Every artifact in this repository is anchored to Bitcoin.
Verify any .proof file at verify-anchoring.org.
On every push to main, the workflow:
- Creates a build artifact
- Anchors it to Bitcoin via `anchor-action`
- Uploads the `.proof` file as a build artifact
- Commits lightweight proof (`certificate.json` + `proof.ots`) to `/proofs`
The proof is independently verifiable. No account, no vendor, no trust required.
- Fork this repo
- Add `UMARISE_API_KEY` to your repo secrets (Settings → Secrets → Actions)
- Push a commit
- Check the Actions tab — download the `.proof` artifact
Get a free API key (100 anchors, no credit card): umarise.com/developers
Pick the template that matches your stack:
| Template | Stack | What it anchors |
|---|---|---|
| `anchor.yml` | Any (default) | Deterministic repo snapshot |
| `anchor-python.yml` | Python | Test suite → build → anchor |
| `anchor-node.yml` | Node.js | npm test → build → anchor |
| `anchor-docker.yml` | Docker | Container image → anchor |
```yaml
- name: Create deterministic build artifact
  run: |
    tar --sort=name --mtime='UTC 1970-01-01' \
      --owner=0 --group=0 --numeric-owner \
      --exclude='.git' --exclude='proofs' \
      -cf build.tar .
    gzip -n -f build.tar

- name: Anchor to Bitcoin
  uses: AnchoringTrust/anchor-action@v1
  with:
    file: build.tar.gz
  env:
    UMARISE_API_KEY: ${{ secrets.UMARISE_API_KEY }}
```
```yaml
- run: pip install -r requirements.txt

- run: pytest

- name: Build
  run: python -m build

- name: Anchor to Bitcoin
  uses: AnchoringTrust/anchor-action@v1
  with:
    file: dist/*.tar.gz
  env:
    UMARISE_API_KEY: ${{ secrets.UMARISE_API_KEY }}
```
```yaml
- run: npm ci

- run: npm test

- name: Build
  run: npm run build && tar czf build.tar.gz dist/

- name: Anchor to Bitcoin
  uses: AnchoringTrust/anchor-action@v1
  with:
    file: build.tar.gz
  env:
    UMARISE_API_KEY: ${{ secrets.UMARISE_API_KEY }}
```
```yaml
- name: Build image
  run: docker build -t myapp:${{ github.sha }} .

- name: Save image
  run: docker save myapp:${{ github.sha }} | gzip > image.tar.gz

- name: Anchor to Bitcoin
  uses: AnchoringTrust/anchor-action@v1
  with:
    file: image.tar.gz
  env:
    UMARISE_API_KEY: ${{ secrets.UMARISE_API_KEY }}
```
No account needed. No trust required.
```bash
# Node CLI
npx @umarise/cli verify --origin-id <origin_id>

# Python CLI
pip install umarise && umarise verify --origin-id <origin_id>

# Web verifier: https://verify-anchoring.org → HASH + OTS tab

# Verification script from this repository
./verify.sh proofs/abc1234.proof/
```
See verify.sh for the full independent verification script.
| Layer | Tool | Proves |
|---|---|---|
| Code signing | GPG / Sigstore | Who signed it |
| SBOM | Syft / Trivy | What is in it |
| Anchoring | Umarise | When it existed |
A .proof file next to a .sig and .sbom completes the audit trail: what, who, and when.
Each proof consists of two files (~4KB total):
```
proofs/
├── abc1234.json              ← metadata (origin_id, hash, status)
└── abc1234.proof/
    ├── certificate.json      ← hash, origin_id, timestamp
    └── proof.ots             ← OpenTimestamps Bitcoin proof (binary)
```
| File | What it contains | How to verify |
|---|---|---|
| `certificate.json` | Hash, origin_id, timestamp | Compare hash against reproduced artifact |
| `proof.ots` | Merkle path → Bitcoin block | `ots verify proof.ots` or verify-anchoring.org |
The original artifact is not stored — it's reproducible from the git commit via deterministic hashing.
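The comparison in the table above (reproduce the artifact, hash it, check it against `certificate.json`), written out as an added example; it is not this repository's `verify.sh`. It assumes GNU tar, gzip and sha256sum, and that `certificate.json` stores the digest as 64 hex digits under a `hash` key (the key name comes from the table, the exact layout is an assumption).

```bash
#!/bin/sh
# Added example, not the repository's verify.sh. Assumes GNU tar, gzip and
# sha256sum, and a certificate.json with a hex digest under a "hash" key
# (assumed layout).
set -eu

# Rebuild the snapshot of directory $1 with the workflow's tar/gzip flags and
# print the SHA-256 of the resulting build.tar.gz.
snapshot_hash() {
  sh_out=$(mktemp -d)
  tar --sort=name --mtime='UTC 1970-01-01' \
      --owner=0 --group=0 --numeric-owner \
      --exclude='.git' --exclude='proofs' \
      -C "$1" -cf "$sh_out/build.tar" .
  gzip -n -f "$sh_out/build.tar"
  sha256sum "$sh_out/build.tar.gz" | cut -d' ' -f1
  rm -rf "$sh_out"
}

# Print the hex value of the "hash" key in certificate file $1 (empty if absent).
cert_hash() {
  sed -n 's/.*"hash"[[:space:]]*:[[:space:]]*"\([0-9a-fA-F]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 only if the digest recorded in certificate $2 matches the snapshot
# rebuilt from checkout $1. A missing or malformed digest is a failure (2).
verify_snapshot() {
  vs_want=$(cert_hash "$2" | tr 'A-F' 'a-f')
  if [ "${#vs_want}" -ne 64 ]; then
    echo "certificate has no 64-hex-digit hash" >&2; return 2
  fi
  vs_got=$(snapshot_hash "$1")
  if [ "$vs_want" != "$vs_got" ]; then
    echo "MISMATCH: certificate=$vs_want rebuilt=$vs_got" >&2; return 1
  fi
  echo "OK: $vs_got"
}

# Usage: sh check_snapshot.sh <checkout-dir> <certificate.json>
if [ "$#" -eq 2 ]; then verify_snapshot "$1" "$2"; fi
```

Run it from a clean checkout of the anchored commit. Because the compressed bytes are what get hashed, a different tar or gzip build than the runner's can also produce a mismatch.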
- Source code never leaves the runner — only the 64-byte SHA-256 hash is transmitted
- Pin the action for production: `AnchoringTrust/anchor-action@<commit-sha>`
- Proof is tamper-evident — modifying `proof.ots` invalidates the Bitcoin verification
| Scenario | Credits |
|---|---|
| First push (new hash) | 1 |
| Re-run same commit | 0 |
| New commit (code changed) | 1 |
Deterministic hashing ensures re-runs are free.
- GitHub Marketplace — Umarise Anchor
- Independent verifier — verify-anchoring.org
- Open specification — anchoring-spec.org
- CLI — @umarise/cli
- API docs — umarise.com/developers
Unlicense — Public Domain