A Minimal Cryptographic Affidavit Process for Digital Artifacts

Purpose

This process creates a signed affidavit that cryptographically binds a SHA-256 hash of a digital artifact to a verifiable GPG identity, enabling independent verification of integrity and authorship without asserting factual truth.

This is useful for publishing essays, research notes, creative work, datasets, or any digital artifact where you want to demonstrate:

  • The file has not changed since a specific moment in time
  • A specific cryptographic identity controlled the signing key
  • Verification can occur independently, without contacting the signer

Threat Model (What This Does and Does Not Do)

This process proves:

  • File integrity (tamper detection)
  • Control of a specific GPG private key at signing time
  • A clear, auditable chain of verification

This process does NOT prove:

  • The truthfulness of the content
  • The authenticity of events depicted
  • That manipulation did not occur before hashing

This is an integrity and authorship signal, not a claim of objective truth.

Signing Process (Author / Publisher)

0) Preconditions

  • The content file is finalized
  • You already have a GPG key
  • You will not edit files once hashing begins

1) Capture Artifact Details (for the affidavit)

stat -f "%N
Size (bytes): %z
Permissions: %Sp
Owner: %Su
Group: %Sg
Created: %SB
Modified: %Sm
Inode: %i
Device: %d
" "<file_name>" > file_details.txt

This records filesystem-level metadata at the moment of signing.
The output will be embedded into the affidavit, then discarded.

2) Create affidavit.txt

vi affidavit.txt

Affidavit Template

------------------------------------------------------------
AFFIDAVIT OF DIGITAL CONTENT INTEGRITY (SHA-256 + GPG SIGNATURE)
------------------------------------------------------------

I, <Full Legal Name>, declare under penalty of perjury that:

1) I am the creator or lawful custodian of the digital file(s) referenced below.
2) On <YYYY-MM-DD> at approximately <HH:MM> (<Time Zone>), I computed SHA-256 hashes
   for the file(s) listed in this affidavit.
3) To the best of my knowledge, the file(s) referenced have not been altered since
   the hashes were computed. Any modification would result in a different SHA-256
   hash and cause verification to fail.
4) I am signing this statement using my GPG private key. The corresponding public
   key fingerprint is:

   <YOUR FULL KEY FINGERPRINT>

Referenced Files:
- <file_name>
- affidavit.txt
- hashes.sha256.txt (hash manifest)

Executed on: <YYYY-MM-DD>
Location: <City, State, Country>

Signature:
<Full Legal Name>
<Contact info optional>

------------------------------------------------------------
File Details (observed at time of signing)
------------------------------------------------------------

<PASTE file_details OUTPUT HERE>

------------------------------------------------------------

After pasting the file details, delete file_details.txt.

3) Create the Hash Manifest

Include both the artifact and the affidavit:

shasum -a 256 <file_name> affidavit.txt > hashes.sha256.txt

4) Sign the Affidavit (Detached Signature)

gpg --armor --detach-sign affidavit.txt

Produces:

affidavit.txt.asc

5) Sign the Hash Manifest (Detached Signature)

gpg --armor --detach-sign hashes.sha256.txt

Produces:

hashes.sha256.txt.asc

6) Export the Public Key

gpg --armor --export "user@email.com" > user-publickey.asc

Final Evidence Bundle

Distribute these files together:

  • <artifact_filename>
  • affidavit.txt
  • affidavit.txt.asc
  • hashes.sha256.txt
  • hashes.sha256.txt.asc
  • <signer>-publickey.asc

Verification requires only GPG and SHA-256 tools.

Verification Process (Independent Verifier)

0) Preconditions

  • You have received the full evidence bundle
  • The bundle contains:
  • <artifact_filename>
  • affidavit.txt
  • affidavit.txt.asc
  • hashes.sha256.txt
  • hashes.sha256.txt.asc
  • <signer>-publickey.asc
  • GPG and shasum are installed
  • You trust the public key source or can verify its fingerprint independently

1) Import the Signer’s Public Key

gpg --import <signer>-publickey.asc

(Optional but recommended)

gpg --fingerprint <signer-email-or-key-id>

Confirm the fingerprint matches an independently published reference.

