Every response from a GeraClone-hosted clone is cryptographically signed. This post explains what that means, why it matters, and how to verify a message. No crypto background required.
Why it matters: as AI-generated text and voice becomes good enough that an attacker can convincingly fake a message from "your expert's clone" or "your cousin's productivity clone," there has to be a way to tell real messages from fake. Signing solves this. Fake messages simply do not carry the right signature.
The basic idea, in one paragraph. Every clone gets two mathematically-linked keys at creation: a public key (anyone can see it) and a private key (only we can see it, encrypted in our key vault). When the clone produces a reply, we compute a tiny "signature" from the reply content plus the private key. Anyone who has the public key can check that the signature matches — proving the reply came from this specific clone. If someone else tries to forge a message, they cannot produce a valid signature without the private key, and their fake message will fail verification.
What this guarantees: provenance. A message that verifies came from that clone. That is the one property signatures give you.
What this does NOT guarantee: that the advice is good, that the facts are correct, that the content is appropriate, or that the creator personally approves the content. Signatures tell you where the message came from, not whether you should agree with it.
How to verify a message you received. Every reply includes the clone ID and the signature. Paste them into our free verification tool at /verify — it returns the clone name, the creator, and whether the signature is valid. If the signature is invalid, the message is not from the clone it claims to be.
The cryptography, briefly. We use Ed25519, a modern, fast, widely-trusted signing algorithm used by Signal, WhatsApp, SSH, and countless other systems. Signatures are 64 bytes. Verifying takes under a millisecond. Private keys are stored wrapped by KMS — an attacker who compromised our database would see only wrapped ciphertext, still needing to breach KMS to forge a signature.
Key rotation. Every clone's signing key can be rotated (for example, on a new device or after a suspected compromise). Old signatures remain verifiable against the old public key (which stays published); new messages use the new key.
What about voice and avatar clones? Voice output includes a steganographic watermark and a downloadable signature envelope — harder to verify than text, but the same principle. Avatar video includes a visible "verified GeraClone" badge and a verifiable signature in the metadata. We publish the verification tools.
Family-trust story. A grandparent who receives an emotional message "from her son's clone" asking for money can paste the signature into the verifier and see that the message is (or is not) genuinely from the clone she knows. The message still might be a bad idea — clones can be manipulated into saying things — but at least she knows it came from the right place.
Attack class the signatures do NOT prevent: a legitimate clone being manipulated by a subscriber into producing content the creator would not approve of. This is a content-safety problem, not a provenance problem, and we address it via refusal rules and the GeraWitness review layer for high-risk actions. Provenance and content-safety are different problems.
For creators. Your clone's public key is visible on the creator dashboard. You can share it as part of your public bio so subscribers can verify any message they receive. Third-party verification services can ingest public keys at scale.
For subscribers. If a clone-adjacent message asks you to do something serious (send money, share credentials, change a contract), verify the signature. If it does not verify, do not act on it.