pedigree/
cryptographic provenance · macOS-first

Cryptographic provenance for files, teams, and evidence.

Pedigree turns local macOS workflows into independently verifiable audit trails: hash-chained events, signed checkpoints, sealed log segments, witness receipts, hybrid post-quantum signatures, and STARK/FRI-ready selective proof commitments.

Inspect a proofRead the security model
signature lanes
P-256 + ML-DSA-65
ZK posture
STARK/FRI-ready
key custody
Secure Enclave
pedigree-inspector · proof-bundle.pdgVERIFIED
0001H=3a9f…b21e
0002H=7c14…0a8d
0003H=ee52…91ff
0004H=1d20…cc73
checkpoint @ seq 0004 · sig: P-256 ✓ · ML-DSA-65 ✓
0005H=b6a1…44e0
0006H=9f82…7d11
witness receipt · observed head 0006 · t+1.2s
selective proof · STARK/FRI public inputs · Merkle roots ✓
$ pedigree verify ./bundle.pdg --witness=notary.eu1
✓ chain ok · ✓ pq signatures · ✓ witness · ✓ selective commitments
01 · capabilities

What Pedigree proves

Each claim below maps to a check a third-party verifier can run independently against an exported proof bundle.

artifact integrity

The included subject artifact matches its committed hash.

sequence integrity

The event sequence has not been silently mutated, reordered, or truncated relative to its signed checkpoints.

device authorship

The checkpoint was signed by the recorded device key bound in the key directory.

hybrid signatures

In production mode, signatures include a classical P-256 lane and an ML-DSA-65 post-quantum lane covering the same canonical payload.

off-device observation

A witness receipt proves an off-device service observed a checkpoint head at a specific sequence.

rollback / equivocation

Conflicting or older heads can be detected when compared against witnessed state from independent observers.

revision custody

Pedigree-native revisions bind snapshot digests, parent revision IDs, changed paths, and signer identity into signed records.

ref movement

Named refs move through signed append-only update records, so reviewers can see which revision a workflow pointer selected.

conflict records

Divergent same-path file states can be recorded as explicit conflict records instead of being hidden inside Git-only metadata.

02 · honest scope

What Pedigree does not pretend to prove

A useful provenance system is defined as much by what it refuses to claim as by what it can verify.

  • It does not prove that a statement is true.
  • It does not prove a file was never generated by AI.
  • It does not make local disk bytes physically immutable.
  • It does not require a blockchain.
  • It does not expose private file contents to a witness.
  • It does not replace Git remotes, branches, checkout, or CI workflows.
03 · architecture

Proof architecture

Each layer commits cryptographically to the layer beneath. Verification recomputes the chain top-down and rejects any mismatch.

  1. L1subject artifact hashingSHA-256 over canonical bytes
  2. L2canonical event recordsdeterministic CBOR / JCS
  3. L3hash-chained append-only feedH(n) commits to H(n-1)
  4. L4sealed segment filesfsync + commit hash
  5. L5signed segment closure manifestsP-256 + ML-DSA-65
  6. L6signed feed checkpointshead, root, seq, time
  7. L7device key directorybinds keys to identities
  8. L8witness receiptsoff-device observed heads
  9. L9Pedigree revisionssigned snapshot digests + parents
  10. L10signed ref updatesappend-only workflow pointers
  11. L11conflict recordslocal vs incoming file states
  12. L12Git interop recordsattributed merge lifecycle bridge
  13. L13selective proof commitmentsevent + artifact Merkle roots
  14. L14exported proof bundle.pdg portable archive
  15. L15browser-side Pedigree Inspectoroffline verifier
event hash recurrence
H(n) = Hash(
    seq
 || timestamp
 || canonicalPayload
 || H(n-1)
)

Each event commits to the previous head. Checkpoints commit to the feed state. Sealed segments commit to local written bytes. Witness receipts commit to checkpoint heads observed off-device.

Verification recomputes the chain end-to-end and rejects any divergence in hashes, signatures, segment closures, or witnessed heads.

commitment graphappend-only · tamper-evident
E₁ · H1
E₂ · H2
E₃ · H3
E₄ · H4
E₅ · H5
checkpoint(seq=5, root=H₅) · sig(P-256, ML-DSA-65)
witness receipt · observed head=H₅
03b · git interop

Git stays a bridge. Pedigree owns the proof.

Developer teams can keep Git for source code while Pedigree records provenance around non-code folders, approvals, evidence, signed revisions, and proof bundles.

keep git

Developer workflow interop

Pedigree keeps Git merge bridge records for developer workflows: branch names, base and merge-head revisions, resolution state, and committed Git hashes can be attributed in the audit timeline.

native

Business-file revisions

For non-code folders, Pedigree now records signed revision snapshots, signed ref movement, and explicit conflict records without requiring a .git directory.

boundary

Not a full Git replacement

Pedigree does not claim Git checkout, remotes, branch negotiation, rebasing, packfiles, or CI ecosystem replacement. Git remains the right tool for source-code collaboration.