2) Verify the Affidavit Signature

gpg --verify affidavit.txt.asc affidavit.txt

Expected output:

gpg: Good signature from "<Signer Name> <email>"

3) Verify the Hash Manifest Signature

gpg --verify hashes.sha256.txt.asc hashes.sha256.txt

Expected output:

gpg: Good signature from "<Signer Name> <email>"

4) Verify File Integrity

shasum -a 256 -c hashes.sha256.txt

Expected output:

<artifact_filename>: OK
affidavit.txt: OK

5) Manual Review

Open affidavit.txt and confirm:

  • Signer identity
  • Public key fingerprint
  • Listed files match the bundle
  • File details match the received artifact
  • Date, time, and location align with expectations

6) Interpretation Guidance

A successful verification confirms:

  • The files have not changed since hashing
  • The affidavit has not changed since signing
  • The signer controlled the private key used

It does not confirm:

  • Truthfulness of the content
  • Authenticity of depicted events
  • Absence of manipulation prior to hashing

Closing Note

This process is intentionally modest in scope.

It does not attempt to establish truth, only integrity, authorship, and verifiability.

In an environment increasingly shaped by synthetic media, these signals matter.
They are not sufficient on their own, but they are necessary.

The Elenchus Retrospective

Using the Socratic Method to Drive Better Sprint Outcomes

Sprint Retrospectives are vital for continuous improvement, but sometimes the conclusions drawn can feel abstract or lack a solid foundation. By integrating the formal steps of the Socratic Method (Elenchus) into your retrospectives, you can drive a deeper understanding of your team’s experiences and produce more grounded, effective concluding actions.

The goal is twofold: a better understanding of the team’s experience and the generation of concrete, reality-based improvement actions.Gathering Experiences: The Formalized Socratic Method

The Elenchus method, or the Socratic Method of questioning and refutation, provides a formalized five-step process for dissecting an experience until its root definition is clear:

  1. Receive: Ask the team members to share their experience from the previous Sprint. The key here is to listen without judgment and capture what happened in the team’s own words.
  2. Reflect: Paraphrase the experience back to the team. This step is crucial for mutual understanding. By echoing back the main ideas, you ensure that you, as the facilitator, have accurately grasped the core issue and that the team agrees on the narrative.
  3. Refine: Once the core experience is established, ask for underlying assumptions and supporting evidence. This is where you move beyond surface-level observations to examine the foundational beliefs and data points surrounding the experience.
  4. Restate: Paraphrase the experience again, but now incorporate the newly added details about the assumptions and evidence. This iteration adds depth and precision to the definition of the issue.
  5. Repeat: Continue this cycle of receiving, reflecting, refining, and restating until the experience is clearly defined, understood by all, and no further assumptions or evidence can be uncovered.

Reality Check: Ensuring Empirical Results

While powerful, the Socratic Method has been criticized for potentially producing false conclusions¹ if the underlying premises are flawed or not verified. In a retrospective, we cannot afford to base our future actions on abstract or unverified “truths.”

To address this, an essential step must be added to anchor the process in reality: Check the experience definition against empirical evidence.

Before moving to concluding actions, take the time to verify the clearly defined experience against your Sprint data-metrics, logs, burndown charts, or any other hard evidence. This ensures that the understanding you’ve developed is not only clear but also based in the reality of your team’s performance.

Concluding Actions: The Outcome

The entire exercise is focused on developing one of two, or both, critical outcomes for your next Sprint:

  1. An Actionable improvement plan for the next Sprint.
  2. An improvement of the Definition of Done (DoD).

By clearly defining the root cause of an experience and validating it against empirical evidence, your concluding action will be well-defined, measurable, and firmly based in reality. This significantly increases the likelihood that your next Sprint will incorporate a meaningful and effective change.

