A transparent and secure way to look up public keys.
Go Shell Makefile
Switch branches/tags
Nothing to show
Latest commit 83df957 Oct 20, 2017 @gdbelvin gdbelvin Remove etcd dependency
This PR removes the unused viper remote configuration feature.
The remote configuration feature was pulling in a whole dependency graph
that includes an unvenored etcd client which has the tendency of
breaking periodically.
Failed to load latest commit information.
cmd Remove etcd dependency Oct 20, 2017
core package comment Oct 16, 2017
deploy add insecure flag to deployed server Aug 25, 2017
docs Revert "Merge service and type definitions in protos (#827)" Oct 6, 2017
impl use new context Oct 13, 2017
integration use new context Oct 13, 2017
scripts retrieve tree from inside pod Aug 25, 2017
testdata Automate server and client configuration setup Oct 21, 2016
vendor Simplify mutation protos (#823) Oct 2, 2017
.dockerignore Add .dockerignore file, move gcloud auth command to travis (#622) Jun 20, 2017
.gitignore Rename: keytransparency-signer to keytransparency-sequencer (#764) Aug 18, 2017
.keytransparency.yaml Simplify command line client flags (#738) Aug 12, 2017
.travis.yml travis: add 1.9.x instead 1.8 go version (#826) Oct 2, 2017
AUTHORS Prevent protobuf nil pointer dereference (#600) Aug 8, 2017
CONTRIBUTING.md fix presubmit stanza in the guidelines Jan 19, 2017
CONTRIBUTORS Monitor verification logic (#768) Sep 1, 2017
LICENSE Add Licensing Jun 2, 2015
Makefile remove vendoring specific logic now that 1.9 handles it for us (#828) Oct 3, 2017
README.md Document MySQL testing dependency Sep 27, 2017
coverage.sh remove vendoring specific logic now that 1.9 handles it for us (#828) Oct 3, 2017
docker-compose.yml Non-verifying monitor (#776) Aug 24, 2017
metalinter.json Fix mapper metadata following Trillian change, plus vendoring changes… Sep 29, 2017
travis_secrets.tar.gz.enc Update/re-encrypt and add credentials-file (#647) (#648) Jun 22, 2017


Key Transparency

Build Status Go Report Card GoDoc

Key Transparency Logo

Key Transparency provides a lookup service for generic records and a public, tamper-proof audit log of all record changes. While being publicly auditable, individual records are only revealed in response to queries for specific IDs.

Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable. It can be used by account owners to reliably see what keys have been associated with their account, and it can be used by senders to see how long an account has been active and stable before trusting it.

Key Transparency is inspired by CONIKS and Certificate Transparency. It is a work-in-progress with the following milestones under development.

Key Transparency Client


  1. Install Go 1.7.
  2. go get -u github.com/google/keytransparency/cmd/keytransparency-client
  3. Get an OAuth client ID and download the generated JSON file to client_secret.json.

Client operations

Publish a public key

keytransparency-client authorized-keys --help 
keytransparency-client authorized-keys add --generate --type=ecdsa --activate
keytransparency-client post user@domain.com app1 --client-secret=client_secret.json --insecure -d 'dGVzdA==' #Base64

Get and verify a public key

keytransparency-client get <email> <app> --insecure --verbose
✓ Commitment verified.
✓ VRF verified.
✓ Sparse tree proof verified.
✓ Signed Map Head signature verified.
CT ✓ STH signature verified.
CT ✓ Consistency proof verified.
CT   New trusted STH: 2016-09-12 15:31:19.547 -0700 PDT
CT ✓ SCT signature verified. Saving SCT for future inclusion proof verification.
✓ Signed Map Head CT inclusion proof verified.
keys:<key:"app1" value:"test" >

Verify key history

keytransparency-client history <email> --insecure
Epoch |Timestamp                    |Profile
4     |Mon Sep 12 22:23:54 UTC 2016 |keys:<key:"app1" value:"test" >

Running the server


  1. OpenSSL
  2. Docker
    • Docker Engine 1.13.0+ docker version -f '{{.Server.APIVersion}}'
    • Docker Compose 1.11.0+ docker-compose --version
  3. go get -u github.com/google/keytransparency/...
  4. go get -u github.com/google/trillian/...
  5. ./scripts/prepare_server.sh -f


  1. Start Trillian
$ docker-compose up -d trillian-map trillian-log
Creating keytransparency_db_1
Creating  keytransparency_trillian-map_1
Creating  keytransparency_trillian-log_1
  1. Provision a log and a map
source scripts/configure_trillian.sh && createLog && createMap
  1. Run Key Transparency

Development and Testing

Key Transparency and its Trillian backend use a MySQL database, which must be setup in order for the Key Transparency tests to work.