The product boundary is deliberate: Git describes developer source history; Pedigree records verifiable chain-of-custody around files, approvals, evidence, secure shares, native business-file revisions, and proof export. A verifier can inspect Git-related activity as attributed events without trusting Git as Pedigree’s storage layer.

04 · cryptography

Hybrid quantum-safe signatures

Pedigree production signatures are hybrid by default. Both lanes cover the same canonical payload, and the verifier checks key-directory bindings rather than trusting public keys embedded in signatures.

classical lane

P-256 (Secure Enclave)

Secure Enclave or non-exportable Keychain P-256 acts as the classical compatibility lane. Wide ecosystem support for HSM-style enforcement, attestation, and existing PKI.

post-quantum lane

ML-DSA-65 (FIPS 204)

ML-DSA-65 anchors long-lived evidence against future cryptanalytic capability. Required in production quantum-safe mode; classical-only mode exists for ecosystem migration.

binding

canonical payload

Both signatures cover the identical canonical-encoded payload. A divergent payload between lanes fails verification.

trust

key directory

Verifiers resolve signer identity through the device key directory rather than embedded public keys, enabling key rotation and revocation.

witness

witness receipts

Witnesses can themselves sign hybrid receipts, extending PQ assurance through the observation layer.

“Classical where ecosystems need it. Post-quantum where long-lived evidence demands it.”

05 · disclosure

Quantum-safe selective disclosure.

Pedigree now exports STARK/FRI-ready proof envelopes: public inputs, transcript hashes, and Merkle commitments over event-feed prefixes and subject artifacts. The construction avoids pairing-based SNARK assumptions in the long-term evidence path.

shipped · commitment verifier
  • · Each export can include a pedigree-selective-zk-proof/v1 record.
  • · Public inputs bind root, feed, checkpoint hash, sequence, subject paths, artifact hashes, and predicate.
  • · Inspector recomputes event and artifact Merkle roots and rejects transcript mismatches.
  • · Witnesses still observe only signed metadata, never plaintext payloads.
next · STARK witness transcript
  • · Attach a transparent STARK/FRI proof transcript to the same public-input envelope.
  • · Prove policy predicates like approval before T or artifact in witnessed state.
  • · Keep verifier assumptions hash-based and post-quantum; avoid Groth16, KZG, pairings, and elliptic-curve commitments for long-lived evidence.
06 · threats

Threat model

Concrete adversary actions and the cryptographic primitives that make them detectable.

threatmitigation
MutationHash chain and signature verification.
Insertion / reorderingSequence numbers and previous-head commitments.
TruncationCheckpoint comparison and witness latest-head tracking.
RollbackWitness receipts and peer-observed heads.
EquivocationWitness rejects conflicting heads for the same root/feed/sequence.
Key compromiseKey rotation, historical public-key records, witness directories.
Metadata overclaimingConservative evidence labels and proof interpretation.
07 · platform

macOS trust anchor

Pedigree’s production macOS runtime uses protected signing keys. Secure Enclave is used for key protection and signing when available; otherwise non-exportable Keychain P-256 is used. The log itself remains on APFS. Security comes from signed checkpoints, sealed segments, and external witness receipts — not from pretending the enclave stores the log.

key custody

Secure Enclave / Keychain

Non-exportable P-256 private keys. ML-DSA-65 keys held under Keychain ACLs with biometric or passcode gating where supported.

storage

APFS sealed segments

Append-only segment files with closure manifests. fsync + segment hash captured before signing the closure.

anti-rollback

Off-device witnesses

Witness services observe checkpoint heads. Local rollback is detectable against any independently observed head.

“Secure Enclave signs the checkpoints. APFS stores the log. Witness receipts prevent silent rollback.”

08 · verification

Proof bundle verification

The verifier checklist is identical whether you run the Pedigree Inspector in your browser or the pedigree CLI on an air-gapped workstation.

▸ live · pedigree inspector

tamper an event or stale the witness — the failing check turns red
pedigree-inspector · sample-bundle.pdgwebcrypto · ecdsa p-256 · sha-256 · in-browser

event log · canonical payloads

head:
  1. seq=0001 · artifact.createH=
    subject="design-spec.pdf" sha256=3a9f…b21e
    2026-04-22T09:14:02Z
  2. seq=0002 · share.grantH=
    recipient="alice@acme.io" scope=read ttl=72h
    2026-04-22T09:18:41Z
  3. seq=0003 · approval.signH=
    approver="device:enc1.A93F" decision=approve
    2026-04-22T11:02:17Z
  4. seq=0004 · checkpoint.emitH=
    seq=4 root=<chain-head>
    2026-04-22T11:02:18Z

verifier checklist

  • ·
    Canonical event encoding
  • ·
    Hash chain recurrence H(n)=Hash(seq‖ts‖payload‖H(n-1))
  • ·
    Chain head matches checkpoint root
  • ·
    ECDSA P-256 checkpoint signature
  • ·
    ML-DSA-65 lane present
  • ·
    Witness receipt observed head
  • ·
    No rollback / equivocation

Hashes computed via crypto.subtle.digest. Signature verified via crypto.subtle.verify against a non-extractable P-256 key. No network calls.

