Reference CMS plugin for server-side content signing with HTMLTrust. Embeds cryptographic signatures into published content so that browsers and crawlers can verify authorship and integrity.
This is a companion to the HTMLTrust specification.
When an author publishes content, the plugin:
- Normalizes the content (strips markup, collapses whitespace) and computes a SHA-256 content hash
- Signs the hash via the HTMLTrust trust directory API using the author's private key
- Embeds the signature, author public key reference, and content hash into the published HTML
- Supports multiple author profiles, endorser profiles, and claim metadata (content type, license, AI involvement, etc.)
- Displays signature status on the frontend with verification controls
The repo is structured for multiple CMS implementations sharing common documentation and API contracts:
```
htmltrust-cms-reference/
├── README.md
├── docs/                      # Shared across all CMS implementations
│   ├── developer-guide.md     # Integration guide for building new CMS plugins
│   ├── user-guide.md          # End-user documentation
│   └── html-protocol.md       # The sig-* HTML attribute protocol specification
├── shared/
│   └── openapi.yaml           # API contract that all CMS plugins implement against
├── wordpress/                 # WordPress plugin implementation
│   ├── content-signing.php    # Plugin entry point
│   ├── admin/                 # WP admin pages (settings, profiles, meta boxes)
│   ├── includes/              # Core logic (API client, signing service, DB, hooks)
│   ├── public/                # Frontend display and verification UI
│   ├── tests/                 # PHPUnit test suite
│   ├── languages/             # i18n translation templates
│   └── bin/                   # Test environment setup scripts
└── (future: drupal/, joomla/, craft/, etc.)
```
- Create a new directory at the root (e.g., `drupal/`)
- Implement against the API contract in `shared/openapi.yaml`
- Follow the HTML protocol in `docs/html-protocol.md` for embedding signatures
- Refer to `docs/developer-guide.md` for integration patterns
- WordPress 5.0+
- PHP 7.0+
- A running HTMLTrust trust directory server
```bash
cd wordpress/
composer install  # Install dev dependencies (PHPUnit, PHPCS)
```
Then either:
- Symlink the `wordpress/` directory into your WP `wp-content/plugins/` folder, or
- Zip the `wordpress/` directory and install via the WordPress admin
- Navigate to Settings → Content Signing in the WordPress admin
- Add a Server Profile pointing to your HTMLTrust trust directory server URL
- Create Author Profiles linking WordPress users to server-side author identities
- Enable signing for your desired post types
- Publish a post — it will be automatically signed
```bash
cd wordpress/
bin/install-wp-tests.sh wordpress_test root '' localhost latest
composer test
```
Signed content is embedded using data attributes that the browser extension recognizes:
```html
<signed-section keyid="did:web:author.example"
                signature="BASE64_SIG" algorithm="ed25519"
                content-hash="sha256:abc123...">
  <article>
    <h1>Verifiable Web Content</h1>
    <p>Content should be provable...</p>
  </article>
</signed-section>
```
See `docs/html-protocol.md` for the full specification.
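A crawler-side integrity check for the `<signed-section>` markup above, added here as an example and not code from this repository. It assumes normalization is exactly "drop tags, collapse whitespace" and that `content-hash` carries a hex SHA-256 digest; the authoritative rules are in `docs/html-protocol.md`. The names `SignedSectionParser`, `normalize` and `check_sections` are hypothetical, and signature verification is out of scope.

```python
import hashlib
import re
from html.parser import HTMLParser

class SignedSectionParser(HTMLParser):
    """Collect attributes and text nodes of each top-level <signed-section>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sections = []  # (attrs dict, list of text chunks) per section
        self._depth = 0     # > 0 while inside a signed-section
    def handle_starttag(self, tag, attrs):
        if tag == "signed-section":
            if self._depth == 0:
                self.sections.append((dict(attrs), []))
            self._depth += 1
    def handle_endtag(self, tag):
        if tag == "signed-section" and self._depth > 0:
            self._depth -= 1
    def handle_data(self, data):
        if self._depth > 0:
            self.sections[-1][1].append(data)

def normalize(chunks):
    # Assumption: drop tags, collapse whitespace runs to one space, trim ends.
    return re.sub(r"\s+", " ", "".join(chunks)).strip()

def check_sections(html):
    """Return (keyid, status) per section: match, mismatch or unsupported."""
    parser = SignedSectionParser()
    parser.feed(html)
    parser.close()
    results = []
    for attrs, chunks in parser.sections:
        scheme, _, claimed = (attrs.get("content-hash") or "").partition(":")
        if scheme != "sha256" or not claimed:
            status = "unsupported"  # missing or unknown hash scheme
        else:
            actual = hashlib.sha256(normalize(chunks).encode("utf-8")).hexdigest()
            status = "match" if actual == claimed.lower() else "mismatch"
        results.append((attrs.get("keyid"), status))
    return results

if __name__ == "__main__":
    # Constructed sample; the digest is computed here so the page is consistent.
    digest = hashlib.sha256(b"Verifiable Web Content Content should be provable...").hexdigest()
    page = (f'<signed-section keyid="did:web:author.example" content-hash="sha256:{digest}">'
            "<article>\n<h1>Verifiable Web Content</h1>\n<p>Content should be provable...</p>\n"
            "</article></signed-section>")
    print(check_sections(page), check_sections(page.replace("provable", "editable")))
```

A `match` only shows that the text still agrees with the embedded hash. Anyone who can edit the page can also recompute that hash, so authorship rests on verifying the signature against the author's key.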
| Repository | Description |
|---|---|
| htmltrust-spec | The HTMLTrust specification and paper |
| htmltrust-server-reference | Reference trust directory API server |
| htmltrust-browser-reference | Reference browser extension for signature validation |
| htmltrust-website | Project website |
This project is licensed under the PolyForm Noncommercial License 1.0.0. You may use, modify, and share the software for any noncommercial purpose with attribution. Commercial use requires a separate agreement with the licensor.
HTMLTrust is an idea I (Jason Grey) have been chewing on since 2024. I'm not an academic — I'm an engineer with a day job and a family — so the spec, the reference implementations, and most of this prose have been written with significant help from AI tools acting as research assistant, technical writer, and pair programmer. I wrote the original architectural sketches and reviewed every line; the assistants filled in the gaps and saved me from re-typing the same explanation for the hundredth time.
Contributions are welcome — human or AI-assisted, doesn't matter to me. What matters is whether the code, the spec text, or the conformance vectors move the project forward. Open a PR.
What this project is not a forum for:
- Debates about whether AI should be used to write code or specifications.
- Opinions on who is or isn't trustworthy on the web.
- Politics, religion, professional practice, or personal philosophy.
HTMLTrust is a mechanism — a way for anyone to sign content they publish and for anyone to decide whom they trust, on their own terms. The project takes no position on what the right answers are; it just provides the tools. If you want to debate the answers, there are entire continents of the internet better suited to it.
If this work is useful to you and you'd like to support it, see GitHub Sponsors or the other channels in .github/FUNDING.yml.