Archivio v1.17.6

= 1.17.6 =

• Fixed broken saves for JSON-LD / W3C Data Integrity, DANE / DNS Key Corroboration, and ECDSA signing settings: all 19 AJAX calls in those sections referenced archivioPostAdmin.ajaxUrl and archivioPostAdmin.nonce, but archivioPostAdmin was never defined via wp_localize_script. The undefined object caused a silent JavaScript error before any request could fire, leaving the save button permanently stuck on "Saving…". All references corrected to archivioPostData, which is properly localized and carries the correct nonce.

= 1.17.5 =

• Fixed version mismatch: plugin header Version and MDSM_VERSION constant were stuck at 1.16.0 across the 1.17.x release series. Both now correctly read 1.17.5 and match the readme Stable tag.
• Fixed PHP notice and cascading header errors on WordPress 6.7+: load_plugin_textdomain() was never called despite the Text Domain: archiviomd header declaration. WordPress 6.7 introduced stricter enforcement of translation-loading timing; the missing call caused an early-load notice that output text before headers were sent, triggering Cannot modify header information warnings on admin pages. Translation loading is now correctly deferred to the init action.

= 1.17.3 =

• Added /.well-known/archiviomd-dns-spec.json — a machine-readable, self-contained specification for the amd1 TXT record format, the TLSA profile, the canonical message format, and the end-to-end verification flow.
• archiviomd-dns.json now includes a spec_url field pointing to the spec endpoint.

= 1.17.2 =

• Added TLSA cert-expiry staleness warning (≤ 30 days warns, expired errors).
• Added ARCHIVIOMD_DANE_TTL constant; TTL now configurable and used consistently across rotation threshold, admin UI, and Cache-Control headers.
• Added ETag / If-None-Match / 304 conditional response support to the discovery endpoint.
• Fixed discovery endpoint returning HTTP 404 when DANE disabled — now returns HTTP 200 with {"enabled":false} so verifiers can distinguish module-off from a wrong URL.
• Fixed DoH network timeout surfacing as a false "DNSSEC not validated" admin notice.

= 1.17.1 =

• Added TLSA / DANE-EE support (RFC 6698) for the ECDSA P-256 certificate. Selector=1 (SubjectPublicKeyInfo) so the record survives certificate renewal without a key change.
• Added copy-to-clipboard buttons for all DNS TXT record values in the admin UI.
• Fixed Cache-Control bug in the discovery endpoint that overwrote the intended public, max-age=3600 header.
• Added --enable and --disable flags to wp archiviomd dane-check.

= 1.17.0 =

• Added DANE / DNS Key Corroboration. Publishes Ed25519, SLH-DSA, ECDSA P-256, and RSA public keys as DNSSEC-protected DNS TXT records in the custom amd1 format. DoH-based health checks, weekly passive cron, key rotation workflow, machine-readable discovery endpoint at /.well-known/archiviomd-dns.json, JSON-LD integration, and WP-CLI wp archiviomd dane-check.

= 1.16.0 =

• Added RSA Compatibility Signing (Extended Format). RSA-PSS/SHA-256 (recommended) and PKCS#1 v1.5/SHA-256. Minimum key size 2048 bits enforced. Public key published at /.well-known/rsa-pubkey.pem.
• Added CMS / PKCS#7 Detached Signatures (Extended Format). DER blob importable directly into Adobe Acrobat and enterprise DMS platforms as .p7s. Reuses existing ECDSA or RSA key.
• Added JSON-LD / W3C Data Integrity Proofs (Extended Format). Cryptosuites eddsa-rdfc-2022 and ecdsa-rdfc-2019. DID document at /.well-known/did.json.
• All three new methods are opt-in, disabled by default, and sign the same canonical message as all other methods.

= 1.15.0 =

• Added ECDSA P-256 document signing (Enterprise / Compliance Mode). Nonce generation delegated entirely to OpenSSL. Certificate validated on every signing operation. Private keys stored outside DOCUMENT_ROOT, chmod 0600. Leaf certificate published at /.well-known/ecdsa-cert.pem.

= 1.14.0 =

• Added SLH-DSA (SPHINCS+) post-quantum document signing — NIST FIPS 205, pure PHP, no extensions or Composer dependencies. Four parameter sets: SHA2-128s (default), SHA2-128f, SHA2-192s, SHA2-256s. Hybrid mode with Ed25519 via shared DSSE envelope.