  • 01Recompute artifact hashes.
  • 02Validate event hash chain.
  • 03Validate sealed segment hashes.
  • 04Verify event, checkpoint, segment, witness, and bundle signatures.
  • 05Check ML-DSA-65 signatures in quantum-safe mode.
  • 06Recompute selective-proof event and artifact Merkle commitments.
  • 07Reject malformed STARK/FRI public inputs or transcript hashes.
  • 08Compare local checkpoint against witnessed head.
  • 09Reject missing subject artifacts or hash mismatches.
  • 10Warn when proof is local-only and unwitnessed.
~/proofpedigree-cli · 0.9.4
$ pedigree verify ./bundle.pdg \
    --witness=notary.eu1 \
    --pq-required

[ok]   artifacts: 4/4 hashes match
[ok]   chain: 612 events, head=9f82…7d11
[ok]   segments: 3 sealed, manifests valid
[ok]   sig: P-256 ✓  ML-DSA-65 ✓
[ok]   checkpoint @ seq=612 signed by
       device:enc1.A93F (key-dir bound)
[ok]   witness: notary.eu1 observed
       head=9f82…7d11 at t+0.84s
[ok]   no rollback, no equivocation

verdict: VERIFIED · 0 warnings
09 · in practice

Use cases

Concrete deployments where verifiable provenance materially changes the cost of disputing a record.

creative authorship

Provable workflow history for source files: edits, exports, approvals, releases.

secure file sharing

Auditable share events with claim receipts, expiration, and recipient acknowledgements.

regulated approvals

Cryptographic approval trails suitable for SOX, HIPAA, and ISO 27001 evidence packs.

external evidence

Link emails (Mail), messages (Messages exports), and manual evidence into the chain with attributed hashes.

forensic review

A third-party analyst can verify a proof bundle without contacting Pedigree’s infrastructure.

MCP / AI investigation

Expose audit timelines via MCP for AI-assisted forensic queries against verified history.

10 · third parties

For verifiers

A reviewer can validate a proof bundle without trusting Pedigree’s cloud, without installing the macOS agent, and without contacting the original signer.

  1. 01Load proof bundle in Pedigree Inspector (browser-side, offline).
  2. 02Verify signatures and hash chains entirely in-browser via WebCrypto + WASM.
  3. 03Confirm witness receipts against published witness directory.
  4. 04Check subject artifact hashes against the included or supplied files.
  5. 05Read warnings for local-only proofs or missing evidence.
11 · faq

Technical FAQ

Answers in the same voice we’d use in a security review, not a sales call.

?Is Pedigree a blockchain?+

No. Pedigree is a hash-chained, signed, append-only local feed with off-device witness receipts. There is no consensus, no distributed ledger, and no token. Optional anchoring to external transparency logs or public ledgers is a future extension, not a dependency.

?What does the witness see?+

Signed checkpoint metadata: feed root, sequence number, head hash, timestamp, and signer reference. The witness never receives plaintext file contents or full event payloads. It records the latest observed head and signs a receipt.

?What happens offline?+

The local feed continues recording with full hash-chain and device-key signatures. The result is a tamper-evident append-only history. Witness-based rollback and equivocation protection only applies once a checkpoint is observed by a witness.

?What makes a proof quantum-safe?+

Production quantum-safe mode requires every checkpoint, segment closure, and bundle signature to include a valid ML-DSA-65 (FIPS 204) signature in addition to the P-256 lane. Selective disclosure uses transparent hash-based STARK/FRI proof envelopes rather than pairing-based SNARK assumptions.

?Is this zero-knowledge?+

Pedigree exports a quantum-safe selective-proof envelope today: STARK/FRI public inputs, transcript hashes, and Merkle commitments that Inspector can recompute. A full hidden-witness STARK verifier is the next integration step before policy predicates should be marketed as complete ZK proofs.

?Can a privileged attacker delete local files?+

Yes — Pedigree does not claim physical disk immutability. What it does claim is that any deletion, mutation, or rollback becomes detectable when compared against signed checkpoints, sealed segment manifests, and any witness-observed heads.

?How are keys rotated?+

Device keys are bound through the key directory with explicit historical records. Rotation events are themselves signed and chained. Verifiers resolve the signer-of-record at the checkpoint’s time, not at verification time.

?What does a proof bundle contain?+

A canonical manifest, relevant event records, sealed segment manifests, signed checkpoints, witness receipts, key-directory entries, optional subject artifacts or committed hashes, and optional selectiveProofs records for STARK/FRI-ready disclosure.

?What does Pedigree mean by chain-of-custody?+

An attributed, ordered, append-only history of operations on a subject artifact, where each step is cryptographically committed to the previous step, signed by an identifiable device key, and (in production mode) externally observed by a witness.

· final

Verify the chain.
Don’t trust the screenshot.

Inspect a proof →Read the security model