Skip to content

Consider timestamping hash files

💡 Proposal

Last weekend I was at the merge-it 2025, and a person presented OpenTimestamps (on Wikipedia), which is a way to put a timestamp to files for free.

It's basically some API calls for which clients already exist (and it should be as easy as calling them from the command line).

User Story

As a user, I want to be sure that the hashes published in TPO haven't been tampered after the actual publication.

So, I'd like to have a time proof to check them.

Security and Privacy Implications

Security

No changes for the users.

But we'd have to trust the service to do its things as expected.

Shall the service become compromised, how would users be able to tell the service is compromised, rather than TPO?

Privacy

No changes

Accessibility Implications

No changes

Other Trade-Offs

See above.

Prior Art

Does this feature exist in other browsers?

  • Yes
    • Firefox
    • Firefox ESR
    • Other (please specify)
  • No

I found an issue for Qubes: https://github.com/QubesOS/qubes-issues/issues/2847

I've been told bitcoin core uses it to timestamp git commits, but I haven't been able to find documentation about it (I found documentation about how to do it, but not about projects actually doing it).

Does this feature exist as an extension? If yes, which one provides this functionality?

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information