A Tamper-Evident Ledger for Software Provenance
Dr. Elena Marsh
Chief Scientist
What we mean by provenance
Provenance is the answer to a simple question asked under pressure:
Where did this exact binary come from, and can you prove it?
For high-stakes systems, "trust us" is not an answer. The history of an artifact must be reconstructable and tamper-evident.
Hash-linked history
Every event in a Narsil pipeline — a dependency resolved, a control evaluated, an approval granted — is written to the ledger as a record whose hash includes the hash of the record before it.
record[n].hash = H( record[n].body || record[n-1].hash )
Change any earlier record and every subsequent hash breaks. The tampering is not hidden; it is loud.
External anchoring
Periodically, the ledger head is anchored to an independent authority. This means even an adversary with full control of the enclave cannot silently rewrite history without contradicting an anchor recorded elsewhere.
- Anchors are small: just the current head hash.
- They are frequent enough to bound any undetected window.
- They require no connectivity from inside the gap — only at anchor time.
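The hash-linked history and external anchoring described above, as an added Python example that is not Narsil's code; SHA-256, the JSON record encoding, the all-zero genesis value and every function name are assumptions made for illustration. It shows that an edit which leaves the stored hashes alone breaks the chain, while a rewrite that recomputes every later hash passes the chain check and is caught only by the anchor.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed predecessor hash for the first record

def record_hash(body, prev_hash):
    """H(body || prev_hash): SHA-256 over canonical JSON plus the previous hash."""
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded + bytes.fromhex(prev_hash)).hexdigest()

def append(ledger, body):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"body": body, "hash": record_hash(body, prev)})

def verify(ledger, anchors):
    """Return findings ([] = clean). anchors: record index -> externally held hash."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(ledger):
        if rec["hash"] != record_hash(rec["body"], prev):
            findings.append((i, "chain"))   # link to the predecessor is broken
        if i in anchors and anchors[i] != rec["hash"]:
            findings.append((i, "anchor"))  # history contradicts the anchor
        prev = rec["hash"]  # follow stored hashes so the break is localised
    findings += [(i, "truncated") for i in sorted(anchors) if i >= len(ledger)]
    return findings

def rewrite_from(ledger, index, body):
    """Model full control of the ledger: edit one body, recompute later hashes."""
    forged = copy.deepcopy(ledger[:index])
    for rec in [{"body": body}] + ledger[index + 1:]:
        append(forged, rec["body"])
    return forged

def sample():
    """Constructed events plus one anchor; not real pipeline output."""
    ledger = []
    for body in ({"event": "control_evaluated", "control": "sbom-present", "result": "pass"},
                 {"event": "dependency_resolved", "name": "libexample", "version": "1.2.0"},
                 {"event": "approval_granted", "approver": "release-manager"}):
        append(ledger, body)
    return ledger, {2: ledger[2]["hash"]}  # anchor = head hash held elsewhere

if __name__ == "__main__":
    ledger, anchors = sample()
    edited = copy.deepcopy(ledger)
    edited[1]["body"]["version"] = "1.2.1"  # body changed, stored hash left alone
    forged = rewrite_from(ledger, 1, edited[1]["body"])
    print(verify(ledger, anchors), verify(edited, anchors), verify(forged, anchors))
```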
Why this is the heart of assurance
Compliance checks tell you a control passed. Provenance tells you the story of how the artifact came to be — and proves that story has not been edited. One without the other is incomplete.
Integrity is not asserted. It is demonstrated.