Skip to content

notvcto/vwh

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
.github
.github
 
 
crates
crates
 
 
docs/man
docs/man
 
 
examples
examples
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
SPEC.md
SPEC.md
 
 

Repository files navigation

VWH (Victor Was Here)

Crate

VWH is a cryptographic artifact format and public inspector for proving that a specific intent was recorded at a point in time. Artifacts are immutable once signed, and verification works offline. A network registry is optional and advisory.

This repository contains only public components:

  • vwh-core (library): format parsing, hashing, signing, verification
  • vwh (CLI): public inspector for .vwh artifacts

The private authoring tool used to create and sign artifacts is intentionally not included here.

Status: v1 format, stable for public inspection.

Key Ideas

  • Offline-first: Signature verification never depends on the network.
  • Immutable: Signed artifacts cannot be modified without invalidating the signature.
  • Advisory registry: Optional trust context for key status and revocations.

Artifacts

  • Binary format, fixed size (128 bytes)
  • Signed with Ed25519
  • Includes a public key and intent

Installation

cargo build --release

Binaries will be at:

target/release/vwh

Usage

Binary name by OS:

  • macOS/Linux: vwh
  • Windows: vwh.exe

If running from build output:

  • macOS/Linux: ./target/release/vwh
  • Windows (PowerShell): .\target\release\vwh.exe

Inspect a file:

vwh inspect artifact.vwh

Offline mode:

vwh inspect artifact.vwh --offline

Custom registry URL:

vwh inspect artifact.vwh --registry https://example.com/registry

Or via environment variable:

export VWH_REGISTRY_URL=https://example.com/registry
vwh inspect artifact.vwh

Windows (PowerShell):

$env:VWH_REGISTRY_URL = "https://example.com/registry"
vwh.exe inspect artifact.vwh

Windows (CMD):

set VWH_REGISTRY_URL=https://example.com/registry
vwh.exe inspect artifact.vwh

Registry (Optional)

If available, the inspector fetches:

  • keys.json
  • ledger.json

Default registry base URL:

  • https://notvc.to/vwh-registry

Registry data is advisory only. Signature validity is always authoritative and local.

🏴‍☠️ The "Frame Me" Challenge

VWH separates Mathematical Validity from Authority.

To demonstrate this, I've published the demo key with its passphrase.

Your mission: Use vwh-core to create a malicious artifact.

What you have:

The result: Your artifact will have a ✅ cryptographically valid signature
But registry will flag it as ⚠️ UNTRUSTED/DEMO

This proves: Even with a compromised key, the registry prevents unauthorized attribution.

Hint: Everything you need is in vwh-core. Start with ArtifactBuilder and signing_bytes().

cargo test --workspace
cargo fmt --check
cargo clippy --workspace -- -D warnings

License

MIT (see LICENSE).

About

The VWH Accountability Standard. A native Rust CLI for cryptographically verifying digital artifacts.

Topics

rust cli security cryptography verification provenance forensics file-format ed25519 digital-signature accountability supply-chain-security

Resources

Readme

License

MIT license
Activity

Stars

4 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 4

v1.0.2 Latest
Feb 11, 2026
+ 3 releases

Sponsor this project

  •  
Learn more about GitHub Sponsors

Contributors

Languages