A technical deep-dive into cryptographic provenance — from shutter to verification.
When a VeriChain-compatible camera app captures a photo, it immediately computes a SHA-256 hash of the raw image bytes. This hash is the image's unique fingerprint — any change to even a single pixel will produce a completely different hash.
The app then creates a genesis manifest containing the content hash, capture metadata (device, software, timestamp), and the signer's key ID. The manifest itself is also hashed, and that hash is signed with the signer's Ed25519 private key.
The private key never leaves the device. It is stored in the iOS Keychain with hardware-backed protection where available.
When the user edits the photo — adjusting brightness, cropping, rotating — each operation is appended as a signed edit event to the manifest. The event records the type of edit, its parameters, and a timestamp.
Critically, the new manifest references the hash of the previous manifest as its parent_manifest_hash. This creates a hash chain: each revision is mathematically linked to every prior revision. Removing, reordering, or modifying any event in the chain breaks the chain and will be detected during verification.
The manifest is append-only by design. There is no "undo" in the provenance record — once an edit is signed and appended, it is part of the permanent history.
The photo and its manifest are packaged together into a single .verichain bundle — a compact binary format containing the image file and its .epx.json sidecar manifest.
The bundle can be shared via AirDrop, email, messaging apps, or any file transfer mechanism. The manifest is not embedded in the image itself, so the image bytes are never modified — the content hash computed at capture time remains valid forever.
When a recipient receives a .verichain bundle, their VeriChain-compatible app runs five independent checks:
If all five checks pass, the image is considered verified and intact.
A cryptographically valid signature proves that an image was signed by a specific private key — but it doesn't tell you whose key that is. The VeriChain Directory bridges that gap.
Users are registered in the directory exclusively through VeriChain ecosystem apps. Registration is not open to third parties — this is fundamental to the security model.
When a photo is verified, the app automatically fetches the signer's public key and profile from the directory. A journalist receiving a photo from a stranger can see: "This image was signed by Nellie Bly, Journalist, iPhone 17 Pro, registered 2026-04-09 — and the signature is valid."
If the signer is not in the directory, the verification result is downgraded with an amber warning: file integrity checks may pass, but the signer's identity cannot be confirmed through the trusted VeriChain pipeline.
VeriChain is a provenance system, not a lie detector. It can prove that an image has not been altered since it was signed — but it cannot prove that the original capture was truthful, that the scene depicted was real, or that the signer is who they claim to be outside of the directory registration.
VeriChain also does not currently support perceptual hashing, AI-generation detection, multi-signer workflows, or revocation infrastructure. These are planned for future versions of the EPX/1 specification.