Caveat 

It is critical that the facilitator ensures a high degree of psychological safety when employing the Elenchus method. The nature of sustained questioning and refutation must be carefully managed to prevent the process from feeling like a personal confrontation, keeping the focus strictly on the team’s shared experience and underlying assumptions.²

¹ Winter, Theo. “Smarter Thinking: The Socratic Method.” Human Performance Technology By DTS, 26 June 2017, blog.hptbydts.com/smarter-thinking-the-socratic-method. Accessed 17 Jan. 2026.

²Ash, Simon. “The Socratic Method in Coaching: Ancient Wisdom for Modern Leadership.” The Right Questions, therightquestions.co/the-socratic-method-in-coaching-ancient-wisdom-for-modern-leadership/. Accessed 17 Jan. 2026.

Why I’m Pausing My PMP Until the PMBOK 8 Baseline Lands

I’m looking at PM certs right now, trying to be honest about what’s worth the time and what’s just noise for the kind of roles I want next.

Here’s a decision I’ve made, and why:

I’m waiting to take the PMP until the PMBOK 8 direction is clearly in the exam.

I’m looking at PM certs right now, trying to be honest about what’s worth the time and what’s just noise for the kind of roles I want next.

Here’s a decision I’ve made, and why:

I’m waiting to take the PMP until the PMBOK 8 direction is clearly in the exam.

The core reason: I don’t want to study for a test that’s changing under me

The PMP exam is based on PMI’s Exam Content Outline (ECO). The ECO is what the test is actually built from. The PMBOK guides are reference material, but the exam isn’t tied to one specific edition.

When PMI publishes a new PMBOK, the exam doesn’t flip overnight. There’s a transition window, and PMI updates the ECO on its own timeline. They’ve already published a new ECO for July 2026, which points the exam toward PMBOK 8, but also makes it clear that the real cutoff is the ECO update date, not the book release.

So this isn’t about being precious over editions.
It’s about not putting months of effort into one baseline and then walking into another.

Quick clarity on PMBOK 7 vs PMBOK 8

PMBOK 7 was where PMI moved hard toward principles and broader “how to think” guidance instead of a strict process checklist. It’s the edition that pushed flexibility and value delivery the most.

PMBOK 8 keeps that principles-first base, but adds back more process guidance. Not in a rigid “follow these steps” way, more like “here are the common practices and how to tailor them.” It also bakes in more about hybrid delivery, modern tools, and AI.

That combo is closer to how I already work: lead with principles, then pull in process where it earns its keep.

Why PMBOK 8 fits how I work

Three things shape how I run programs:

1. Principles before paperwork.
I care more about whether the work is real and moving than whether it checks every box.

2. Hybrid is normal.
Most programs aren’t pure Scrum or pure Waterfall. They’re built around reality: the team, the product, the constraints.

3. Tailoring is the job.
I don’t want a cert that rewards memorizing a method. I want one that rewards choosing and adapting methods on purpose.

PMBOK 8 seems to be pushing in that direction. That’s why I’m comfortable waiting for the exam to catch up to it.

What I’m focusing on now

Waiting on PMP doesn’t mean waiting on growth. Right now I’m putting my time into things that matter no matter what edition PMI is on:

  • Cloud, AI, and Agile fluency
  • Keeping risk and dependencies visible in real work
  • Sharpening delivery habits I can carry into any org

When the PMBOK 8 baseline is clearly settled into the exam, I’ll take PMP then, with a cleaner runway and less wasted prep.

Unpopular opinion: Agile isn’t “soft” project management, it’s ruthless about reality.

I know Agile methodologies can be frustrating for some folks, but you really can’t beat the short iterations and empirical evidence for proving delivery of value. Is it somewhat risky because you’re not calling out every key program milestone like you do in Waterfall? Yes. Is it possible to have horrible scope creep? Yes. Can you be sure you’re not wasting 18 months after 2? Absolutely. Agile only pays off if you can actually see what’s helping or hurting delivery.

That only works, though, if you’re honest about what’s really happening inside the work. For me, that honesty lives in a simple tool: a living RAID log.

