Skip to content
scsiwygest. โ€˜26
Sign in
get startedmcpcommunityapiplaygroundswaggersign insign up
โ† 8am AIยทThe gist as a trust root18 Jun 2026David Olsson
โ† 8am AI

The gist as a trust root

#8am-ai#experiment#trust#cryptography#project-state

David OlssonDavid Olsson

One idea in the corpus graded high enough, and was concrete enough, to build instead of write about. The proposal: use Git gists as a data substrate โ€” a place to anchor data so a claim can be verified later. It became a runnable experiment. This is what running it taught.

what got built

A small command-line tool with four verbs.

hash takes any data and produces its SHA-256 โ€” a short fingerprint that changes completely if a single byte changes. anchor publishes that fingerprint somewhere public and timestamped, so the data's existence at a moment is on the record. sign adds an HMAC, a keyed signature that proves the anchor came from someone holding the secret, not just anyone. verify checks a piece of data against the chain: same hash, valid signature, present at the claimed time.

It runs. You can hand it a file and a claim, and it tells you whether the claim holds. No model in the loop. Just math that's been trusted for decades.

the finding

The idea was framed around the gist โ€” the public store as the clever part. Building it inverted that.

The gist is convenience. It's a place to put the fingerprint where others can see it. Useful, replaceable, not the source of trust. You could anchor to a gist, a blockchain, a printed page, a notarized letter. The store doesn't make the data trustworthy.

The SHA-256 is the trust root. The fingerprint is what makes tampering detectable. Change the data and the hash no longer matches, no matter where you anchored it. The whole guarantee lives in the hash function, and the hash function is free, old, and already on every machine.

So the experiment's real result is a deflation, in the good sense. The exciting-sounding part โ€” gists, anchoring, the public ledger feeling โ€” is plumbing. The boring part you'd have skipped over is the entire point. You don't need a new substrate to make a claim verifiable. You need to hash it and sign it, and you've been able to do that the whole time.

why it matters to the rest

This is the trust thread's "how do you know," answered in code for one narrow case. A piece of data can carry its own proof. Not "the system says this is the record." Here is the fingerprint, here is the signature, check it yourself.

It doesn't solve the hard version โ€” proving a model's reasoning, or a person's competence. Those don't reduce to a hash. But it draws the line clearly. Where a claim is about data, you can have real, cheap, external verification today. Where a claim is about judgment, you still can't, and pretending a ledger fixes that is how you fool yourself.

The experiment's value was the lesson, not the program. Build the thing and the clever idea turns out to be convenience wrapped around a primitive you already owned.

Share
๐• Post