TrustVer 🔏 v0.3.0

Provenance-aware versioning for AI-era software. Know how much effort an update requires, who or what wrote it, and what verification was applied.

2.4.0+hrai
2.4.0 = effort level (EffVer)
hrai = human-reviewed AI

Key Features

📊 EffVer effort semantics (Macro / Meso / Micro)
🏷️ Authorship tags in the version string
📝 Commit convention with per-commit provenance
📋 Signed Provenance Attestation Documents (PADs)
🔐 ECDSA P-256 signing via SchemaPin
🔄 Append-only attestations (test, audit, pentest)
📦 Full SemVer tooling compatibility
🤖 Auto-derive authorship from commit history
⚙️ Rust CLI with git hook integration
🔍 Sigstore/cosign support for CI signing

Authorship Tags

Tag    Meaning                          Example
h      Human-authored                   1.0.0+h
ai     AI-generated (no human review)   1.2.0+ai
hrai   Human-reviewed AI                2.4.0+hrai
aih    AI-assisted human                3.1.1+aih
auto   Autonomous agent                 0.7.3+auto
mix    Mixed / indeterminate            0.2.0+mix

Install

Pre-built binaries (Linux, macOS, Windows)

# Download from GitHub Releases
curl -fsSL https://github.com/tarnover/TrustVer/releases/latest/download/trustver-v0.1.0-aarch64-apple-darwin.tar.gz | tar xz
sudo mv trustver /usr/local/bin/

Available for: x86_64-linux, aarch64-linux, aarch64-apple-darwin, x86_64-windows. See all releases.

From source (requires Rust toolchain)

cargo install --git https://github.com/tarnover/TrustVer trustver-cli

Verify release signatures

# All binaries are signed with Sigstore cosign
cosign verify-blob \
  --certificate trustver-v0.1.0-*.pem \
  --signature trustver-v0.1.0-*.sig \
  trustver-v0.1.0-*.tar.gz \
  --certificate-identity-regexp="https://github.com/tarnover/TrustVer" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"

Quick Start

# Initialize your project
trustver init --name mylib

# Bump version (authorship auto-derived from commits)
trustver bump meso

# Generate and sign a PAD
trustver key generate
trustver pad generate --artifact dist/mylib.tar.gz
trustver pad sign mylib-1.1.0+hrai.pad.json \
  --key .trustver/keys/trustver-private.pem \
  --public-key .trustver/keys/trustver-public.pem \
  --signer you@example.com

# Validate
trustver pad validate mylib-1.1.0+hrai.pad.json --verify \
  --public-key .trustver/keys/trustver-public.pem

The three layers of TrustVer:

🏷️ Version String

Effort level + authorship tag. Human-readable, SemVer-compatible. Answers: how hard is this update? and who wrote it?

    2.4.0+hrai

📝 Commit Convention

Ground-truth authorship at the commit level. Extends Conventional Commits with a trailing [tag] and trailers.

    feat(auth): add PKCE [hrai]

📋 PAD

Signed JSON sidecar with artifact hashes, build provenance, and append-only attestations. The full trust record.

    mylib-2.4.0.pad.json
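As an added example (not TrustVer's own code), the std-only Rust below shows how the two human-facing layers can be checked mechanically: it parses a version string such as 2.4.0+hrai against the six authorship tags, classifies the EffVer level between two versions, and derives a release tag from commit subjects written in the [tag] convention. Its rule that disagreeing or untagged commits yield mix is an assumption, not TrustVer's documented behaviour.

```rust
// Added example, not TrustVer's own code: parse "MAJOR.MINOR.PATCH+tag",
// classify the EffVer effort of a bump, and derive a release's authorship
// tag from commit subjects like "feat(auth): add PKCE [hrai]".
// The "mix on disagreement" rule in derive_authorship is an assumption.

/// The six authorship tags from the page's table.
pub const TAGS: [&str; 6] = ["h", "ai", "hrai", "aih", "auto", "mix"];

#[derive(Debug, Clone, PartialEq)]
pub struct TrustVersion { pub major: u64, pub minor: u64, pub patch: u64, pub tag: &'static str }

/// Map an input tag onto the canonical static tag, rejecting unknown ones.
fn canonical_tag(t: &str) -> Option<&'static str> { TAGS.iter().copied().find(|k| *k == t) }

/// Parse "2.4.0+hrai". The build-metadata part (after '+') must be a known tag.
pub fn parse_version(s: &str) -> Result<TrustVersion, String> {
    let (core, tag) = s.split_once('+').ok_or("missing '+tag' build metadata")?;
    let tag = canonical_tag(tag).ok_or(format!("unknown authorship tag '{tag}'"))?;
    let nums = core.split('.')
        .map(|p| p.parse::<u64>().map_err(|e| format!("bad component '{p}': {e}")))
        .collect::<Result<Vec<u64>, String>>()?;
    match &nums[..] {
        [major, minor, patch] => Ok(TrustVersion { major: *major, minor: *minor, patch: *patch, tag }),
        _ => Err("expected exactly MAJOR.MINOR.PATCH".to_string()),
    }
}

/// EffVer level implied by moving from `old` to `new`: macro, meso or micro.
pub fn effort_level(old: &TrustVersion, new: &TrustVersion) -> &'static str {
    if new.major != old.major { "macro" }
    else if new.minor != old.minor { "meso" }
    else { "micro" }
}

/// Trailing "[tag]" of a commit subject, or None if absent or unknown.
pub fn commit_tag(subject: &str) -> Option<&'static str> {
    let s = subject.trim_end();
    let open = s.rfind('[')?;
    if !s.ends_with(']') { return None; }
    canonical_tag(&s[open + 1..s.len() - 1])
}

/// Release tag from its commits: the shared tag if every commit agrees,
/// otherwise "mix" (assumed rule; untagged commits count as indeterminate).
pub fn derive_authorship(subjects: &[&str]) -> &'static str {
    let mut seen: Option<&'static str> = None;
    for s in subjects {
        match (commit_tag(s), seen) {
            (None, _) => return "mix",
            (Some(t), Some(prev)) if t != prev => return "mix",
            (Some(t), _) => seen = Some(t),
        }
    }
    seen.unwrap_or("mix")
}
```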

CLI Commands

Version & Commits

  • trustver init — initialize project
  • trustver bump — bump with auto-authorship
  • trustver validate — validate version string
  • trustver check-commit — validate commit
  • trustver audit — provenance summary
  • trustver hook install — git hook

PAD & Signing

  • trustver key generate — ECDSA keypair
  • trustver pad generate — create PAD
  • trustver pad sign — sign PAD
  • trustver pad attest — add attestation
  • trustver pad validate — validate PAD