Claimed or Attested? A Commit-Signature Dataset and Identity Trust Tiers across the World of Code
Summary
A new commit-signature axis dataset for the World of Code (WoC) V2604 collection has been released, enabling the distinction between claimed and cryptographically attested identities in Git commits. The V2604 corpus, comprising 5,866,595,698 commits, reveals that 17.59% (1,031,721,316 commits) carry a signature, predominantly PGP at 98.96%, with SSH (1.02%) and X.509/sigstore (0.02%) growing. This dataset includes `c2sigFull` (per-commit signature map), a gated `key2A/A2key` (key-to-author graph separating person keys from shared/CI keys), `A2trust` (per-identity attestation tiers), and a cryptographically grounded alias gold. The extraction method scans existing WoC commit tables, as `gpgsig` headers are already present in the message field. This axis serves as a precision anchor, calibrating heuristic alias maps and providing attestation provenance for science-to-software identity links, though signed commits skew towards security-conscious developers.
Key takeaway
For Research Scientists or Data Scientists working on identity resolution in large code corpora, you can now leverage cryptographic commit signatures to establish verifiable identity links. This moves beyond heuristic name-matching, providing a stronger foundation for linking software authors to scholarly publications or detecting impersonation. Integrate the `A2trust` dataset to add a principled confidence axis to your identity resolution, especially for high-stakes links or when identifying potentially fraudulent author strings.
Key insights
Cryptographic commit signatures provide a verifiable identity anchor, distinguishing attested from claimed author strings in large code corpora.
Principles
- Commit signatures offer a precision anchor for identity, not broad coverage.
- High-fanout keys often indicate shared organizational or CI identities.
- Attestation tiers provide a principled confidence axis for identity resolution.
Method
Extract commit signatures by scanning existing World of Code commit tables for "gpgsig" headers, which are already present in the message field, avoiding object database re-reads. Then, apply a key-fanout gate to separate person keys from shared keys.
In practice
- Use `A2trust` to assess identity confidence in WoC-scale studies.
- Calibrate heuristic alias maps using cryptographically grounded alias gold.
- Detect impersonation on vanity strings by identifying anomalous key dispersion.
Topics
- Commit Signatures
- Identity Resolution
- World of Code
- PGP
- SSH
- X.509
- Attestation Tiers
Code references
Best for: AI Scientist, Research Scientist, Data Scientist, Data Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by cs.SE updates on arXiv.org.