Claimed or Attested? A Commit-Signature Dataset and Identity Trust Tiers across the World of Code

· Source: cs.SE updates on arXiv.org · Field: Technology & Digital — Software Development & Engineering, Data Science & Analytics, Cybersecurity & Data Privacy · Depth: Expert, extended

Summary

A new commit-signature axis dataset for the World of Code (WoC) V2604 collection has been released, enabling the distinction between claimed and cryptographically attested identities in Git commits. The V2604 corpus, comprising 5,866,595,698 commits, reveals that 17.59% (1,031,721,316 commits) carry a signature, predominantly PGP at 98.96%, with SSH (1.02%) and X.509/sigstore (0.02%) growing. This dataset includes `c2sigFull` (per-commit signature map), a gated `key2A/A2key` (key-to-author graph separating person keys from shared/CI keys), `A2trust` (per-identity attestation tiers), and a cryptographically grounded alias gold. The extraction method scans existing WoC commit tables, as `gpgsig` headers are already present in the message field. This axis serves as a precision anchor, calibrating heuristic alias maps and providing attestation provenance for science-to-software identity links, though signed commits skew towards security-conscious developers.

Key takeaway

For Research Scientists or Data Scientists working on identity resolution in large code corpora, you can now leverage cryptographic commit signatures to establish verifiable identity links. This moves beyond heuristic name-matching, providing a stronger foundation for linking software authors to scholarly publications or detecting impersonation. Integrate the `A2trust` dataset to add a principled confidence axis to your identity resolution, especially for high-stakes links or when identifying potentially fraudulent author strings.

Key insights

Cryptographic commit signatures provide a verifiable identity anchor, distinguishing attested from claimed author strings in large code corpora.

Principles

Method

Extract commit signatures by scanning existing World of Code commit tables for "gpgsig" headers, which are already present in the message field, avoiding object database re-reads. Then, apply a key-fanout gate to separate person keys from shared keys.

In practice

Topics

Code references

Best for: AI Scientist, Research Scientist, Data Scientist, Data Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.SE updates on arXiv.org.