= 1.13.1 =

• Fixed SSRF in the URL decoder (ajax_decode_url()): hostname now resolved via dns_get_record() with full private/loopback range rejection and cURL IP pinning to prevent TOCTOU.
• Fixed rate limiter bypass via X-Forwarded-For: now uses rightmost IP with private-range validation, falls back to REMOTE_ADDR.
• Fixed evidence receipts signed over arbitrary POST data: handler now fetches the authoritative server-written log row by ID.
• Fixed key rotation warning that could not be dismissed (wrong option key names in delete calls).
• Fixed three canary option keys missing from the site-specific obfuscation map (fell through to a site-agnostic fallback, defeating the scheme).
• Fixed ReDoS in extract_main_content(): input capped at 2 MB; DOMDocument used as primary extractor; regex fallback uses bounded quantifiers.
• Removed sslverify => false from all outbound fetches.
• Added persistent admin notice when ARCHIVIOMD_HMAC_KEY is not defined in wp-config.php.

= 1.13.0 =

• Added Ch.13 (Sentence-count parity) and Ch.14 (Word-count parity) structural fingerprinting channels — CDN-proof, survive Unicode normalisation.
• Added Cache-Control: no-transform header on all fingerprinted responses.
• Renamed REST endpoints from archiviomd/v1/canary-check to content/v1/verify to reduce plugin fingerprinting via API enumeration.
• Added .htaccess to plugin root blocking direct HTTP access to .php, .txt, .json, and other source files.
• Added key-derived pair selection for Ch.5/6/8/9: active dictionary subset is site-specific, making adversarial reversal equivalent to key brute-force.
• Added wp_options key obfuscation for all Canary Token settings.

= 1.12.0 =

• Added Cache Compatibility Layer. Detects and repairs Unicode fingerprint stripping by WP Super Cache, W3 Total Cache, LiteSpeed Cache, WP Rocket, and other HTML-minifying caching plugins — no caching plugin configuration required.

= 1.11.0 =

• Added Canary Token channels Ch.8–Ch.12: Spelling Variants (60+ British/American pairs), Hyphenation Choices (30+ compound pairs), Number/Date Style, Punctuation Style II, Citation/Title Style.

= 1.10.0 =

• Added REST API fingerprinting (closes WP REST API scraping path).
• Added rate limiting on public verification endpoint (60 req/min; HTTP 429).
• Added Key Health Monitor with persistent admin notice on HMAC key change.
• Added Discovery Log (wp_archivio_canary_log) with CSV export.
• Added Signed Evidence Package — .sig.json receipt with SHA-256 + optional Ed25519 signature for each decode event.
• Added Re-fingerprint All Posts bulk action (single atomic SQL upsert).
• Added Canary Coverage meta box on the post edit screen.
• Added Ch.7 (Punctuation Choice: Oxford comma, em-dash/parentheses).
• Added URL Decoder and DMCA Notice Generator tabs.

= 1.9.0 =

• Added Ch.5 (Contraction Encoding) and Ch.6 (Synonym Substitution) to the Canary Token semantic layer. Both opt-in, disabled by default.

= 1.8.0 =

• Added Canary Token steganographic content fingerprinting (opt-in, disabled by default). 112-bit HMAC-authenticated payload across four Unicode channels with majority-vote redundancy.

Archivio v1.7.0

= 1.7.0 =

Added Sigstore / Rekor transparency log as a fourth anchor provider. Every anchor job can simultaneously submit a hashedrekord v0.0.1 entry to the public Rekor log (rekor.sigstore.dev) alongside GitHub, GitLab, and RFC 3161.
Rekor entries include embedded provenance metadata: site URL, document ID, post type, hash algorithm, plugin version, public key fingerprint, and key type (site long-lived or ephemeral).
When site Ed25519 keys are configured, entries are signed with the long-lived key; the public key fingerprint links to /.well-known/ed25519-pubkey.txt for independent verification. Without site keys, a per-submission ephemeral keypair is generated automatically via PHP Sodium — the content hash is still immutably logged.
Added inline Rekor Activity Log with live "Verify" button — fetches inclusion proof directly from the Rekor API without leaving the admin.
Added Rekor / Sigstore submenu page with server requirements checklist, settings toggle, Test Connection button (read-only GET, no dummy entries written), and scoped activity log.
Expanded hash algorithm library. New standard algorithms: SHA-224, SHA-384, SHA-512/224, SHA-512/256, BLAKE2s-256, SHA-256d, RIPEMD-160, Whirlpool-512. New extended algorithms: GOST R 34.11-94, GOST R 34.11-94 (CryptoPro). Legacy algorithms available but not recommended: MD5, SHA-1.
Rekor is optional and disabled by default. Requires ext-sodium (standard since PHP 7.2) and ext-openssl.

