Added Public Proof Pages. A stable public permalink /archivio-id/verify/{post_id} renders the full chain of custody for any published post — content hash, signer fingerprints, algorithms, timestamps, and key metadata — without requiring admin access. Private, draft, and password-protected posts return 404. Flush permalinks after upgrading to activate the new route.
Added Algorithm Enforcement Floor. A configurable policy blocks signature files using weak hash algorithms (MD5, SHA-1 by default) and enforces minimum RSA/DSA key sizes (2048 bits by default). Enforcement runs at upload, REST submission, and automated re-verification time. Configurable from Settings → Algorithm Policy.
Added Multi-Signer Threshold Policy. A configurable minimum verified-signature count must be met before a post displays the verified badge. Configurable globally or per post type from Settings → Signature Threshold.
Fixed activation fatal error: on_activate() called ArchivioID_Cron_Verifier::schedule() and ArchivioID_Expiry_Notifier::schedule() before those class files were loaded. Both on_activate() and on_deactivate() now guard with class_exists + require_once.
Fixed PHP parse error in admin/views/settings.php line 244: typographic apostrophe inside a single-quoted string. Replaced with an escaped straight apostrophe.
5.0.0
Database schema version bump to 5.0.0.
Added identity_proof_url column to the keys table — store a public URL alongside each key as an optional identity assertion (e.g. a Keybase proof or GitHub profile).
Added sign_method column to the signatures table tracking whether a signature was file-uploaded, browser-signed, or REST-submitted.
Added sig_metadata column to both the signatures table and the multi-signatures table for structured per-signature provenance metadata.
Signature type chips added to the front-end badge surfacing the sign_method for each signature.
4.0.0
Added Key Expiry Notifier. A daily WP-Cron job checks all stored keys for upcoming expiry and sends email alerts at 30, 14, and 3 days before the expiry date. Emails are sent to the key’s recorded owner, falling back to the site admin.
Added Bulk Verification admin page. Verify all signed posts in a single action with a live progress table.
Added Key Rotation admin UI for generating replacement keys, re-signing posts, and retiring old keys without manual database operations.
3.0.0
Added Automated Re-Verification cron. A daily WP-Cron job re-verifies all posts with stored signatures and flags any post whose content has changed since signing. Scheduled on activation; unscheduled on deactivation.
Added Bundle Download. A downloadable evidence package for any signed post containing the canonical content hash, all .asc files, signer fingerprints, algorithms, and timestamps.
2.0.0
Added Multi-Signature Store. Multiple key holders can independently sign the same post; each (post_id, key_id) pair tracked in a dedicated archivio_id_multi_sigs table with its own verification status and timestamp.
Added REST API at /wp-json/archivio-id/v1/ for programmatic signature submission, key listing, and verification status. All write endpoints require authentication.
Added Key Server. Active public keys published at a stable well-known endpoint for external verifiers.
1.3.1
Improved OpenPGP packet parsing robustness. Hardened the verifier against malformed or truncated .asc files.
Improved error messages for unsupported key types and algorithm mismatches.
1.3.0
Added Browser-Based Signing. Sign post content directly in the admin using a browser-held GPG key. The signing operation runs entirely client-side; only the resulting detached signature is submitted to the server.
