest and an ext field containing the info needed to verify, you can create the Trusted Timestamp using your preferred method. See our /create API documentation.