Title: ArchivioID
Author: mtnviewpro
Published: මාර්තු 24, 2026
Last modified: මාර්තු 24, 2026
---
Search plugins
# ArchivioID
By [mtnviewpro](https://profiles.wordpress.org/mtnviewpro/)
[Download](https://downloads.wordpress.org/plugin/archivioid.zip)
* [Details](https://si.wordpress.org/plugins/archivioid/#description)
* [Reviews](https://si.wordpress.org/plugins/archivioid/#reviews)
* [Installation](https://si.wordpress.org/plugins/archivioid/#installation)
* [Development](https://si.wordpress.org/plugins/archivioid/#developers)
[Support](https://wordpress.org/support/plugin/archivioid/)
## Description
**ArchivioID** is an add-on plugin for **ArchivioMD** that adds a full cryptographic
identity and signature layer to your WordPress site. It manages GPG public keys,
verifies detached OpenPGP signatures on posts, supports multi-signer workflows with
configurable thresholds, and exposes public proof pages so anyone can verify authenticity
without logging in.
#### Key Features
* **Public Key Management**: Store, manage, and rotate GPG public keys with expiry
tracking and administrator alerts
* **Post Signature Verification**: Upload detached .asc signature files for posts—
verified automatically using phpseclib v3
* **Browser-Based Signing**: Sign posts directly in the WordPress admin using a
browser-held key — no server-side key material required
* **Multi-Signature Workflows**: Collect signatures from multiple key holders on
a single post; each signer identified by key fingerprint and timestamp
* **Configurable Signature Threshold**: Require a minimum number of verified signatures
before a post displays the verified badge — configurable globally or per post
type
* **Algorithm Enforcement Floor**: Block weak signature algorithms (MD5, SHA-1)
and enforce minimum RSA/DSA key sizes at upload, REST submission, and re-verification
time
* **Automated Re-Verification**: Daily WP-Cron job re-verifies all signed posts
and flags content that has changed since signing
* **Key Expiry Notifications**: Email alerts at 30, 14, and 3 days before a key
expires, sent to the key owner or site admin
* **Key Rotation Workflow**: Admin UI for generating replacement keys, migrating
existing signatures, and retiring old keys
* **Bulk Verification**: Verify all signed posts in a single admin action with
per-post status reporting
* **REST API**: Full REST endpoint for programmatic signature submission, key retrieval,
and verification status
* **Key Server**: Publishes active public keys at a stable well-known endpoint
for external verifiers
* **Bundle Download**: Downloadable evidence package (hash, signatures, key fingerprints,
timestamps) for any post
* **Public Proof Pages**: Stable public permalink at `/archivio-id/verify/{post_id}`—
renders full chain of custody without requiring admin access
* **Audit Logging**: Immutable log of all verification attempts, key changes, and
rotation events
* **WP-CLI Support**: Full CLI interface for batch operations and automated pipelines
* **Visual Status Badges**: Front-end badge showing verified / unverified / threshold-
unmet status on every post
#### Requirements
* WordPress 6.0 or higher
* PHP 7.4 or higher (tested up to PHP 8.5)
* **ArchivioMD plugin version 1.5.0 or higher** (required parent plugin)
#### How It Works
1. Upload your GPG public key via the ArchivioID Key Management admin page
2. Create or edit a post in WordPress
3. Upload a detached .asc signature file for the post, or sign directly in the browser
4. ArchivioID verifies the signature immediately and on every subsequent automated
re-verify run
5. A verification badge appears on the front end; a public proof page is available
at a stable permalink
#### Technical Details
* Uses **phpseclib v3** for all cryptographic operations — no system GPG installation
required
* Uses **OpenPGP-PHP** for packet parsing and key handling
* All key material and signatures stored in dedicated WordPress database tables
* Algorithm enforcement floor consulted at upload, REST submission, and re-verification
time
* Multi-signature threshold evaluated before displaying the verified badge
* Public proof pages require no admin login — safe to share externally
* Fully WordPress coding standards compliant
#### External Services
This plugin can make outbound HTTP requests to the following third-party services.**
All external lookups are opt-in** and can be disabled under ArchivioID Settings
Key Server Lookup.
