Skip to content

Releases: notvcto/vwh

v2.0.2

15 Jun 23:05
@github-actions github-actions
v2.0.2
279728c
This commit was signed with the committer’s verified signature.
notvcto
SSH Key Fingerprint: 8lnjPn7yyJPRftiX3XGeCyWBl/mHBqGxRjGvwjbpENQ
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v2.0.2 Latest
Latest 
Add registry commit signature check, vwh 2.0.2

Inspector now verifies the HEAD commit of notvcto/vwh-registry via
the GitHub API after a successful registry fetch. If the commit is
GPG-signed, [OK] Registry commit signed is shown. If unsigned, the
inspector warns, finds the last signed commit in the last 20, and
re-fetches keys.json and ledger.json at that SHA to use as fallback.
Check is skipped for --offline and custom --registry URLs.

vwh: 2.0.0 -> 2.0.1
Assets 5
Loading

v2.0.1

15 Jun 22:31
@github-actions github-actions
v2.0.1
ae09df5
This commit was signed with the committer’s verified signature.
notvcto
SSH Key Fingerprint: 8lnjPn7yyJPRftiX3XGeCyWBl/mHBqGxRjGvwjbpENQ
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v2.0.1 
Add is_demo registry flag and ship V2 Frame Me challenge

- Inspector flags any key with is_demo=true as DEMO, independent of
  status (active/deprecated/revoked)
- Replace V1 demo identity with a dual signing+sealing keypair and a
  real sealed V2 reference artifact (challenge.vwh)
- Rewrite README Frame Me challenge for the V2 dual-signature model
- Strengthen vwh-core seal-signature tests to call crypto::verify()
  end-to-end (test-only, vwh-core stays 2.0.0)

vwh: 2.0.0 -> 2.0.1
Loading

v2.0.0

15 Jun 20:22
@github-actions github-actions
v2.0.0
0fdd451

Choose a tag to compare

View all tags
v2.0.0 
V2: dual-signature artifact format, key management overhaul
Loading

v1.0.2

11 Feb 16:43
@github-actions github-actions
v1.0.2
40aaa89

Choose a tag to compare

View all tags
v1.0.2

Release notes (v1.0.2)

  • Bump vwh to 1.0.2 and use v1 registry paths
Loading

v1.0.1

11 Feb 16:27
@github-actions github-actions
v1.0.1
8fa472d

Choose a tag to compare

View all tags
v1.0.1

Release notes (v1.0.1)

  • Detect VWH v2 artifacts and bump to 1.0.1
  • Add platform-specific binary names and usage
  • Add funding configuration for GitHub and custom links
  • Add version badge to README
  • Finalize v1.0.0 metadata and READMEs
  • Bump vwh crate to v1.0.1
Loading

v1.0.0

10 Feb 19:21
@github-actions github-actions
v1.0.0
fc0b6e2

Choose a tag to compare

View all tags
v1.0.0

VWH v1 Release Notes

Release date: 2026-02-10

Highlights

  • Public inspector (vwh) and core library (vwh-core) are production-ready for v1 artifacts.
  • Offline-first verification: signatures are always checked locally.
  • Advisory registry with keys.json and ledger-based artifact acknowledgment (ledger.json).
  • Clear trust output with ASCII-only markers for reliable rendering in all terminals.

What's Included

  • vwh CLI: public inspector for .vwh artifacts
  • vwh-core crate: binary format, signing/verification utilities
  • Man page for vwh and public documentation (README.md, SPEC.md)

Ledger Model (New)

The registry now uses ledger.json instead of revocations.json. The ledger is the public record of artifact acknowledgment and revocation:

{
  "version": 1,
  "updated_at": "ISO8601",
  "artifacts": [
    {
      "id": "32-char hex",
      "fingerprint": "64-char hex",
      "status": "active|revoked",
      "revoked_at": "ISO8601",
      "reason": "string"
    }
  ]
}

Inspector truth table:

  • Sealed + active ledger entry = verified, publicly acknowledged
  • Sealed + missing ledger entry = suspicious/unpublished
  • Draft + active ledger entry = verified (local state differs)
  • Any + revoked ledger entry = revoked

Upgrade Notes

  • If you previously used revocations.json, migrate to ledger.json.
  • Registry base URL remains the same; endpoints are now keys.json and ledger.json.

Build

cargo build --release

Binary locations:

  • macOS/Linux: target/release/vwh
  • Windows: target/release/vwh.exe

Release Assets

Prebuilt binaries:

  • vwh-linux-amd64 (Linux, x86_64, musl)
  • vwh-macos-arm64 (macOS, Apple Silicon)
  • vwh-windows-amd64.exe (Windows, x86_64)

Not Included

The private authoring tool (vwh-author) is intentionally not published in this repo, as mentioned in the previous release.

Loading

vwh v0.1.0-pre — Linux x86_64

09 Feb 17:35
@notvcto notvcto
v0.1.0-pre
93777cc
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
vwh v0.1.0-pre — Linux x86_64 Pre-release
Pre-release

This is the first public pre-release of vwh, a cryptographic artifact inspector for .vwh accountability files.

vwh allows anyone to inspect, verify, and validate the integrity and trust status of a .vwh artifact using:

  • Embedded cryptographic signatures
  • Public key fingerprints
  • A public, advisory revocation registry

This release supports:

  • Offline cryptographic verification
  • Online registry trust checks
  • Clear separation between integrity (math) and trust (registry state)

Platform Support

This release includes one prebuilt binary for:

  • Linux x86_64 (glibc)

Other platforms (Windows, macOS) are not yet supported and will be provided in future releases.

What This Release Is

  • A read-only inspector for .vwh artifacts
  • Intended for verification, auditing, and research
  • Suitable for CI, automation, and offline inspection

What This Release Is Not

  • No artifact authoring tools
  • No key generation or signing capabilities
  • No private or privileged functionality

Artifact creation and signing tools remain intentionally undistributed.

Version Status

  • Status: Pre-release (v0.1)
  • Registry format: v1
  • Binary format: v1

Breaking changes may occur before v1.0.

Loading