As a PM/PO working with Agile, I think you should keep a constantly updated RAID log in Confluence or whatever system your team actually uses. Not a dusty artifact you fill out for a steering deck and never look at again, but a working object you interrogate every sprint. In Scrum, it’s even better to walk it right before (or during) the Sprint Retrospective, when the team is already in an inspect-and-adapt mindset.

RAID is basic on paper:
Risks / Assumptions / Issues / Dependencies.

But when it’s alive, it becomes the connective tissue between strategy, teams, and reality. It’s where you see the early warning lights, name your bets, expose the uncomfortable truths, and make decisions you can defend later.

Most teams say they’re “managing risk.” A living RAID log is where you prove it.

Confluence Ready RAID Template

1. Set up the RAID log

Create a simple table with columns like:
Type | Item | Description | Owner | Due / Review Date | Status

2. Ask RAID questions as a team

R – Risks (might happen)

  • What could stop us from hitting the next Sprint Goal?
  • Where do we feel “uneasy” but haven’t written it down yet?
  • What’s fragile if one person leaves, gets sick, or is pulled to another project?

A – Assumptions (we’re treating as true)

  • What are we assuming about scope, dates, or capacity that isn’t guaranteed?
  • What are we assuming other teams will deliver, and when?
  • If this assumption is wrong, what breaks first?

I – Issues (already happening)

  • What is slowing us down right now?
  • Where are we reworking the same thing twice?
  • What’s blocking progress that nobody “owns” yet?

D – Dependencies (outside our direct control)

  • Who are we waiting on, and for what?
  • Who is waiting on us, and do they know when we’ll deliver?
  • Which dependencies are tied to calendar events (releases, vendor dates, audits)?

3. Review every sprint

Before or during Retro, quickly scan the log:

  • What changed status?
  • What needs escalation?
  • What new items do we need to add?

From Theory to Practice: Your Next Step

If you’re a PM or PO, try this: in your next sprint, spend 10 minutes with your team building a living RAID log and commit to reviewing it every Retro for a month. See what changes when risk, assumptions, issues, and dependencies are actually visible.

If you’re a hiring manager or delivery leader who cares about this kind of ruthless honesty in Agile, I’d love to connect. I’m always up for swapping stories about what really works in complex delivery and how we can build healthier, more transparent teams.

PSPO 1 Made Official

I recently passed the Professional Scrum Product Owner I (PSPO I) certification from Scrum.org.

Here are the materials I used to prepare:

You can verify my certification here:

I’m sharing these links because they helped me deepen my understanding of the Product Owner role and prepare efficiently for the assessment.

Try Scrum, Get Empirical Evidence

A short, one-time Scrum pilot for small remote teams who want empirical evidence before committing to Agile. Real ceremonies, real data, honest results.

A one-time pilot for small remote teams, open through March 2026.

Many small teams want to explore Scrum but don’t have a project manager,
don’t want to stand up a full process they’re unsure of,
and don’t know if it would actually work for them.

That’s what this pilot is for.

This winter, I’m opening a short, one-time Scrum pilot for small remote teams who want to get empirical evidence before committing to Agile.

I’ll facilitate the real ceremonies, track real data, and help your team interpret the results.

If Scrum improves your delivery rhythm, we’ll know why.
If it doesn’t, we’ll still have learned something valuable: truth about your own system.

Either way, it’s progress grounded in evidence, not buzzwords.

This is a one-time, reduced-rate offer running only through March 2026.
Once I take on my next full-time role, I won’t be offering this kind of hands-on facilitation again.

It’s a limited chance for a small team to get experienced Scrum guidance at a fraction of the usual commitment.

If you’re leading a small business or startup and want to explore Scrum in a focused, low-risk way,
reach out through email at sydearly@icloud.com with the subject Scrum Pilot or connect with me on LinkedIn.

Let’s build an experiment worth running.

PSM1 On Board

I recently passed the Professional Scrum Master I (PSM I) certification from Scrum.org.

Here are the materials I used to prepare:

You can verify my certification here:

I’m sharing these links because they helped me understand the framework clearly and prepare efficiently.

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by