**keys.openpgp.org (VKS API)**
When an administrator uses the Key Management page
to look up a GPG public key by fingerprint or email address, the plugin sends a
GET request to `https://keys.openpgp.org/vks/v1/`. No personal data beyond the fingerprint
or email address entered by the administrator is transmitted. This request is made
only on explicit administrator action and only when the “Allow key server lookup”
setting is enabled. * Service: https://keys.openpgp.org * Privacy policy: https://
keys.openpgp.org/about/privacy
**WKD — Web Key Directory (user’s email domain)**
When an administrator looks up
a key by email address, the plugin may also query the Web Key Directory endpoint
on the domain portion of that email address (e.g. `https://example.com/.well-known/
openpgpkey/`). This follows the OpenPGP Web Key Directory specification (draft-koch-
openpgp-webkey-service). The request is made only on explicit administrator action
and only when key server lookup is enabled. * Specification: https://datatracker.
ietf.org/doc/draft-koch-openpgp-webkey-service/ * The domain contacted is determined
entirely by the email address the administrator enters; it is not a fixed third-
party service.
**Identity Proof URLs (user-supplied)**
Administrators may optionally store a public
identity proof URL alongside each key (for example, a Keyoxide or Keybase profile
page). These URLs are stored in the WordPress database and displayed as links in
the frontend badge tooltip. The plugin itself makes no outbound request to these
URLs; they are rendered as standard hyperlinks for visitors to follow voluntarily.*
Keyoxide: https://keyoxide.org * Keybase: https://keybase.io * Any HTTPS URL may
be entered; the plugin validates only that the value is a well-formed HTTPS URL.
### Source Code for Bundled Minified JavaScript
This plugin includes `assets/js/openpgp.min.js`, the minified build of **OpenPGP.
js**.
* **Project home**: https://openpgpjs.org
* **Source code**: https://github.com/openpgpjs/openpgpjs
* **License**: LGPL-3.0-or-later
* **Version used**: 5.x (see `assets/js/openpgp.min.js` file header for exact version)
To reproduce the minified file from source:
```
`
```
git clone https://github.com/openpgpjs/openpgpjs.git
cd openpgpjs npm install npm
run build # produces dist/openpgp.min.js `
Copy `dist/openpgp.min.js` to `assets/js/openpgp.min.js` in this plugin.
### Security
* All inputs sanitized and validated; all outputs escaped
* Nonce verification on all forms and AJAX handlers
* Capability checks (`manage_options`) on all admin actions
* REST API write endpoints require authentication
* SQL prepared statements throughout; no raw query interpolation
* Algorithm enforcement floor blocks known-weak cryptographic primitives
### Support
For support, please visit: https://mountainviewprovisions.com/archivio-id
### License
This plugin is licensed under GPLv2 or later.
## Installation
1. **Install ArchivioMD first** — ArchivioID will refuse to activate without it
2. Upload the `archivio-id` folder to `/wp-content/plugins/`
3. Activate the plugin through the Plugins menu in WordPress
4. Navigate to **Settings Permalinks** and click Save Changes (required for public
proof pages)
5. Go to **ArchivioID Key Management** to upload your first GPG public key
Or install directly from WordPress:
1. Go to Plugins Add New
2. Search for “ArchivioID”
3. Click Install Now then Activate
4. Flush permalinks via Settings Permalinks Save Changes
## FAQ
### What is ArchivioMD?
ArchivioMD is the parent plugin that provides cryptographic content hash verification,
external anchoring (RFC 3161 timestamps, Rekor transparency log, GitHub/GitLab),
and document management for WordPress. ArchivioID extends this with OpenPGP identity
and multi-signer workflows.
