π€ AI Summary
This study addresses the lack of authenticity verification in Git commit authorship, where identity resolution relies solely on unverified claims. Leveraging the World of Code V2604 dataset, this work presents the first large-scale analysis of cryptographic signatures (PGP, SSH, and X.509) across 5.8 billion commits, introducing A2trustβa novel four-tier identity trust labeling framework that distinguishes declared identities from cryptographically bound ones. The contributions include the release of c2sigFull, a large-scale signed-commit dataset; the construction of an author-key graph that disambiguates organizational and personal keys; and the generation of a high-precision alias gold standard for 17.59% of signed commits. These resources establish cryptographic anchors for software identities, enabling trustworthy identity linkage and reproducible research in software provenance.
π Abstract
An author string in a git commit is free text the committer typed, so identity resolution over a global commit corpus rests on a claim that nothing in the commit verifies. A cryptographically signed commit is different: it binds the commit to a key the committer controls, and when that key ties back to a real-world identity the git identity becomes attested rather than merely claimed. We release the first commit-signature axis for the World of Code (WoC), extracted for the V2604 collection. The signature travels in the commit object's gpgsig header and is already carried, unparsed, in the commit-message field of the WoC commit tables, so the axis is a scan over existing tables rather than a re-read of the object database. Over the V2604 corpus of 5,866,595,698 commits, 17.59% carry a signature (PGP dominant at 98.96%, with a growing minority of SSH and X.509/sigstore signatures), or 1,031,721,316 signed commits. We release the per-commit signature map c2sigFull, a key-to-author graph gated so that shared organization and continuous-integration keys are separated from person keys, and A2trust, a per-identity attestation tier (unsigned, signed, real-world-bound, cross-corpus attested) that extends the published A2cls identity-class dataset. The signature axis is a precision anchor, not a coverage layer: signed commits skew toward recent and security-conscious developers, a population that overlaps the scholarly authors a bibliography join targets. We use the person keys to build a cryptographically grounded alias gold that calibrates the heuristic WoC alias map independently of hand-labeled pairs, and to attach an attestation provenance to science-to-software identity links. All artifacts are released as a self-contained, in dependently hosted replication package keyed to the WoC V2604 collection.