I built the WordPress GPG signing workflow that didn't exist


by mvpprojects · Feb 24, 2026 · 2 points · 1 comment

AI Analysis

●●● Banger · Solve My Problem · Wizardry · Ship It

Solves the root problem: root-level files on managed hosting WordPress without FTP.

Strengths
  • Addresses a genuine two-year-old unsolved WordPress pain point with append-only audit trails.
  • Multiple hash algorithms (SHA-256, SHA-512, SHA3, BLAKE2b, BLAKE3) + HMAC mode for offline verification.
  • Wire-protocol-style approach: zero code changes needed, works transparently through rewrite rules.
Weaknesses
  • Fewer than 10 active installations suggests market discovery or messaging challenge.
  • Cryptographic features seem powerful but use-cases for SHAKE128 and external anchoring unclear without docs.
Target Audience

WordPress site administrators and security-conscious content creators.

Similar To

Yoast SEO · All in One SEO · Wordfence

Post Description

In February 2023, a developer named James Tomasino wrote about signing blog posts with GPG keys and ended with one line:

"If you're using WordPress, you'll need to find some other path forward."

That sat unanswered for two years. I built the path forward — and the foundation it runs on. Two GPL plugins.

ArchivioMD solves a problem every WordPress site on managed hosting hits eventually: you need files at the site root (security.md, privacy.md, disclosure.md, robots.txt) and you have no FTP access to put them there.

The plugin manages 30+ predefined Markdown documents from the WordPress admin, writes them to wherever the server will accept them (.well-known/meta-docs/, site root, uploads fallback), and serves them via WordPress rewrite rules so they appear at the correct URL regardless of physical location.

Every document gets a UUID, a checksum, and an append-only changelog. No more one-off file placements nobody can audit or reproduce.

On top of that: cryptographic hash verification for posts (SHA-256 through BLAKE3, HMAC mode, hash_equals() throughout), external Git anchoring that pushes JSON integrity records to GitHub or GitLab via a persistent queue with exponential backoff, HTML rendering of Markdown files, compliance tooling, and sitemap management.

ArchivioID is the OpenPGP signing extension.

Authors sign posts locally with their own GPG key — private key never touches the server. A badge appears on published posts. Any reader can verify with standard GPG tools, no WordPress required. Server-side verification handles Ed25519 via libsodium, RSA and ECDSA via phpseclib v3. Browser signing via OpenPGP.js for editors who aren't comfortable with a terminal. Full audit log with CSV export.

ArchivioMD (WordPress.org): https://wordpress.org/plugins/archiviomd

ArchivioMD (GitHub): https://github.com/MountainViewProvisions/archiviomd

ArchivioID (GitHub): https://github.com/MountainViewProvisions/ArchivioID/release...

PHP 7.4+, WordPress 6.0+, phpseclib v3, OpenPGP-PHP, OpenPGP.js, libsodium, GPL-2.0.

Feedback on the cryptographic implementation especially welcome.
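The difference between the plain hash mode and the HMAC mode mentioned in the post, checked offline outside WordPress, as an added example that is not code from the post or from either plugin. The record layout (`algorithm`, `mode`, `digest`), the function names and the sample key and post body are assumptions made for illustration; `hmac.compare_digest` plays the role that `hash_equals()` plays in PHP.

```python
import hashlib
import hmac
from typing import Optional

# Algorithms from the post that Python's hashlib provides (BLAKE3 needs a third-party package).
ALGORITHMS = {"sha256", "sha512", "sha3_256", "sha3_512", "blake2b"}


def make_record(content: bytes, algorithm: str, key: Optional[bytes] = None) -> dict:
    """Build an integrity record (hypothetical layout): HMAC if a key is given, else a bare hash."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if key is not None:
        digest = hmac.new(key, content, algorithm).hexdigest()
    else:
        digest = hashlib.new(algorithm, content).hexdigest()
    return {"algorithm": algorithm, "mode": "hmac" if key is not None else "hash", "digest": digest}


def verify_record(content: bytes, record: dict, key: Optional[bytes] = None) -> bool:
    """Recompute the digest and compare in constant time (Python's analogue of hash_equals())."""
    algorithm = record.get("algorithm")
    if not isinstance(algorithm, str) or algorithm not in ALGORITHMS:
        return False
    # The verifier decides the mode: when a key is held, a bare-hash record is rejected
    # even if it is internally consistent (no downgrade from HMAC to hash).
    if record.get("mode") != ("hmac" if key is not None else "hash"):
        return False
    expected = make_record(content, algorithm, key)["digest"]
    return hmac.compare_digest(expected.encode(), str(record.get("digest", "")).encode())


def demo() -> dict:
    key = b"constructed-demo-key"        # constructed sample key
    post = b"Hello, signed world."       # constructed sample post body
    edited = b"Hello, edited world."     # same post after an unauthorized edit
    hmac_rec = make_record(post, "sha3_256", key)
    # Anyone able to rewrite both post and record can recompute a bare hash without the key.
    rehashed = make_record(edited, "sha3_256")
    return {
        "hash_only_accepts_rewritten_pair": verify_record(edited, rehashed),
        "hmac_ok": verify_record(post, hmac_rec, key),
        "hmac_detects_edit": not verify_record(edited, hmac_rec, key),
        "downgrade_rejected": not verify_record(edited, rehashed, key),
    }


if __name__ == "__main__":
    print(demo())
```

A bare hash only proves that content and record agree with each other, so it needs an independent copy of the record to mean anything; the keyed mode fails closed when either the content or the key is wrong.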
