Merge remote-tracking branch 'upstream/master' into reference

27482d81 · tavit ohanian · 4bc41ebc · 5976a802 · 27482d81 · 27482d81
Commit 27482d81 authored May 05, 2021 by tavit ohanian
23 changed files
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
+blank_issues_enabled: false
+contact_links:
+ - name: Getting Help on IPFS
+   url: https://ipfs.io/help
+   about: All information about how and where to get help on IPFS.
+ - name: IPFS Official Forum
+   url: https://discuss.ipfs.io
+   about: Please post general questions, support requests, and discussions here.
--- a/.github/ISSUE_TEMPLATE/open_an_issue.md
+++ b/.github/ISSUE_TEMPLATE/open_an_issue.md
+---
+name: Open an issue
+about: Only for actionable issues relevant to this repository.
+title: ''
+labels: need/triage
+assignees: ''
+---
+<!--
+Hello! To ensure this issue is correctly addressed as soon as possible by the IPFS team, please try to make sure:
+- This issue is relevant to this repository's topic or codebase.
+- A clear description is provided. It should includes as much relevant information as possible and clear scope for the issue to be actionable.
+FOR GENERAL DISCUSSION, HELP OR QUESTIONS, please see the options at https://ipfs.io/help or head directly to https://discuss.ipfs.io.
+(you can delete this section after reading)
+-->
--- a/.github/config.yml
+++ b/.github/config.yml
+# Configuration for welcome - https://github.com/behaviorbot/welcome
+# Configuration for new-issue-welcome - https://github.com/behaviorbot/new-issue-welcome
+# Comment to be posted to on first time issues
+newIssueWelcomeComment: >
+  Thank you for submitting your first issue to this repository! A maintainer
+  will be here shortly to triage and review.
+  In the meantime, please double-check that you have provided all the
+  necessary information to make this process easy! Any information that can
+  help save additional round trips is useful! We currently aim to give
+  initial feedback within **two business days**. If this does not happen, feel
+  free to leave a comment.
+  Please keep an eye on how this issue will be labeled, as labels give an
+  overview of priorities, assignments and additional actions requested by the
+  maintainers:
+    - "Priority" labels will show how urgent this is for the team.
+    - "Status" labels will show if this is ready to be worked on, blocked, or in progress.
+    - "Need" labels will indicate if additional input or analysis is required.
+  Finally, remember to use https://discuss.ipfs.io if you just need general
+  support.
+# Configuration for new-pr-welcome - https://github.com/behaviorbot/new-pr-welcome
+# Comment to be posted to on PRs from first time contributors in your repository
+newPRWelcomeComment: >
+  Thank you for submitting this PR!
+  A maintainer will be here shortly to review it.
+  We are super grateful, but we are also overloaded! Help us by making sure
+  that:
+    * The context for this PR is clear, with relevant discussion, decisions
+      and stakeholders linked/mentioned.
+    * Your contribution itself is clear (code comments, self-review for the
+      rest) and in its best form. Follow the [code contribution
+      guidelines](https://github.com/ipfs/community/blob/master/CONTRIBUTING.md#code-contribution-guidelines)
+      if they apply.
+  Getting other community members to do a review would be great help too on
+  complex PRs (you can ask in the chats/forums). If you are unsure about
+  something, just leave us a comment.
+  Next steps:
+    * A maintainer will triage and assign priority to this PR, commenting on
+      any missing things and potentially assigning a reviewer for high
+      priority items.
+    * The PR gets reviews, discussed and approvals as needed.
+    * The PR is merged by maintainers when it has been approved and comments addressed.
+  We currently aim to provide initial feedback/triaging within **two business
+  days**. Please keep an eye on any labelling actions, as these will indicate
+  priorities and status of your contribution.
+  We are very grateful for your contribution!