### Do I need GPG installed on my server?
No. ArchivioID uses phpseclib v3, a pure-PHP cryptographic library. No system GPG
installation, shell_exec, or command-line access is required.
### Can I verify signatures offline?
Yes. The bundle download and public proof page provide all data needed for offline
verification using standard GPG tools or any OpenPGP-compatible library.
### Does this plugin sign posts, or only verify?
Both. You can upload a detached signature created externally with GPG, or use the
in-admin browser-based signing feature to sign posts directly from the WordPress
editor without server-side key material.
### What is the signature threshold?
The threshold is a configurable minimum number of distinct verified signatures a
post must have before it displays the green verified badge. This supports editorial
workflows where a post must be signed off by multiple key holders before being considered
verified.
### What does the algorithm enforcement floor do?
It blocks signature files that use weak hash algorithms (MD5, SHA-1 by default)
or RSA/DSA keys below a minimum bit length. The floor is enforced at upload time,
REST submission time, and re-verification time — tightening the floor retroactively
re-evaluates existing signatures.
### What is the public proof page?
A stable, unauthenticated permalink at `/archivio-id/verify/{post_id}` that displays
the full verification chain for a post: content hash, each signer’s fingerprint,
algorithm, timestamp, and key metadata. Safe to share externally or link from a
published document.
### Is this compatible with other plugins?
ArchivioID uses WordPress standards, dedicated database tables, and does not modify
core files or other plugins’ data.
## Reviews
There are no reviews for this plugin.
## Contributors & Developers
“ArchivioID” is open source software. The following people have contributed to this
plugin.
Contributors
* [ mtnviewpro ](https://profiles.wordpress.org/mtnviewpro/)
[Translate “ArchivioID” into your language.](https://translate.wordpress.org/projects/wp-plugins/archivioid)
### Interested in development?
[Browse the code](https://plugins.trac.wordpress.org/browser/archivioid/), check
out the [SVN repository](https://plugins.svn.wordpress.org/archivioid/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/archivioid/) by
[RSS](https://plugins.trac.wordpress.org/log/archivioid/?limit=100&mode=stop_on_copy&format=rss).
## Changelog
#### 5.1.0
* Added Public Proof Pages. A stable public permalink `/archivio-id/verify/{post_id}`
renders the full chain of custody for any published post — content hash, signer
fingerprints, algorithms, timestamps, and key metadata — without requiring admin
access. Private, draft, and password-protected posts return 404. Flush permalinks
after upgrading to activate the new route.
* Added Algorithm Enforcement Floor. A configurable policy blocks signature files
using weak hash algorithms (MD5, SHA-1 by default) and enforces minimum RSA/DSA
key sizes (2048 bits by default). Enforcement runs at upload, REST submission,
and automated re-verification time. Configurable from Settings Algorithm Policy.
* Added Multi-Signer Threshold Policy. A configurable minimum verified-signature
count must be met before a post displays the verified badge. Configurable globally
or per post type from Settings Signature Threshold.
* Fixed activation fatal error: `on_activate()` called `ArchivioID_Cron_Verifier::
schedule()` and `ArchivioID_Expiry_Notifier::schedule()` before those class files
were loaded. Both `on_activate()` and `on_deactivate()` now guard with `class_exists`
+ `require_once`.
* Fixed PHP parse error in `admin/views/settings.php` line 244: typographic apostrophe
inside a single-quoted string. Replaced with an escaped straight apostrophe.
#### 5.0.0
* Database schema version bump to 5.0.0.
* Added `identity_proof_url` column to the keys table — store a public URL alongside
each key as an optional identity assertion (e.g. a Keybase proof or GitHub profile).
* Added `sign_method` column to the signatures table tracking whether a signature
was file-uploaded, browser-signed, or REST-submitted.
* Added `sig_metadata` column to both the signatures table and the multi-signatures
table for structured per-signature provenance metadata.
