Attesting + Rekor

The end-to-end Fide Context Protocol flow: create statement batches, sign attestations, anchor in Rekor, and verify in GitHub Actions.

This page explains the full flow in plain language.

Goal: publish Fide Context Protocol attestations in Git, then anchor them in Rekor so anyone can independently verify what happened.

What Gets Written

In the template repo, everything lives under .fide/:

  • .fide/statements/YYYY/MM/DD/{merkleRoot}.jsonl
  • .fide/statement-attestations/YYYY/MM/DD/{YYYY-MM-DD-HHmm}-{attestationShortId}.jsonl
  • .fide/rekor-proofs/YYYY/MM/DD/{YYYY-MM-DD-HHmm}-{attestationShortId}.json

Why Two Files?

statements holds the full statement batch (one statement per line). statement-attestations holds the signed commitment (m, u, r, s, t). The r field (the Merkle root of the batch) appears in both: it names the statements file and is the value the attestation commits to, so a verifier can pair an attestation with exactly one batch.

Simple End-to-End Flow

1. Create a Statement Batch

Write one or more statements that you want to publish.

2. Build a Merkle Root

Each statement is a leaf; the batch gets one Merkle root (r). This single hash is the commitment to the full batch, including its order: change, add, remove or reorder a line and r changes.

3. Sign the Root

Sign the root as an FCP attestation (for example with ed25519).

4. Write Files to .fide/

Write:

  • batch statements to .fide/statements/.../{merkleRoot}.jsonl
  • signed attestation metadata to .fide/statement-attestations/.../{timestamp}-{id}.jsonl

5. Commit + Push to GitHub

This publishes your .fide records publicly (or to your private repo if you choose).

6. Submit to Rekor

Take the latest statement-attestation file, hash it, sign that digest, and submit the signature (with the signing certificate) to Rekor v2. Rekor records the digest, not the file, so the attestation file committed to Git must be byte-identical to what was signed.

7. Save Rekor Proof Output

Save the Rekor response and request context under .fide/rekor-proofs/....

In GitHub Actions, do step 6 with keyless Sigstore (GitHub OIDC + Cosign), and verify that the signer identity in the certificate matches your workflow, not merely that the signature is valid.

Local Commands (Template)

From repo root:

pnpm demo:fide-attestor-template:seed
pnpm demo:fide-attestor-template:rekor
pnpm demo:indexer:index

What each does:

  • seed: creates statements + statement-attestation files
  • rekor: submits latest statement-attestation file to Rekor and writes .fide/rekor-proofs
  • index: verifies the attestation against its statement batch, then materializes the statements

GitHub Keyless Flow

Template workflow:

  • .github/workflows/rekor-keyless-demo.yml

It does this:

  1. Finds the latest .fide/statement-attestations/**/*.jsonl
  2. Runs cosign sign-blob keylessly (GitHub OIDC; the job needs the id-token: write permission)
  3. Uploads to Rekor
  4. Verifies identity with cosign verify-blob:
    • certificate issuer: https://token.actions.githubusercontent.com (--certificate-oidc-issuer)
    • certificate identity regex bound to your repo + workflow + branch (--certificate-identity-regexp); anchor it (^...$) and escape the dots so a fork, another workflow file or another branch cannot satisfy it
  5. Uploads .fide/rekor-proofs/** as a run artifact

If you see Verified OK, both the signature and the workflow identity constraints passed. A valid signature from the wrong identity fails this check, which is the point of step 4.

About Time

The t field in statement-attestations is the signer's self-reported time. It is useful metadata, but it is a claim, not evidence: treat it as a convenience unless your application signs timestamp semantics directly.

For stronger external timing evidence, rely on Rekor inclusion material (and on a TSA if your workflow requires RFC 3161 timestamps).

Rekor v2 Note

You may see integratedTime: "0" in Rekor v2 responses. This is expected in current Rekor v2 behavior and does not mean the submission failed; do not treat that field as a timestamp.

What This Proves

With this flow, a verifier can check:

  1. The statements hash to the Merkle root r
  2. The attestation signature is valid for that root
  3. The attestation artifact was anchored in Rekor
  4. (If using GitHub keyless) the signing identity matches your GitHub workflow