+# Configuration for first-pr-merge - https://github.com/behaviorbot/first-pr-merge
+# Comment to be posted to on pull requests merged by a first time user
+# Currently disabled
+#firstPRMergeComment: ""
--- a/.gx/lastpubver
+++ b/.gx/lastpubver
+0.1.23: QmUwMnKKjH3JwGKNVZ3TcP37W93xzqNA4ECFFiMo6sXkkc
--- a/.travis.yml
+++ b/.travis.yml
+os:
+  - linux
+language: go
+go:
+  - 1.13.x
+env:
+  global:
+    - GOTFLAGS="-race"
+  matrix:
+    - BUILD_DEPTYPE=gomod
+# disable travis install
+install:
+  - true
+script:
+  - bash <(curl -s https://raw.githubusercontent.com/ipfs/ci-helpers/master/travis-ci/run-standard-tests.sh)
+cache:
+  directories:
+    - $GOPATH/pkg/mod
+    - $HOME/.cache/go-build
+notifications:
+  email: false
--- a/LICENSE
+++ b/LICENSE
+The MIT License (MIT)
+Copyright (c) 2018 Protocol Labs, Inc.
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
\ No newline at end of file
--- a/Makefile
+++ b/Makefile
+export IPFS_API ?= v04x.ipfs.io
+gx:
+	go get -u github.com/whyrusleeping/gx
+	go get -u github.com/whyrusleeping/gx-go
+deps: gx
+	gx --verbose install --global
+	gx-go rewrite
--- a/README.md
+++ b/README.md
-# go-dms3ns
+# go-ipns
+[![](https://img.shields.io/badge/made%20by-Protocol%20Labs-blue.svg?style=flat-square)](http://protocol.ai)
+[![](https://img.shields.io/badge/project-IPFS-blue.svg?style=flat-square)](http://ipfs.io/)
+[![](https://img.shields.io/badge/freenode-%23ipfs-blue.svg?style=flat-square)](http://webchat.freenode.net/?channels=%23ipfs)
+[![standard-readme compliant](https://img.shields.io/badge/standard--readme-OK-green.svg?style=flat-square)](https://github.com/RichardLitt/standard-readme)
+[![GoDoc](https://godoc.org/github.com/ipfs/go-datastore?status.svg)](https://godoc.org/github.com/ipfs/go-ipns)
+> ipns record definitions
+This package contains all of the components necessary to create, understand, and validate IPNS records. It does *not* publish or resolve those records. [`go-ipfs`](https://github.com/ipfs/go-ipfs) uses this package internally to manipulate records.
+## Lead Maintainer
+[Adin Schmahmann](https://github.com/aschmahmann)
+## Usage
+To create a new IPNS record:
+```go
+import (
+	"time"
+	ipns "github.com/ipfs/go-ipns"
+	crypto "github.com/libp2p/go-libp2p-crypto"
+)
+// Generate a private key to sign the IPNS record with. Most of the time,
+// however, you'll want to retrieve an already-existing key from IPFS using the
+// go-ipfs/core/coreapi CoreAPI.KeyAPI() interface.
+privateKey, publicKey, err := crypto.GenerateKeyPair(crypto.RSA, 2048)
+if err != nil {
+  panic(err)
+}
+// Create an IPNS record that expires in one hour and points to the IPFS address
+// /ipfs/Qme1knMqwt1hKZbc1BmQFmnm9f36nyQGwXxPGVpVJ9rMK5
+ipnsRecord, err := ipns.Create(privateKey, []byte("/ipfs/Qme1knMqwt1hKZbc1BmQFmnm9f36nyQGwXxPGVpVJ9rMK5"), 0, time.Now().Add(1*time.Hour))
+if err != nil {
+	panic(err)
+}
+```
+Once you have the record, you’ll need to use IPFS to *publish* it.
+There are several other major operations you can do with `go-ipns`. Check out the [API docs](https://godoc.org/github.com/ipfs/go-ipns) or look at the tests in this repo for examples.
+## Documentation
+https://godoc.org/github.com/ipfs/go-ipns
+## Contribute
+Feel free to join in. All welcome. Open an [issue](https://github.com/ipfs/go-ipns/issues)!