* Signature type chips added to the front-end badge surfacing the sign_method for
each signature.
#### 4.0.0
* Added Key Expiry Notifier. A daily WP-Cron job checks all stored keys for upcoming
expiry and sends email alerts at 30, 14, and 3 days before the expiry date. Emails
are sent to the key’s recorded owner, falling back to the site admin.
* Added WP-CLI integration: `wp archivio-id verify-all`, `wp archivio-id key-list`,`
wp archivio-id key-expire `, `wp archivio-id prune-audit-log`.
* Added Bulk Verification admin page. Verify all signed posts in a single action
with a live progress table.
* Added Key Rotation admin UI for generating replacement keys, re-signing posts,
and retiring old keys without manual database operations.
#### 3.0.0
* Added Automated Re-Verification cron. A daily WP-Cron job re-verifies all posts
with stored signatures and flags any post whose content has changed since signing.
Scheduled on activation; unscheduled on deactivation.
* Added Bundle Download. A downloadable evidence package for any signed post containing
the canonical content hash, all .asc files, signer fingerprints, algorithms,
and timestamps.
#### 2.0.0
* Added Multi-Signature Store. Multiple key holders can independently sign the
same post; each (post_id, key_id) pair tracked in a dedicated `archivio_id_multi_sigs`
table with its own verification status and timestamp.
* Added REST API at `/wp-json/archivio-id/v1/` for programmatic signature submission,
key listing, and verification status. All write endpoints require authentication.
* Added Key Server. Active public keys published at a stable well-known endpoint
for external verifiers.
#### 1.3.1
* Improved OpenPGP packet parsing robustness. Hardened the verifier against malformed
or truncated .asc files.
* Improved error messages for unsupported key types and algorithm mismatches.
#### 1.3.0
* Added Browser-Based Signing. Sign post content directly in the admin using a
browser-held GPG key. The signing operation runs entirely client-side; only the
resulting detached signature is submitted to the server.
* Added dedicated browser signature database table (`archivio_id_browser_sigs`).
* Browser signing admin interface added under ArchivioID Browser Sign.
#### 1.2.0
* Packaging and compliance improvements for WordPress.org.
* Security hardening: added capability check to backend info AJAX handler.
* Improved error messages during plugin activation.
#### 1.1.0
* Complete UI layer implementation.
* Admin interfaces for key management and signature upload.
* Post meta box integration, front-end verification badge, AJAX handlers with nonce
protection.
* Database audit logging for all verification attempts.
#### 1.0.0
* Initial release.
* Core verification engine using phpseclib v3 and OpenPGP-PHP.
* GPG public key storage and detached .asc signature upload/verification per post.
## Meta
* Version **5.1.0**
* Last updated **සති 2ක් ago**
* Active installations **Fewer than 10**
* WordPress version ** 6.0 or higher **
* Tested up to **6.9.4**
* PHP version ** 7.4 or higher **
* Language
* [English (US)](https://wordpress.org/plugins/archivioid/)
* Tags
* [authenticity](https://si.wordpress.org/plugins/tags/authenticity/)[cryptography](https://si.wordpress.org/plugins/tags/cryptography/)
[digital signature](https://si.wordpress.org/plugins/tags/digital-signature/)
[openpgp](https://si.wordpress.org/plugins/tags/openpgp/)[security](https://si.wordpress.org/plugins/tags/security/)
* [Advanced View](https://si.wordpress.org/plugins/archivioid/advanced/)
## Ratings
No reviews have been submitted yet.
[Your review](https://wordpress.org/support/plugin/archivioid/reviews/#new-post)
[See all reviews](https://wordpress.org/support/plugin/archivioid/reviews/)
## Contributors
* [ mtnviewpro ](https://profiles.wordpress.org/mtnviewpro/)
## Support
Got something to say? Need help?
[View support forum](https://wordpress.org/support/plugin/archivioid/)