Skip to content
A transparent and secure way to look up public keys.
Branch: master
Clone or download
Latest commit edbb871 Mar 20, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
cmd Transition off of deprecated gAPI.New (#1242) Mar 19, 2019
core Fix lint comment (#1243) Mar 20, 2019
deploy Fix CI (#1164) Jan 22, 2019
docs Remove references to tinkpb.Keyset (#1240) Mar 11, 2019
.env Update docker-compose paths (#1169) Feb 4, 2019
.golangci.yml Linter fixups (#1197) Feb 8, 2019
.gometalinter.json Remove Makefile and use standard gometalinter config (#1042) Sep 19, 2018
.keytransparency.yaml Simplify command line client flags (#738) Aug 12, 2017
AUTHORS Prevent protobuf nil pointer dereference (#600) Aug 8, 2017
LICENSE Add Licensing Jun 2, 2015 Added keyset-file flag tp specify file path and name (#1223) Feb 25, 2019
client_secrets.json.enc Fix gcloud install and deploy script (#1060) Oct 9, 2018
docker-compose.override.yml Move mysql expose port to override compose file (#1204) Feb 11, 2019
docker-compose.yml Move mysql expose port to override compose file (#1204) Feb 11, 2019

Key Transparency

GoDoc Build Status Go Report Card codecov

Key Transparency Logo

Key Transparency provides a lookup service for generic records and a public, tamper-proof audit log of all record changes. While being publicly auditable, individual records are only revealed in response to queries for specific IDs.

Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable. It can be used by account owners to reliably see what keys have been associated with their account, and it can be used by senders to see how long an account has been active and stable before trusting it.

Key Transparency is inspired by CONIKS and Certificate Transparency. It is a work-in-progress with the following milestones under development.

Key Transparency Client


  1. Install Go 1.10.
  2. go get -u

Client operations

Generate a private key

keytransparency-client authorized-keys create-keyset --password=${PASSWORD}
keytransparency-client authorized-keys list-keyset --password=${PASSWORD}

The create-keyset command will create a .keyset file in the user's working directory. To specify custom directory use --keyset-file or --kf shortcut.

NB A default for the Key Transparency server URL is being used here. The default value is "". The flag --kt-url may be used to specify the URL of Key Transparency server explicitly.

Publish the public key

  1. Get an OAuth client ID and download the generated JSON file to client_secret.json.
keytransparency-client post \
--client-secret=client_secret.json \
--insecure \
--password=${PASSWORD} \
--data='dGVzdA==' #Base64

Get and verify a public key

keytransparency-client get <email> --insecure --verbose
✓ Commitment verified.
✓ VRF verified.
✓ Sparse tree proof verified.
✓ Signed Map Head signature verified.
CT ✓ STH signature verified.
CT ✓ Consistency proof verified.
CT   New trusted STH: 2016-09-12 15:31:19.547 -0700 PDT
CT ✓ SCT signature verified. Saving SCT for future inclusion proof verification.
✓ Signed Map Head CT inclusion proof verified.
keys:<key:"app1" value:"test" >

Verify key history

keytransparency-client history <email> --insecure
Revision |Timestamp                    |Profile
4        |Mon Sep 12 22:23:54 UTC 2016 |keys:<key:"app1" value:"test" >


Running the server

  1. OpenSSL
  2. Docker
    • Docker Engine 1.13.0+ docker version -f '{{.Server.APIVersion}}'
    • Docker Compose 1.11.0+ docker-compose --version
go get -u
go get -u
cd $(go env GOPATH)/src/
./scripts/ -f
docker-compose up -f docker-compose.yml
  1. Watch it Run

Development and Testing

Key Transparency and its Trillian backend use a MySQL database, which must be setup in order for the Key Transparency tests to work.

docker-compose up -d db will launch the database in the background.

Directory structure

The directory structure of Key Transparency is as follows:


You can’t perform that action at this time.