+This repository falls under the IPFS [Code of Conduct](https://github.com/ipfs/community/blob/master/code-of-conduct.md).
+### Want to hack on IPFS?
+[![](https://cdn.rawgit.com/jbenet/contribute-ipfs-gif/master/img/contribute.gif)](https://github.com/ipfs/community/blob/master/CONTRIBUTING.md)
+## License
+Copyright (c) Protocol Labs, Inc. under the **MIT license**. See [LICENSE file](./LICENSE) for details.
--- a/codecov.yml
+++ b/codecov.yml
+coverage:
+  range: "50...100"
+comment: off
--- a/errors.go
+++ b/errors.go
+package ipns
+import (
+	"errors"
+)
+// ErrExpiredRecord should be returned when an ipns record is
+// invalid due to being too old
+var ErrExpiredRecord = errors.New("expired record")
+// ErrUnrecognizedValidity is returned when an IpnsRecord has an
+// unknown validity type.
+var ErrUnrecognizedValidity = errors.New("unrecognized validity type")
+// ErrInvalidPath should be returned when an ipns record path
+// is not in a valid format
+var ErrInvalidPath = errors.New("record path invalid")
+// ErrSignature should be returned when an ipns record fails
+// signature verification
+var ErrSignature = errors.New("record signature verification failed")
+// ErrKeyFormat should be returned when an ipns record key is
+// incorrectly formatted (not a peer ID)
+var ErrKeyFormat = errors.New("record key could not be parsed into peer ID")
+// ErrPublicKeyNotFound should be returned when the public key
+// corresponding to the ipns record path cannot be retrieved
+// from the peer store
+var ErrPublicKeyNotFound = errors.New("public key not found in peer store")
+// ErrPublicKeyMismatch should be returned when the public key embedded in the
+// record doesn't match the expected public key.
+var ErrPublicKeyMismatch = errors.New("public key in record did not match expected pubkey")
+// ErrBadRecord should be returned when an ipns record cannot be unmarshalled
+var ErrBadRecord = errors.New("record could not be unmarshalled")
--- a/examples/embed.go
+++ b/examples/embed.go
+package examples
+import (
+	"time"
+	pb "github.com/ipfs/go-ipns/pb"
+	ipns "github.com/ipfs/go-ipns"
+	crypto "github.com/libp2p/go-libp2p-core/crypto"
+)
+// CreateEntryWithEmbed shows how you can create an IPNS entry
+// and embed it with a public key. For ed25519 keys this is not needed
+// so attempting to embed with an ed25519 key, will not actually embed the key
+func CreateEntryWithEmbed(ipfsPath string, publicKey crypto.PubKey, privateKey crypto.PrivKey) (*pb.IpnsEntry, error) {
+	ipfsPathByte := []byte(ipfsPath)
+	eol := time.Now().Add(time.Hour * 48)
+	entry, err := ipns.Create(privateKey, ipfsPathByte, 1, eol)
+	if err != nil {
+		return nil, err
+	}
+	err = ipns.EmbedPublicKey(publicKey, entry)
+	if err != nil {
+		return nil, err
+	}
+	return entry, nil
+}
--- a/examples/examples_test.go
+++ b/examples/examples_test.go
+package examples_test
+import (
+	"testing"
+	"github.com/ipfs/go-ipns/examples"
+	crypto "github.com/libp2p/go-libp2p-core/crypto"
+)
+var testPath = "/ipfs/Qme1knMqwt1hKZbc1BmQFmnm9f36nyQGwXxPGVpVJ9rMK5"
+func TestKeyGeneration(t *testing.T) {
+	_, err := generateRSAKey()
+	if err != nil {
