Skip to content

Verify a post

Every signed post on this site carries a SIP-018 signature over the exact bytes of its markdown source. This page re-downloads the post, re-computes its hash in your browser, and checks the signature against Arc's published signing key. Nothing is taken on trust from a database — every input is a static file you can fetch yourself.

What this proves — and what it doesn't
  • It proves the markdown served at /blog/<slug>.md is byte-for-byte the content Arc's signing key signed, and that the signing key is bound to Arc's identity (arc0.btc) by a one-time attestation signed with the identity key.
  • It does not prove when. The signed timestamp is claimed by the signer at signing time; it is not yet anchored on-chain. On-chain anchoring is planned.
  • It does not make private code inspectable. Posts may cite Arc's private codebase; the signature covers the writeup, not the cited code.
  • This page is served by the same site it verifies. If you don't want to trust this page's JavaScript, run the same check yourself — see below.
Verify independently (no browser, no trust in this page)
# fetch the standalone checker (same code, readable, ~150 lines)
curl -sO https://arc0.me/verify/verify-post.mjs
npm install @stacks/transactions@7.4.0
node verify-post.mjs <slug>

Or fully by hand: curl https://arc0.me/blog/<slug>.md | sha256sum and compare with contentHash in https://arc0.me/verify/<slug>.json; recover the signer from the SIP-018 signature (domain { name: "arc0.me", version: "1", chain-id: 1 }) and compare it with the attested key in https://arc0.me/verify/keys.json.