Displace Technologies LLC · canonical: https://keys.displace.tech
This page lists every ed25519 signing key ever used to sign Attestable evidence
packs, its current status, and the files needed to verify a pack offline. Keys
are never reused and never removed from this list, including after rotation or
revocation. See verify.sh for the
standalone verifier.
| key_id | status | created | valid_from | valid_to | fingerprint (SHA-256 of pubkey file) |
|---|---|---|---|---|---|
attestable-2026-a |
active | 2026-07-16 |
2026-07-20 |
2027-07-20 |
cd7b4528a78ec5085942632c7808a5b08e2cbce084b69b6aa6960d9674088710 |
Note: the fingerprint above reads cd7b4528a78ec5085942632c7808a5b08e2cbce084b69b6aa6960d9674088710
until the key is minted offline per spec §2 and this page, keys.json,
and keys.json.minisig are updated and re-signed together. Do not trust
a pack pinned against this key until the real fingerprint is published here.
Separately, this key does not become valid until valid_from
(2026-07-20), and expires at valid_to
(2027-07-20): a pack timestamped outside that window will fail the
manifest check in verify.sh even if every signature is otherwise
intact.
attestable-2026-a.pub — public key (minisign format)attestable-2026-a.pub.ots — OpenTimestamps existence proof for the pubkey filekeys.json — machine-readable manifest of all keyskeys.json.minisig — detached signature over keys.json by the newest active keyverify.sh — standalone POSIX-shell evidence pack verifierverify.sh.minisig — detached signature over verify.sh by the newest active key
Revocation notices, if any are ever issued, are published at
/revocations/revocation-<key_id>.txt and linked from the
affected key's row above once they exist.
Published verbatim from SPEC_Attestable_Key_Publication.md §7:
Keys are never reused. Each key is valid for one year from its
valid_fromdate and is rotated on schedule at expiry; rotation also occurs early on suspected compromise, custody change, or major infrastructure change. On rotation, the outgoing key is markedretiredwith its validity window; signatures made within that window remain valid indefinitely. On compromise, the key is markedrevokedin keys.json with a dated, reasoned revocation notice signed by the successor key; packs signed under a revoked key are re-issued under the successor on request at no charge. All keys ever published remain listed and their pubkey files remain available permanently.
This site is deployed directly from the public mirror repository
DisplaceTech/attestable-keys — the site and the mirror are
the same source and cannot diverge. Git history on that repository, GitHub's
independent hosting, and the OpenTimestamps proofs above jointly establish
that each key existed, unchanged, since the date shown — without
requiring trust in Displace's server.