Portable Artifact Attestations with PGP, Bitcoin, and ... Nostr?

What started as a simple PGP import feature inside Continuum unexpectedly evolved into a full local-first artifact attestation system supporting PGP, Bitcoin, and Nostr signing identities. This article explores detached signatures, portable proof bundles, and the realization that Nostr private keys can sign far more than relay events.

Andrew G. Stanton - Thursday, May 7, 2026


For most of the last week I was pretty out of it physically.

Since around Thursday (4/30), I had been recovering from a rough stretch of stomach issues and low energy. I was not doing deep technical work. I was barely writing publicly at all.

Then sometime yesterday afternoon, what started as a relatively small Continuum feature unexpectedly turned into something much bigger.

The original goal was simple enough:

Add support for importing PGP identities into Continuum.

That was it.

The idea seemed straightforward:

  • import a public or private PGP key
  • store it locally in the Continuum workspace
  • eventually support detached signatures for artifacts

Reasonable.

But once the PGP identities were working, another thought emerged naturally:

Why not support Bitcoin signing identities as well?

Not wallets. Not balances. Not transactions.

Just signing authority.

That distinction matters.

So I added support for importing Bitcoin signing identities derived from:

  • WIF private keys
  • xprv extended private keys
  • descriptor-based derivation paths

Again, still relatively contained.

But then something clicked.

A Bitcoin private key is not only useful for transactions.

It can also be used as a general-purpose signing authority.

So I built detached Bitcoin artifact attestations.

At that point Continuum could:

  • sign PDFs
  • sign markdown files
  • sign ZIP archives
  • sign DOCX files
  • generate detached proof bundles

The resulting ZIP export contained:

  • artifact.pdf
  • artifact.pdf.asc
  • artifact.pdf.bitcoin-proof.json
  • manifest.json
  • signers.json
  • pgp-public-key.asc

Already interesting.

But then came the real breakthrough.

I realized there was absolutely no reason the same model could not apply to Nostr identities.

And that is where things got unexpectedly fascinating.

Because in most of the Nostr ecosystem, people think of a Nostr private key in one very specific way:

It signs Nostr events.

That is true.

But it is not the whole story.

Underneath the protocol semantics, a Nostr private key is simply a secp256k1 Schnorr signing authority.

That means it can sign anything.

Not only relay events.

Not only kind-based objects.

Anything.

Once I realized that, the implementation happened very quickly.

Continuum now supports:

  • PGP detached signatures
  • Bitcoin secp256k1 artifact attestations
  • Nostr Schnorr artifact attestations

And all three can be exported together inside a single portable verification bundle.

That means a PDF can now be accompanied by:

  • artifact.pdf.asc
  • artifact.pdf.bitcoin-proof.json
  • artifact.pdf.nostr-proof.json

Each proof is completely public.

That is one of the most interesting parts.

The proof JSON files can be freely shared publicly:

  • no private key information is exposed
  • no signing authority is leaked
  • no sensitive secrets are revealed

Yet the signatures remain verifiable.

That is a profound concept once you really stop and think about it.

The authority remains entirely local.

The proofs are public.

Verification can happen offline.

And the underlying artifact itself can even remain private.

That is radically different from how most modern systems work.

Most systems assume:

  • platform identity
  • centralized verification
  • OAuth login flows
  • hosted trust infrastructure
  • server-side authority

But detached cryptographic attestations invert the model.

The authority lives with the signer.

The verifier does not need to trust a platform.

They only need:

  • the artifact
  • the proof bundle
  • the public verification material

That is it.

The final proof bundle generated tonight included:

  • a detached PGP signature
  • a bundled PGP public key
  • a Bitcoin proof JSON
  • a Nostr proof JSON
  • manifest.json
  • signers.json

All fully public.

The signers.json file indexes all signers and references the proof files:

  • Bitcoin address
  • public keys
  • npub
  • PGP fingerprint
  • signature schemes
  • proof file locations

The manifest tracks:

  • artifact SHA256
  • included proof types
  • bundle version
  • timestamps
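A consistency check a verifier could run over such a bundle before checking any signature, given as an added example rather than Continuum's code. The JSON field names (`artifact_sha256`, `proof_types`, `signers`, `scheme`, `proof_file`) and the `make_bundle` sample builder are assumptions; only the file names come from the bundle listing above.

```python
import hashlib, io, json, zipfile

def make_bundle(artifact, name="artifact.pdf"):  # constructed sample, assumed schema
    signers = [{"scheme": "pgp", "proof_file": name + ".asc"},
               {"scheme": "bitcoin", "proof_file": name + ".bitcoin-proof.json"},
               {"scheme": "nostr", "proof_file": name + ".nostr-proof.json"}]
    manifest = {"bundle_version": 1, "proof_types": [s["scheme"] for s in signers],
                "artifact_sha256": hashlib.sha256(artifact).hexdigest()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, artifact)
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("signers.json", json.dumps({"signers": signers}))
        for s in signers:
            z.writestr(s["proof_file"], "placeholder proof body")
    return buf.getvalue()

def audit_bundle(zip_bytes, artifact_name="artifact.pdf"):
    """Return a list of problems; an empty list means the bundle is consistent."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = set(z.namelist())
        missing = [n for n in (artifact_name, "manifest.json", "signers.json") if n not in names]
        if missing:
            return [f"missing {n}" for n in missing]
        manifest = json.loads(z.read("manifest.json"))
        signers = json.loads(z.read("signers.json")).get("signers", [])
        digest = hashlib.sha256(z.read(artifact_name)).hexdigest()
    problems = []
    # The manifest digest binds the proofs to this exact artifact.
    if str(manifest.get("artifact_sha256", "")).lower() != digest:
        problems.append("artifact does not match manifest SHA-256")
    for s in signers:
        proof = str(s.get("proof_file", ""))
        # Proof locations must name a member of the bundle, not a path outside it.
        if not proof or "/" in proof or "\\" in proof or proof.startswith("."):
            problems.append(f"proof location is not a plain bundle member: {proof!r}")
        elif proof not in names:
            problems.append(f"{s.get('scheme')} signer references missing {proof}")
    listed = {str(t) for t in manifest.get("proof_types", [])}
    present = {str(s.get("scheme")) for s in signers}
    if listed != present:
        problems.append(f"manifest lists {sorted(listed)} but signers.json has {sorted(present)}")
    return problems
```

An empty result only means the bundle is internally consistent; each proof's signature still has to be verified against the artifact digest.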

What is especially interesting is that none of this required:

  • relay publishing
  • cloud infrastructure
  • external APIs
  • centralized verification services

Everything happened locally.

That is the part I continue coming back to.

Continuum is slowly becoming something much broader than “a Nostr client.”

It increasingly looks like a local-first cryptographic workspace.

A place where:

  • identities
  • signing authority
  • artifacts
  • attestations
  • archives
  • verification

all coexist locally under user control.

The more I think about it, the more I believe the foundational insight is actually this:

Signing is not publishing.

Most systems collapse:

  • authorship
  • signing
  • publishing
  • distribution
  • verification

into one step.

Continuum intentionally separates them.

And once those concepts are separated, very different possibilities emerge.

Detached artifact attestations were one of those possibilities.

Generalized Nostr signing was another.

Challenge-response authentication flows are likely another.

SSH signing identities will probably be next.

At some point you begin realizing:

PGP. Bitcoin. Nostr. SSH.

These are not really separate worlds.

They are all variations of the same deeper primitive:

challenge → sign → verify

That realization changes how you think about identity itself.

