Verifiable anonymity
Every signature proves a commit came from one member of a known contributor ring — without naming the signer. Verification confirms legitimacy, nothing else.
LSAG ring signatures over secp256k1.
Anonymity for contributors. Proof for everyone else.
Sign a commit as one of N declared contributors. Verifiers can prove the commit came from your trusted set, but cannot tell which member signed. Same git, same trailers, same workflow — with cryptographic anonymity layered on top.
Today, commit attribution is binary. Either you expose your identity publicly, or your contribution becomes unverifiable. gitghost introduces a third option: anonymous but cryptographically provable authorship.
Repeated signers produce a stable key image, so reviewers can track contribution patterns across a codebase even when individual identities remain hidden.
No trusted authority. No setup ceremony. No central coordinator. The CLI signs commits locally, and proofs travel as standard git commit trailers your tooling already understands.
Three steps, no infrastructure: declare your contributor set, sign your commit locally, and let anyone verify the proof against the same math.
Pull contributors' public SSH keys from github.com/<user>.keys and derive deterministic ghost keys from them. The ring is a public commitment of who could have signed; the signer inside it stays indistinguishable.
Run a single CLI command. gitghost generates an LSAG signature over secp256k1 against your local secret and writes it as a standard commit trailer. The signing step itself is fully offline — no coordinator, no remote service.
Anyone can verify ring membership, signature integrity, and ring-root consistency, and surface the key image for reuse detection — via the public verifier API or locally via the CLI. Trust assumptions: zero.
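The sign and verify steps above, sketched as a textbook LSAG (Liu, Wei, Wong) over secp256k1. This is an added example, not gitghost's code or wire format: the `repr()`-based hashing, the try-and-increment hash-to-point and every function name are assumptions, and the arithmetic is not constant time.

```python
import hashlib, secrets
P = 2**256 - 2**32 - 977  # secp256k1 field prime; curve is y^2 = x^3 + 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    m = (3*x1*x1 * pow(2*y1, -1, P) if a == b else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (m*m - x1 - x2) % P
    return x3, (m*(x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add, MSB first; not constant time (illustration only)
    r = None
    for bit in bin(k % N)[2:]: r = add(add(r, r), pt if bit == "1" else None)
    return r
def hs(*parts):  # hash to a scalar; repr() stands in for a real canonical encoding
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N
def hp(ring):  # hash the ring to a curve point by try-and-increment
    x = hs("Hp", ring)
    while pow(x**3 + 7, (P - 1) // 2, P) != 1: x += 1
    return x, pow(x**3 + 7, (P + 1) // 4, P)
def step(ring, img, msg, c, s, Y):  # challenge for the next ring position
    return hs(ring, img, msg, add(mul(s, G), mul(c, Y)), add(mul(s, hp(ring)), mul(c, img)))

def sign(msg, ring, idx, x):  # ring[idx] == x*G is the real signer
    ring, n, u = tuple(ring), len(ring), secrets.randbelow(N - 1) + 1
    img, c, s, i = mul(x, hp(ring)), [0]*n, [0]*n, (idx + 1) % n
    c[i] = hs(ring, img, msg, mul(u, G), mul(u, hp(ring)))
    while i != idx:  # simulate every other member with a random response
        s[i] = secrets.randbelow(N - 1) + 1
        c[(i + 1) % n] = step(ring, img, msg, c[i], s[i], ring[i])
        i = (i + 1) % n
    s[idx] = (u - x * c[idx]) % N  # only the secret key can close the ring
    return c[0], s, img  # img is the key image x*Hp(ring)

def verify(msg, ring, sig):  # recompute the challenge chain; it must return to c0
    ring, (c, s, img) = tuple(ring), sig
    for Y, si in zip(ring, s):
        c = step(ring, img, msg, c, si, Y)
    return len(s) == len(ring) and c == sig[0]

def demo():  # constructed 3-member ring; member 1 signs twice, member 2 once
    keys = [secrets.randbelow(N - 1) + 1 for _ in range(3)]
    ring = [mul(k, G) for k in keys]
    a, b, o = (sign(m, ring, i, keys[i]) for m, i in ((b"commit A", 1), (b"commit B", 1), (b"commit A", 2)))
    return verify(b"commit A", ring, a), verify(b"tampered", ring, a), a[2] == b[2], a[2] == o[2]
```

`demo()` returns `(True, False, True, False)`: the signature verifies, a changed message fails, the signer's key image is identical across both commits, and a different ring member yields a different key image.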
gitghost makes anonymous attribution easy to communicate beyond your team. Every claim is backed by a deterministic proof, exportable and auditable, so legitimacy is never a debate.
Built to be used by any team. No browser extension, no custom git fork, no centralized coordinator — just a CLI, a verifier, and standard commit trailers your tools already understand.
Proofs travel as RFC-5322 commit trailers. Any git host preserves them — GitHub, GitLab, Codeberg, self-hosted. Verification works against any commit you can read; the public verifier currently fetches commits from GitHub or accepts raw paste.
Every signature on this site is a real LSAG signature, signed by the same CLI we ship. Try it: the verifier accepts the live demo commit and runs the full proof in front of you.
Two surfaces, no infrastructure. Sign locally with the CLI, verify against the public API or locally — same math, same result. Proofs travel as standard git commit trailers.
gitghost is built for the people responsible for how open-source contribution is signed, trusted and protected.
Submit anonymous vulnerability patches without exposing the researcher behind them. Provable authorship, hidden identity.
Declare your contributor ring once. Audit incoming patches by ring root, without ever needing to know which specific contributor authored each one.
Plausible deniability built in. Disclosure paths that survive adversarial scrutiny without surrendering identity.
Protect contributors operating in hostile jurisdictions. Cryptographic accountability, not surveillance.
Most attribution products force a choice between visibility and protection. gitghost gives you both — plus, at Bankr launch, a collective reward layer for the rings that ship.
Disclose vulnerabilities, contribute from hostile jurisdictions, or submit sensitive patches without surrendering identity. The proof of authorship travels with the commit, the identity does not.
Anonymous and cryptographically verifiable at the same time. Reviewers see signed-by-trusted-set, not a random anonymous commit, so contributions still get treated as legitimate.
The same key image surfaces every time you sign in a ring, so consistent contributors build credibility across commits — without ever revealing who they are.
No accounts, no extension, no custom git fork, no central coordinator. A CLI, a verifier, and standard commit trailers your tools already understand.
At Bankr launch we're committing 5% of token supply to a contributor reward pool. When you ship a ghost commit, the reward flows to the ring's treasury — collective, not personal. Anonymity stays intact by construction.
Allocated to ring rewards from the Bankr launch — credibly committed before any contract goes live.
Rewards distribute to the ring, not to the signing wallet — preserving the threat model that makes the protocol useful.
Claim via ring governance or anonymous proof. No on-chain trail back from token transfer to ghost commit.
Reward design is privacy-first by default. Mechanism, claim process, and anti-sybil are documented before launch.
Today commit attribution is binary: ship with your name attached or ship unverifiable. gitghost adds a third option — cryptographic proof that a commit came from a trusted contributor set, with the signer's identity hidden by construction.
Counts are live from the public registry. Pre-launch — numbers grow as rings publish.
Each ring is a deterministic hash of its members' public keys. Anyone can recompute and verify locally — no trust in this index required.
Open registry
Historic Node.js core authors and runtime contributors. Useful for runtime-level vulnerability disclosures where attribution must be provable but identity must remain private.
Subset of long-time Linux kernel maintainers. Demonstrates how a high-trust contributor set could expose anonymous attribution without revealing which maintainer signed.
A demonstration ring built from public maintainer keys across several frontend ecosystems. Shows how cross-project anonymous attribution would work in practice.
A privacy-engineering attribution set: people whose public work touches anonymity, secure messaging, and adversarial threat models. Designed for sensitive disclosures.
Cryptographic proof of authorship without surrendering identity. A CLI to sign, a verifier to audit, and standard commit trailers your tools already understand.