
ArchivioID

Author: mtnviewpro
OpenPGP signature verification, multi-signer workflows, key lifecycle management, and public proof pages for ArchivioMD.
Version
5.1.0
Last updated
Mar 24, 2026

ArchivioID is an add-on plugin for ArchivioMD that adds a full cryptographic identity and signature layer to your WordPress site. It manages GPG public keys, verifies detached OpenPGP signatures on posts, supports multi-signer workflows with configurable thresholds, and exposes public proof pages so anyone can verify authenticity without logging in.

Key Features

  • Public Key Management: Store, manage, and rotate GPG public keys with expiry tracking and administrator alerts
  • Post Signature Verification: Upload detached .asc signature files for posts — verified automatically using phpseclib v3
  • Browser-Based Signing: Sign posts directly in the WordPress admin using a browser-held key — no server-side key material required
  • Multi-Signature Workflows: Collect signatures from multiple key holders on a single post; each signer identified by key fingerprint and timestamp
  • Configurable Signature Threshold: Require a minimum number of verified signatures before a post displays the verified badge — configurable globally or per post type
  • Algorithm Enforcement Floor: Block weak signature algorithms (MD5, SHA-1) and enforce minimum RSA/DSA key sizes at upload, REST submission, and re-verification time
  • Automated Re-Verification: Daily WP-Cron job re-verifies all signed posts and flags content that has changed since signing
  • Key Expiry Notifications: Email alerts at 30, 14, and 3 days before a key expires, sent to the key owner or site admin
  • Key Rotation Workflow: Admin UI for generating replacement keys, migrating existing signatures, and retiring old keys
  • Bulk Verification: Verify all signed posts in a single admin action with per-post status reporting
  • REST API: Full REST endpoint for programmatic signature submission, key retrieval, and verification status
  • Key Server: Publishes active public keys at a stable well-known endpoint for external verifiers
  • Bundle Download: Downloadable evidence package (hash, signatures, key fingerprints, timestamps) for any post
  • Public Proof Pages: Stable public permalink at /archivio-id/verify/{post_id} — renders full chain of custody without requiring admin access
  • Audit Logging: Immutable log of all verification attempts, key changes, and rotation events
  • WP-CLI Support: Full CLI interface for batch operations and automated pipelines
  • Visual Status Badges: Front-end badge showing verified / unverified / threshold-unmet status on every post

Requirements

  • WordPress 6.0 or higher
  • PHP 7.4 or higher (tested up to PHP 8.5)
  • ArchivioMD plugin version 1.5.0 or higher (required parent plugin)

How It Works

  1. Upload your GPG public key via the ArchivioID Key Management admin page
  2. Create or edit a post in WordPress
  3. Upload a detached .asc signature file for the post, or sign directly in the browser
  4. ArchivioID verifies the signature immediately and on every subsequent automated re-verify run
  5. A verification badge appears on the front end; a public proof page is available at a stable permalink

Technical Details

  • Uses phpseclib v3 for all cryptographic operations — no system GPG installation required
  • Uses OpenPGP-PHP for packet parsing and key handling
  • All key material and signatures stored in dedicated WordPress database tables
  • Algorithm enforcement floor consulted at upload, REST submission, and re-verification time
  • Multi-signature threshold evaluated before displaying the verified badge
  • Public proof pages require no admin login — safe to share externally
  • Fully WordPress coding standards compliant

External Services

This plugin can make outbound HTTP requests to the following third-party services. All external lookups are opt-in and can be disabled under ArchivioID Settings Key Server Lookup.

keys.openpgp.org (VKS API)

When an administrator uses the Key Management page to look up a GPG public key by fingerprint or email address, the plugin sends a GET request to https://keys.openpgp.org/vks/v1/. No personal data beyond the fingerprint or email address entered by the administrator is transmitted. This request is made only on explicit administrator action and only when the "Allow key server lookup" setting is enabled.

  • Service: https://keys.openpgp.org
  • Privacy policy: https://keys.openpgp.org/about/privacy

WKD — Web Key Directory (user's email domain)

When an administrator looks up a key by email address, the plugin may also query the Web Key Directory endpoint on the domain portion of that email address (e.g. https://example.com/.well-known/openpgpkey/). This follows the OpenPGP Web Key Directory specification (draft-koch-openpgp-webkey-service). The request is made only on explicit administrator action and only when key server lookup is enabled.

  • Specification: https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/
  • The domain contacted is determined entirely by the email address the administrator enters; it is not a fixed third-party service.
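Because the WKD host is derived from whatever address is typed in, it helps to see exactly which URLs a lookup can produce. The following is an added example, not code from the plugin: it derives the advanced-method and direct-method URLs defined by the WKD draft and refuses domains that are not plain DNS names. The function names `zbase32` and `wkd_urls` and the hostname check are assumptions of this example; the page does not say which method the plugin uses or how it validates the domain.

```python
import hashlib
import re
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

# Plain DNS name: two or more labels, last label starts with a letter
# (so dotted IPv4 literals, bracketed IPv6, ports and paths all fail).
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z][a-z0-9-]{0,61}[a-z0-9]$"
)


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32; bit length must be a multiple of 5."""
    bits = len(data) * 8
    if bits % 5:
        raise ValueError("length not a multiple of 5 bits")
    n = int.from_bytes(data, "big")
    return "".join(ZBASE32[(n >> s) & 31] for s in range(bits - 5, -1, -5))


def wkd_urls(email: str) -> dict:
    """Return the advanced- and direct-method WKD URLs for an address."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local:
        raise ValueError("not an email address")
    domain = domain.lower()
    if not _HOST_RE.match(domain):
        raise ValueError("domain is not a plain DNS hostname")
    # The draft maps ASCII upper case to lower case before hashing;
    # bytes.lower() leaves non-ASCII bytes untouched, as required.
    # SHA-1 here only names the resource; it is not a signature hash.
    hu = zbase32(hashlib.sha1(local.encode("utf-8").lower()).digest())
    query = "?l=" + quote(local, safe="")  # original-case local part
    base = "/.well-known/openpgpkey"
    return {
        "advanced": f"https://openpgpkey.{domain}{base}/{domain}/hu/{hu}{query}",
        "direct": f"https://{domain}{base}/hu/{hu}{query}",
    }


if __name__ == "__main__":
    # Constructed sample input (the address used in the WKD draft).
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(method, url)
```

The hostname check is syntactic only: a name that passes can still resolve to an internal address, so egress filtering on the server remains the control for that case.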

Identity Proof URLs (user-supplied)

Administrators may optionally store a public identity proof URL alongside each key (for example, a Keyoxide or Keybase profile page). These URLs are stored in the WordPress database and displayed as links in the frontend badge tooltip. The plugin itself makes no outbound request to these URLs; they are rendered as standard hyperlinks for visitors to follow voluntarily.

  • Keyoxide: https://keyoxide.org
  • Keybase: https://keybase.io
  • Any HTTPS URL may be entered; the plugin validates only that the value is a well-formed HTTPS URL.

Source Code for Bundled Minified JavaScript

This plugin includes assets/js/openpgp.min.js, the minified build of OpenPGP.js.

  • Project home: https://openpgpjs.org
  • Source code: https://github.com/openpgpjs/openpgpjs
  • License: LGPL-3.0-or-later
  • Version used: 5.x (see assets/js/openpgp.min.js file header for exact version)

To reproduce the minified file from source:

```
git clone https://github.com/openpgpjs/openpgpjs.git
cd openpgpjs
npm install
npm run build   # produces dist/openpgp.min.js
```

Copy dist/openpgp.min.js to assets/js/openpgp.min.js in this plugin.

Security

  • All inputs sanitized and validated; all outputs escaped
  • Nonce verification on all forms and AJAX handlers
  • Capability checks (manage_options) on all admin actions
  • REST API write endpoints require authentication
  • SQL prepared statements throughout; no raw query interpolation
  • Algorithm enforcement floor blocks known-weak cryptographic primitives

Support

For support, please visit: https://mountainviewprovisions.com/archivio-id

License

This plugin is licensed under GPLv2 or later.

Tested up to
WordPress 6.9.4