= 1.6.8 =

Added DSSE (Dead Simple Signing Envelope) mode to Ed25519 Document Signing, per the Sigstore DSSE specification.
When enabled, every post and media signature is wrapped in a structured JSON envelope stored in the _mdsm_ed25519_dsse post meta key. The bare hex signature in _mdsm_ed25519_sig is always written alongside — all existing verifiers continue to work without migration.
Envelope format: { "payload": base64(canonical_msg), "payloadType": "application/vnd.archiviomd.document", "signatures": [{ "keyid": sha256_hex(pubkey_bytes), "sig": base64(sig_bytes) }] }.
Signing is over the DSSE Pre-Authentication Encoding (PAE) — prevents cross-protocol signature confusion attacks.
Added sign_dsse(), verify_dsse(), verify_post_dsse(), public_key_fingerprint(), is_dsse_enabled(), and set_dsse_mode() public static methods.
DSSE Envelope Mode toggle added to Cryptographic Verification settings, nested beneath the Ed25519 card. Disabled until Ed25519 is fully configured and active.
Verification files downloaded from the badge now include the full DSSE envelope plus step-by-step offline verification instructions.
Media attachments receive DSSE envelopes when DSSE mode is on.

= 1.6.7 =

Added Signed Export Receipts to all three compliance export types: Metadata CSV, Compliance JSON, and Backup ZIP.
Every export generates a companion .sig.json integrity receipt containing: SHA-256 hash of the exported file, export type, filename, generation timestamp (UTC), site URL, plugin version, and generating user ID.
When Ed25519 Document Signing is configured, the receipt includes a detached Ed25519 signature binding all fields — preventing replay against a different file or context.
"Download Signature" button appears inline after each successful export.

= 1.6.6 =

Fixed verification badge download failing on sites with WP_DEBUG enabled. Root cause: RFC 3161 cross-reference query ran without first checking the anchor log table exists. Fix: added SHOW TABLES existence check and wrapped with wpdb->suppress_errors().
Added ads.txt, app-ads.txt, sellers.json, and ai.txt to SEO Files section.
Added Ed25519 Document Signing. Private key in wp-config.php, public key at /.well-known/ed25519-pubkey.txt, in-browser keypair generator included.

= 1.6.5 =

Fixed fatal PHP parse error from unescaped apostrophe in DigiCert TSA profile notes string.
Fixed fatal load-order error where RFC 3161 provider class was required before its interface was defined.
Fixed undefined variable $settings inside store_tsr().

= 1.6.4 =

Added multi-provider anchoring: RFC 3161 and Git can now run simultaneously on every anchor job.
Each provider tracked independently — failure or rate-limiting of one does not block the other.
Each provider writes its own entry to the Anchor Activity Log.
Existing single-provider installations migrated automatically on next settings read.

= 1.6.3 =

Added structured Compliance JSON export.
Preserves full relationships between posts, hash history, anchor log entries, and inlined RFC 3161 TSR manifests.
Suitable for legal evidence packages, compliance audits, and SIEM ingestion.

= 1.6.2 =

Fixed redundant double hash computation in HTML anchoring.
Added admin notice when anchor jobs permanently fail after all retries.
TSR and TSQ files now blocked from direct HTTP access via .htaccess; served via authenticated download handler.
Verification file download now includes RFC 3161 timestamp details when available.
Scheduled posts correctly anchored when they go live.
Added WP-CLI commands: process-queue, anchor-post, verify, prune-log.
Added configurable log retention (default 90 days) with automatic daily pruning.

