How can I verify a TrackForge certification without trusting TrackForge?

Every certification includes cryptographic proofs. You recompute the SHA-256 fingerprint from the raw metadata — if it matches, the data is identical to what was certified. A Merkle tree proves a specific track was in the certified batch. A Bitcoin blockchain timestamp proves when certification happened. All steps are self-contained and work without contacting TrackForge.

What is a Merkle tree and why does it matter for music certification?

A Merkle tree combines thousands of track fingerprints into a single root hash. Any individual track can prove it was included in the certified catalogue without revealing other tracks' data. For 10,000 tracks, an inclusion proof requires only about 14 hashes — compact, fast, and privacy-preserving.

Version: v2.0

Independent Verification — Why You Don't Have to Trust Us

Q: What does cryptographic verification NOT prove?

It proves the data has not changed since certification and that certification happened when claimed. It does not prove that the underlying data was correct in the first place. If a writer's IPI number was wrong when certified, the fingerprint faithfully records the wrong number. The rating methodology ensures rigour; the cryptographic layer ensures tamper-proofness.

The trust problem

If the only way to believe a rating is to take the rater's word for it, you have not solved the information asymmetry problem. You have merely moved trust from the seller to a new intermediary.

A buyer's lawyer should be able to ask two questions and get answers that do not depend on TrackForge being honest:

"How do I know the data hasn't been changed since certification?"
"How do I know this track was actually part of the certified batch?"

TrackForge answers both with mathematical proof.

The simple version

Think of it like notarising a document — but one that nobody can forge, alter, or backdate, and that you can verify yourself without the notary's involvement.

When TrackForge certifies a catalogue, three things happen:

1. Every track gets a unique digital fingerprint

The metadata is run through a mathematical function that produces a fixed string of characters. The same data always produces the same fingerprint. Change a single digit — one character of a writer's ID, one percentage point of an ownership share — and the fingerprint changes completely. Anyone with the same metadata can compute the fingerprint and check it matches.

2. All fingerprints are combined into a single catalogue fingerprint

Thousands of track fingerprints are combined in pairs, those pairs are combined again, and so on, until a single "root" fingerprint remains — 64 characters that represent every track in the catalogue. The clever part: any individual track can prove it was included without revealing any other track's data.

3. The catalogue fingerprint is permanently timestamped

The root fingerprint is recorded on a public blockchain — a distributed ledger maintained by a global network that no single party controls. This creates an immutable record that this exact fingerprint existed at this exact point in time. It cannot be altered, backdated, or deleted.

4. The rating methodology is independently timestamped

The rules that govern the rating — every threshold, criterion, and disclosure — are also fingerprinted and permanently timestamped on the blockchain, separately from any individual certification. This means the methodology itself cannot be changed retroactively. A verifier can confirm that the rating rules predated the certification they governed, closing the loop on the question: "Could the rules have been adjusted after the fact to produce a more favourable result?" The answer is mathematically provable: no.

The result: any third party can independently confirm that the data hasn't changed, that a specific track was part of the certified batch, that the certification happened when it claims, and that the rating rules were locked in before the assessment — all without contacting TrackForge.

Why this matters commercially

This is not technology for technology's sake. Each step solves a specific commercial problem:

Fingerprinting solves the "was this data altered?" problem. In a traditional advisory engagement, a buyer must trust that the data in the report is what was actually reviewed. With TrackForge, the buyer recomputes the fingerprint from the raw data. If it matches, the data is identical to what was certified. If it doesn't, something has changed. No trust required.

The combined fingerprint solves the "was this track really part of the deal?" problem. A buyer can verify that a specific track was included in the certified catalogue without seeing the entire catalogue's data. This is important for partial acquisitions, sub-licensing, and portfolio carve-outs — common structures in music rights transactions.

The blockchain timestamp solves the "when was this actually done?" problem. A PDF report can be backdated. A blockchain record cannot. This provides independently verifiable proof of when the assessment happened — critical for re-certification, recourse claims, and regulatory compliance.

The technical detail (for those who want it)

The fingerprinting uses SHA-256, a cryptographic hash function that is an industry standard used in banking, government systems, and digital signatures worldwide. The serialisation rules are published so any engineer can reproduce the process.

The combined fingerprint uses a Merkle tree — a data structure that allows individual items to prove their inclusion in a set without revealing the other items. For a catalogue of 10,000 tracks, an inclusion proof requires only about 14 hashes. Compact, fast, and privacy-preserving.

The timestamp uses OpenTimestamps on the Bitcoin blockchain — chosen because it is the most widely distributed and longest-running public blockchain, providing the highest assurance of permanence. See Blockchain Anchoring for implementation details.

Comparison at a glance

	Consultant report	TrackForge certification
Can the buyer verify data hasn't changed?	No — must trust the consultant	Yes — recompute the fingerprint
Can a third party reproduce the analysis?	No — methodology is proprietary	Yes — methodology is published
Is there proof of when the assessment happened?	Dated report (can be backdated)	Blockchain timestamp (immutable)
Can individual tracks be verified privately?	No	Yes — inclusion proofs
Does verification need the assessor?	Yes	No — all proofs are self-contained
What if the assessor goes out of business?	Report becomes unverifiable	Proofs remain valid indefinitely
Can the methodology be changed retroactively?	No way to verify	No — methodology is OTS-timestamped on Bitcoin

What this does not do

Cryptographic verification proves that the data has not changed since certification and that the certification happened when it claims. It does not prove that the underlying data was correct in the first place. If a writer's IPI number was wrong when certified, the fingerprint faithfully records the wrong number.

This is why the rating methodology — the process by which TrackForge enriches, validates, and scores metadata — is equally important. The cryptographic layer ensures the assessment is tamper-proof and verifiable. The methodology ensures it is rigorous.

Together, they provide something that has never existed in the music rights market: a standardised, verifiable, and comparable assessment of catalogue quality.

Return to: Why TrackForge Exists

Notes

The trust problem​

The simple version​

1. Every track gets a unique digital fingerprint​

2. All fingerprints are combined into a single catalogue fingerprint​

3. The catalogue fingerprint is permanently timestamped​

4. The rating methodology is independently timestamped​

Why this matters commercially​

The technical detail (for those who want it)​

Comparison at a glance​

What this does not do​