Show HN: Co-Authored-By Is a Lie: Cryptographic Provenance for AI Coding Agents (blog.rduffy.uk)

🤖 AI Summary
"Co-Authored-By Is a Lie" presents a system for cryptographic provenance of AI-generated code. Developed by a researcher at Manifold Security, it addresses a significant weakness in Git: commit metadata can easily be faked, which can mislead reviewers into trusting potentially malicious code. By demonstrating how a simple forgery of attribution metadata can lead to serious security breaches, the work highlights the need to distinguish genuine AI contributions from fabricated claims of authorship, particularly as AI becomes more integrated into software development pipelines.

The solution authenticates attribution in three layers: first, human-readable, structured attribution data; second, a cryptographic signature for each AI-generated commit; third, private keys secured within a hardware enclave to prevent unauthorized access. This establishes a reliable chain of trust and makes AI-generated contributions traceable to specific sessions and agents. The verification the system enforces can significantly enhance the integrity of software supply chains and promote confidence in AI-assisted coding environments.