= 1.6.1 =

Hardened anchor queue against concurrent processing on high-traffic sites.
Added queue size cap to prevent unbounded option row growth.

= 1.6.0 =

Added RFC 3161 trusted timestamping support.
Four built-in TSA providers: FreeTSA.org, DigiCert, GlobalSign, Sectigo. Custom endpoint supported.
Timestamp tokens (.tsr files) stored locally for independent offline verification.

Archivio v1.5.9

Security & stability improvements

• Fixed input handling and output escaping
• Enqueued scripts and styles correctly
• Corrected readme instructions for installation
• Tested and verified for secure usage

Verification Badge System

• Visual badges on posts and pages showing integrity status
• Three states: ✓ Verified (green), ✗ Unverified (red), − Not Signed (gray)
• Automatic display below titles or content
• Manual placement via [hash_verify] shortcode
• Downloadable verification files for offline confirmation

Supported Hash Algorithms

Standard Algorithms:

• SHA-256 (default)
• SHA-512
• SHA3-256
• SHA3-512
• BLAKE2b

Experimental Algorithms:

• BLAKE3 (requires PHP extension)
• SHAKE128-256
• SHAKE256-512

All algorithms supported in both:

• Post/page hash generation
• Markdown file hash verification
• HTML rendering hash preservation

HMAC Integrity Mode

Add authentication to content verification:

// Add to wp-config.php
define('ARCHIVIOMD_HMAC_KEY', 'your-secret-key');

HMAC mode provides:

• Content integrity: Proves content hasn't changed
• Authenticity: Proves hash was created by key holder
• Tamper detection: Any modification invalidates the hash
• Key-based verification: Offline verification requires secret key

Enable HMAC in Cryptographic Verification → Settings → Enable HMAC Mode

🔗 External Anchoring (Remote Distribution Chain)

Distribute cryptographic integrity records to Git repositories for tamper-evident audit trails.

Supported Providers

• GitHub (public and private repositories)
• GitLab (public and private repositories including self-hosted)

How It Works

1. Content is published or updated
2. Cryptographic hash is generated
3. JSON anchor record is created with:
   • Document/Post ID
   • Hash algorithm and value
   • HMAC value (if enabled)
   • Author ID
   • Timestamp
   • Plugin version
4. Record queued for distribution
5. WP-Cron pushes to GitHub/GitLab every 5 minutes
6. Git commit provides immutable timestamp
7. Creates tamper-evident chain of integrity records

Anchor Record Format

{
  "document_id": "security.txt.md",
  "post_id": 123,
  "post_type": "post",
  "hash_algorithm": "sha256",
  "hash_value": "a3f5b8c2d9e1f4a7...",
  "hmac_value": "b7c6d8e2f1a4b7c6..." (if HMAC enabled),
  "author_id": 1,
  "timestamp": "2026-02-15T12:05:30Z",
  "plugin_version": "1.5.9",
  "integrity_mode": "hmac"
}

Benefits

• Tamper-evident: Git commits prove when hashes were created
• Distributed verification: Anyone can verify via Git history
• Automatic backups: Integrity records preserved off-site
• Audit compliance: Immutable chain for regulatory requirements
• Public transparency: Optional public repository for trust

Audit Logging

All hash generation and verification events logged to database:

• Post ID and type
• Hash algorithm and mode
• Event type (auto_generate, manual_verify)
• Result (success, failure, fallback)
• Timestamp

Export logs to CSV via admin interface.

Content Canonicalization

Consistent hashing requires normalized content:

• Line endings: LF (\n)
• Whitespace: Trimmed
• Format: post_id:X\nauthor_id:Y\ncontent:\n{content}

Cron Schedule

External anchoring uses WP-Cron:

• Frequency: Every 5 minutes
• Batch size: 10 records per execution
• Retry logic: Exponential backoff on failure

---

Security Considerations

HMAC Key Management

• Generate strong keys: 32+ random characters
• Store securely: Only in wp-config.php
• Never commit: Add to .gitignore
• Rotate on compromise: Rehash all content

Token Security

• Minimum permissions: Only required scopes
• Regular rotation: Update tokens periodically
• Secure storage: WordPress database (encrypted)
• Audit access: Monitor repository for unauthorized changes