Cryptographic Author Proof for WordPress Posts
Attach a GPG signature. Prove who wrote it. Show the world.
ArchivioID extends ArchivioMD with OpenPGP detached-signature verification—letting authors cryptographically sign posts from their own GPG key, upload the signature file, and display a tamper-evident verification badge to every reader. No system GPG installation. No external API calls. Pure PHP, fully self-contained.
TL;DR: Upload your public key once. Sign posts locally with GPG. Drop in the .asc file. ArchivioID does the rest—verifying, badging, and logging every event automatically.
Key Statistics
What Is ArchivioID?
Digital authorship on the open web has a trust problem. ArchivioID solves it by bringing cryptographic evidence—the same technology used to check software releases and official government documents—directly into WordPress.
A detached GPG signature mathematically binds a post’s content to a specific private key that only its author holds. Anyone (a reader, a journalist, a court) can independently check that signature using your public key and standard GPG tools, without needing WordPress, ArchivioID, or any proprietary software.
This is the same trust model used by major Linux distributions to sign package releases, by security researchers to sign disclosures, and by open-source maintainers to prove code authenticity. ArchivioID brings that workflow into WordPress for the first time as an integrated, admin-friendly plugin.
Journalists publishing sensitive findings. Researchers whose data integrity matters. Legal professionals documenting findings with a timestamp. Whistleblower platforms. Security disclosures. Any context where “I wrote this and it hasn’t changed” needs to be provable, not just claimed.
Core Features
Everything you need to sign, check, badge, and audit WordPress post authorship—with no external services, no server GPG installation, and no complexity.
Public Key Management
Store and manage GPG public keys directly in the WordPress admin—no command line required.
- Upload armored public keys via the admin UI
- Label keys by author or role for easy identification
- View full 40-character key fingerprints at a glance
- Multiple keys supported for multi-author sites
- Secure storage in WordPress database
Per-Post Signature Upload
A clean meta box on every post editor lets you attach a .asc detached signature file in seconds.
- Integrated post meta box—no separate admin screen
- Upload .asc / .sig detached signature files
- AJAX verification runs immediately on upload
- Current signature status always visible in the editor
- Replace or delete signatures at any time
Automated Verification Engine
Pure PHP cryptographic verification—no system GPG, no shell_exec, no external API calls.
- Powered by phpseclib v3 — pure PHP crypto
- Parses OpenPGP packets via OpenPGP-PHP
- Supports RSA, DSA, and EdDSA (Ed25519) key types
- Works on shared hosting with no special server setup
- Verifies signature against stored post content hash
- Reports failure reason on invalid signatures
Front-End Verification Badge
Readers see a clear, cryptographically-backed verification badge directly on the post.
- 🔒 lock emoji / “Verified” badge on confirmed posts
- Shows key label and fingerprint excerpt publicly
- Badge updates automatically after verification
- Unverified or invalid states clearly distinguished
- No page reload needed—AJAX-powered UI sync
- Fully accessible with ARIA labels
Tamper-Evident Audit Log
Every upload, verification attempt, and deletion is logged—creating a compliance-ready event trail.
- Logs: upload, verify, and delete events per post
- Records timestamp (UTC), user ID, key fingerprint
- Records hash algorithm and final signature status
- Filter by status: verified / invalid / error
- Export to CSV for compliance reporting
- Configurable retention period (1–365 days)
Fully Offline Verifiable
Verification doesn’t depend on your server. Anyone can independently confirm a signature using standard GPG.
- Downloadable verification data for offline audits
- Compatible with GnuPG, Kleopatra, GPG Suite, and others
- No proprietary format—standard OpenPGP throughout
- Verification process documented for non-technical reviewers
- Public fingerprint display enables independent key lookup
Browser-Based Signing (new in v1.3.0)
Generate key pairs and sign post hashes entirely inside your browser—no local GPG installation, no command line, no private key ever leaving your device.
- Generate Ed25519 (Curve25519) key pairs in-browser via OpenPGP.js 6.3.0
- Private key stays in browser memory only—never sent to the server
- Sign the post’s ArchivioMD hash directly from the Browser Sign admin page
- Produced .asc signatures are uploaded and verified server-side immediately
- Import an existing PGP private key if you already have one
- Session unlock: re-enter passphrase once per browser session
How It Works
Four steps from setup to a publicly verifiable, cryptographically signed post.
Paste your armored GPG public key into the ArchivioID Key Management screen. Label it with your name or role. That’s it for setup.
On your own machine, use your private GPG key to make a detached signature of the post content: gpg --armor --detach-sign post.txt. Your private key never leaves your device.
In the post editor, open the ArchivioID meta box and upload your .asc signature file. ArchivioID verifies it immediately against your stored public key.
On successful verification, a 🔒 badge appears on the published post, showing readers the post is cryptographically signed and hasn't been tampered with. The event is logged in the audit trail.
Don’t have GPG installed locally? No problem. The Browser Sign page lets you generate a key pair and sign posts without leaving WordPress—everything runs inside your browser tab. Your private key is never sent to the server.
In the WordPress admin, navigate to ArchivioID → Browser Sign. OpenPGP.js loads in your browser—nothing is installed on the server.
Click Generate Key Pair to create a new Ed25519 key protected by a passphrase. Or paste an existing PGP private key into the import panel. The private key stays in browser memory only.
Copy the generated public key from the output panel and upload it once via ArchivioID → Key Management. This is the key the server will use to check your signatures.
Enter a post ID, fetch its hash, and click Sign. The browser produces a detached .asc signature. Click Upload & Check — the server verifies it and the badge goes live instantly.
OpenPGP.js runs entirely in your browser tab. The private key is held in JavaScript memory only and is never included in any network request. A passphrase-encrypted copy is stored in sessionStorage for the duration of your browser session—it's cleared when you close the tab.
OpenPGP.js 6.3.0 is bundled locally with the plugin (assets/js/openpgp.min.js) and loaded from the unpkg CDN as the main source. The CDN request is protected by a Subresource Integrity (SRI) hash—the browser automatically rejects any CDN response that doesn’t match the bundled file byte-for-byte. If the CDN is unavailable, the bundled local copy loads automatically as a fallback.
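The SRI check described above, as an added Node.js example that is not ArchivioID code: it derives the SHA-384 integrity value from the bundled bytes and mirrors the accept/reject decision a browser makes for a CDN response. The function names, the sample bytes and the fallback policy in `chooseSource` are assumptions made for illustration.

```javascript
// Added example, not ArchivioID code. Names and sample bytes are constructed.
const crypto = require('node:crypto');

// Integrity value derived from the trusted, locally bundled file bytes.
function computeSri(bytes, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// Same decision a browser makes for <script integrity="...">: only entries
// using the strongest listed algorithm count, and any one of them may match.
function matchesSri(bytes, integrity) {
  const rank = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);
  const entries = integrity.trim().split(/\s+/)
    .map((e) => ({ algo: e.slice(0, e.indexOf('-')), b64: e.slice(e.indexOf('-') + 1) }))
    .filter((e) => rank.has(e.algo));
  // Caveat: a value with no recognised hash is not enforced at all.
  if (entries.length === 0) return true;
  const best = Math.max(...entries.map((e) => rank.get(e.algo)));
  return entries
    .filter((e) => rank.get(e.algo) === best)
    .some((e) => computeSri(bytes, e.algo) === `${e.algo}-${e.b64}`);
}

// Assumed loader policy: use the CDN copy only when it passes the check,
// otherwise (missing or rejected) fall back to the bundled file.
function chooseSource(cdnBytes, bundledBytes) {
  const integrity = computeSri(bundledBytes);
  return cdnBytes && matchesSri(cdnBytes, integrity) ? 'cdn' : 'bundled';
}

// Constructed stand-ins for assets/js/openpgp.min.js and a modified CDN copy.
const bundled = Buffer.from('/* constructed stand-in for openpgp.min.js */');
const tampered = Buffer.concat([bundled, Buffer.from('\n/* one extra line */')]);

console.log(computeSri(bundled));
console.log(chooseSource(Buffer.from(bundled), bundled));
console.log(chooseSource(tampered, bundled));
console.log(chooseSource(null, bundled));
```

Because the integrity value is computed from the bundled file, the check is only as trustworthy as that file: verify the plugin package itself before relying on it.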
Built-In Audit Log
Every signature event is recorded with full metadata—who did what, when, and what the result was. Export to CSV for compliance reporting or security audits.
| Post | Event | Status | Key Fingerprint | Timestamp (UTC) | User |
|---|---|---|---|---|---|
| Investigation: City Council Records | upload | ● unverified | 3B85B407…B50F5897 | 2026-02-17 12:34:56 | editor |
| Investigation: City Council Records | check | ✓ verified | 3B85B407…B50F5897 | 2026-02-17 12:35:12 | editor |
| Annual Security Disclosure Q1 | check | ✗ invalid | A1C3F902…9D4E2B1A | 2026-02-17 14:02:37 | admin |
| Policy Update: Data Retention v2 | check | ✓ verified | 3B85B407…B50F5897 | 2026-02-17 16:20:04 | editor |
| Annual Security Disclosure Q1 | delete | ● deleted | A1C3F902…9D4E2B1A | 2026-02-17 16:55:00 | admin |
CSV Export
Export filtered logs to CSV for compliance reports, security audits, or archival. Includes date-range and status filters with CSV-injection protection.
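What CSV-injection protection means for an export like this one, as an added JavaScript example that is not ArchivioID code: cells that a spreadsheet would evaluate as a formula are neutralised before quoting. The column keys, function names and the first sample post title are constructed; the fingerprints and timestamps are taken from the table above.

```javascript
// Added example, not ArchivioID code. Rows and names are constructed.

// Neutralise a cell a spreadsheet would treat as a formula, then quote it.
function csvCell(value) {
  let s = value == null ? '' : String(value);
  // A leading = + - @ (or tab / CR) can make a spreadsheet evaluate the cell;
  // prefixing an apostrophe keeps it as text (OWASP CSV-injection guidance).
  if (/^[=+\-@\t\r]/.test(s)) s = "'" + s;
  // Standard CSV quoting: wrap in quotes and double any embedded quote.
  return '"' + s.replace(/"/g, '""') + '"';
}

// Hypothetical column keys modelled on the audit log table.
const COLUMNS = ['post', 'event', 'status', 'fingerprint', 'timestamp_utc', 'user'];

// Export rows, optionally filtered by status, one CRLF-terminated line each.
function exportAuditCsv(rows, statusFilter) {
  const kept = statusFilter ? rows.filter((r) => r.status === statusFilter) : rows;
  const lines = [COLUMNS.map(csvCell).join(',')];
  for (const row of kept) {
    lines.push(COLUMNS.map((c) => csvCell(row[c])).join(','));
  }
  return lines.join('\r\n') + '\r\n';
}

// Constructed sample: the first post title starts with a formula character.
const sampleRows = [
  { post: '=1+1 "Q1" report', event: 'upload', status: 'invalid',
    fingerprint: 'A1C3F902…9D4E2B1A', timestamp_utc: '2026-02-17 14:02:37', user: 'admin' },
  { post: 'Policy Update: Data Retention v2', event: 'upload', status: 'verified',
    fingerprint: '3B85B407…B50F5897', timestamp_utc: '2026-02-17 16:20:04', user: 'editor' },
];

console.log(exportAuditCsv(sampleRows, 'invalid'));
```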
Access Controls
Audit log access is restricted to manage_options capability. Log events require edit_post. Every action is nonce-verified.
Auto Retention
Configure log retention from 1 to 365 days. Manual or scheduled cleanup keeps your database lean without losing recent event history.
🔗 Part of the Archivio Ecosystem
ArchivioID is an add-on and requires ArchivioMD (v1.5.0+) to function. Install ArchivioMD first for the complete infrastructure documentation and cryptographic integrity platform, then add ArchivioID for OpenPGP author-signature verification.
ArchivioID vs. The Alternatives
GPG signing WordPress posts has always been technically possible—but never integrated. See what ArchivioID changes.
| Capability | ArchivioID | Manual GPG Process | PGP Email Plugins |
|---|---|---|---|
| Detached signature per WordPress post | ✓ | ◎ Manual | ✗ |
| Admin UI key management | ✓ | ✗ | ◎ Email only |
| Front-end verification badge on post | ✓ | ✗ | ✗ |
| No server GPG / shell_exec needed | ✓ | ✗ | ◎ Varies |
| Tamper-evident audit log with CSV export | ✓ | ✗ | ✗ |
| Independently offline-verifiable with standard GPG | ✓ | ✓ | ✗ |
| WordPress post editor integration | ✓ | ✗ | ✗ |
| Private key never touches the server | ✓ | ✓ | ◎ Varies |
| In-browser key generation—no local GPG needed | ✓ | ✗ | ✗ |
Technical Specifications
Built on proven open-source cryptographic libraries, following WordPress coding standards throughout.
Cryptographic Backend
Pure PHP—no native extensions required beyond what shared hosting already provides.
- phpseclib v3 — cryptographic operations
- OpenPGP-PHP — packet parsing and decoding
- RSA, DSA, Ed25519 (EdDSA) key support
- SHA-256, SHA-512, and SHA-1 digest support
- Armored and binary OpenPGP formats accepted
Security Practices
Every action is gated, sanitized, and validated—following WordPress security standards throughout.
- Nonce verification on all form submissions
- Capability checks (manage_options, edit_post)
- All inputs sanitized; all outputs escaped
- SQL prepared statements throughout
- No direct file access (ABSPATH check)
- XSS protection in JavaScript layer (escapeHtml())
- CDN-loaded OpenPGP.js protected by SHA-384 SRI hash—browser rejects tampered responses
- Browser Sign private key never leaves browser memory; never transmitted to server
Compatibility
Tested broadly across server configurations and WordPress environments.
- WordPress 5.0 – 6.7+
- PHP 7.4 – 8.3
- MySQL 5.7 – 8.0 / MariaDB 10.3 – 11.0
- Shared hosting (no special PHP extensions)
- Works with Redis, Memcached, and all page cache plugins
- Requires ArchivioMD v1.5.0+
Cache & Performance
Intelligent cache invalidation ensures UI and database remain perfectly synchronized after every verification.
- clean_post_cache() after every database write
- wp_cache_delete() for object cache (Redis/Memcached)
- No-cache headers on AJAX verification responses
- Post-update verification checks detect race conditions
- <10ms overhead per verification operation
Database Schema
Two clean, indexed tables—one for signatures, one for audit events. No schema migrations needed on update.
- wp_archivio_id_signatures — per-post signature data
- wp_archivio_id_audit_log — event history
- Indexed on post_id, timestamp_utc, status
- Cleaned on plugin uninstall
- No schema changes between v1.0 and v1.3.1
Browser Sign & OpenPGP.js
In-browser key generation and signing powered by OpenPGP.js 6.3.0—bundled locally and loaded via CDN with integrity protection.
- OpenPGP.js 6.3.0 (LGPL-3.0) — bundled at assets/js/openpgp.min.js
- CDN (unpkg.com) used as main source; bundled file as automatic fallback
- CDN request protected by SHA-384 Subresource Integrity hash
- SRI hash auto-computed from bundled file and cached as WP transient
- Ed25519 (Curve25519) key generation in-browser
- Session-encrypted key storage in sessionStorage — cleared on tab close
AJAX & UI
Rich asynchronous verification flow with graceful error handling and seamless state synchronization.
- AJAX-powered upload and verification—no page reload required
- Structured JSON responses with full badge and status data
- Auto page-reload after verification (2s delay) for post cache
- Network error handling and console logging for debugging
- WCAG 2.1 AA accessible admin and front-end components
Who Should Use ArchivioID?
Any WordPress site where authorship authenticity and post integrity need to be provable, not just claimed.
Investigative Journalists
Publish sensitive findings with cryptographic evidence of authorship and content integrity. Readers (and courts) can independently check that an article hasn't been altered since publication.
Security Researchers
Sign CVE disclosures, vulnerability reports, and proof-of-concept posts so the community can check the disclosure is genuine and unchanged—even months later.
Legal & Compliance Teams
Keep a timestamped, auditable record of policy publications. The audit log provides a compliance-ready trail of who published what, when, and that it was cryptographically verified.
Academic Researchers
Publish findings, preprints, or data summaries with a signature that ties them to your established GPG identity—providing a traceable chain of academic provenance.
Open Source Maintainers
Sign release notes, security advisories, and changelogs on your project’s WordPress site with the same GPG key used for software releases—a single verifiable identity across all channels.
DevOps & SRE Teams
Pair with ArchivioMD’s infrastructure documentation to sign runbooks, incident reports, and change logs—creating an auditable, tamper-evident operational record inside WordPress.
Ready to Sign Your Posts?
Install ArchivioMD, then add ArchivioID. Upload your public key, sign a post, and have a cryptographically verifiable, audit-logged, badged article live in under ten minutes.