udriveudrive

Core concepts

Provenance & signing

Sign a file with your Solana wallet to cryptographically attest you are its source. The statement binds the name, size, and SHA-256, so any tampering invalidates the proof — and anyone can re-verify it.

What signing proves

Provenance signing lets the uploader attest, cryptographically, that a specific wallet vouches for a specific file. The wallet signs a deterministic statementthat embeds the file's name, byte size, and SHA-256 digest. Because the digest is part of the signed bytes, the signature is only valid for those exact contents — change a single byte and verification fails.

  • Proves which wallet claims authorship of the file.
  • Proves the file has not been altered since it was signed.
  • Is re-verifiable by anyone, forever, with no trust in udrive.

The provenance statement

The statement is canonical and reconstructable from the stored file fields, which is what makes later re-verification possible.

provenance statement
udrive file provenance
name: dataset.csv
sha256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
size: 20480
signer: 7xKEh…Pu8Z
signed_at: 2026-06-25T18:04:11.000Z

Note

The signed_at timestamp is inside the signed bytes, so the attestation carries its own tamper-evident time anchor.

Signing a file

Sign during upload — toggle “Sign with wallet” on the upload screen, or do it programmatically and pass the proof to /api/upload/complete.

  1. Compute the file's SHA-256 digest.
  2. Build the provenance statement from name, digest, size, signer, and timestamp.
  3. Sign the statement bytes with the wallet.
  4. Submit signed, signerPubkey, signature, and signedStatement on complete.
sign-on-complete.tsTypeScript
import bs58 from "bs58";

const statement = [
  "udrive file provenance",
  `name: ${name}`,
  `sha256: ${sha256}`,
  `size: ${size}`,
  `signer: ${pubkey}`,
  `signed_at: ${new Date().toISOString()}`,
].join("\n");

const { signature } = await wallet.signMessage(
  new TextEncoder().encode(statement),
);

await fetch("/api/upload/complete", {
  method: "POST",
  headers: { "content-type": "application/json" },
  body: JSON.stringify({
    fileId,
    sha256,
    signed: true,
    signerPubkey: pubkey,
    signature: bs58.encode(signature),
    signedStatement: statement,
  }),
});

Warning

The server independently verifies the signature on complete. If the signature, signer, or statement don't line up, the file is still stored but is not marked as signed.

Verifying a file

Anyone can re-verify a signed file. The endpoint re-checks the ed25519 signature over the stored statement andconfirms the statement's claimed name, size, and digest still match the file.

Shell
curl https://udrive.one/api/verify/a1B2c3D4e5F6
responseJSON
{
  "signed": true,
  "verified": true,
  "signerPubkey": "7xKEh…Pu8Z",
  "statement": "udrive file provenance\nname: dataset.csv\n"
}

The public file view at /f/<shortId> renders this as a provenance badge — signed by the wallet, with a verified checkmark.

What it does not prove

  • It proves the signer vouches for the bytes — not that the signer is the original author of the underlying content.
  • It is an off-chain attestation: no transaction is created and nothing is written to the Solana ledger.
  • Trust in the wallet's real-world identity is up to the verifier; udrive only proves the key signed.