+		t.Error(err)
+	}
+	_, err = generateEDKey()
+	if err != nil {
+		t.Error(err)
+	}
+}
+func TestEmbeddedEntryCreation(t *testing.T) {
+	rk, err := generateRSAKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+	ek, err := generateEDKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = examples.CreateEntryWithEmbed(testPath, rk.GetPublic(), rk)
+	if err != nil {
+		t.Error(err)
+	}
+	_, err = examples.CreateEntryWithEmbed(testPath, ek.GetPublic(), ek)
+	if err != nil {
+		t.Error(err)
+	}
+}
+func generateRSAKey() (crypto.PrivKey, error) {
+	k, err := examples.GenerateRSAKeyPair(2048)
+	if err != nil {
+		return nil, err
+	}
+	return k, nil
+}
+func generateEDKey() (crypto.PrivKey, error) {
+	// ED25519 uses 256bit keys, and ignore the bit param
+	k, err := examples.GenerateEDKeyPair()
+	if err != nil {
+		return nil, err
+	}
+	return k, nil
+}
--- a/examples/key.go
+++ b/examples/key.go
+package examples
+import (
+	crypto "github.com/libp2p/go-libp2p-core/crypto"
+)
+// GenerateRSAKeyPair is used to generate an RSA key pair
+func GenerateRSAKeyPair(bits int) (crypto.PrivKey, error) {
+	priv, _, err := crypto.GenerateKeyPair(crypto.RSA, bits)
+	if err != nil {
+		return nil, err
+	}
+	return priv, nil
+}
+// GenerateEDKeyPair is used to generate an ED25519 keypair
+func GenerateEDKeyPair() (crypto.PrivKey, error) {
+	// ED25519 ignores the bit param and uses 256bit keys
+	priv, _, err := crypto.GenerateKeyPair(crypto.Ed25519, 256)
+	if err != nil {
+		return nil, err
+	}
+	return priv, nil
+}
--- a/go.mod
+++ b/go.mod
+module github.com/ipfs/go-ipns
+require (
+	github.com/gogo/protobuf v1.3.1
+	github.com/ipfs/go-ipfs-util v0.0.1
+	github.com/ipfs/go-log v0.0.1
+	github.com/libp2p/go-libp2p-core v0.2.5
+	github.com/libp2p/go-libp2p-peerstore v0.1.4
+	github.com/libp2p/go-libp2p-record v0.1.2
+)
+go 1.12
--- a/go.sum
+++ b/go.sum
--- a/ipns.go
+++ b/ipns.go
+package ipns
+import (
+	"bytes"
+	"fmt"
+	"time"
+	pb "github.com/ipfs/go-ipns/pb"
+	u "github.com/ipfs/go-ipfs-util"
+	ic "github.com/libp2p/go-libp2p-core/crypto"
+	peer "github.com/libp2p/go-libp2p-core/peer"
+)
+// Create creates a new IPNS entry and signs it with the given private key.
+//
+// This function does not embed the public key. If you want to do that, use
+// `EmbedPublicKey`.
+func Create(sk ic.PrivKey, val []byte, seq uint64, eol time.Time) (*pb.IpnsEntry, error) {
+	entry := new(pb.IpnsEntry)
+	entry.Value = val
+	typ := pb.IpnsEntry_EOL
+	entry.ValidityType = &typ
+	entry.Sequence = &seq
+	entry.Validity = []byte(u.FormatRFC3339(eol))
+	sig, err := sk.Sign(ipnsEntryDataForSig(entry))
+	if err != nil {
+		return nil, err
+	}
+	entry.Signature = sig
+	return entry, nil
+}
+// Validates validates the given IPNS entry against the given public key.
+func Validate(pk ic.PubKey, entry *pb.IpnsEntry) error {
+	// Check the ipns record signature with the public key
+	if ok, err := pk.Verify(ipnsEntryDataForSig(entry), entry.GetSignature()); err != nil || !ok {
+		return ErrSignature
+	}
+	eol, err := GetEOL(entry)
+	if err != nil {
+		return err
+	}
+	if time.Now().After(eol) {
+		return ErrExpiredRecord
+	}
+	return nil
+}
+// GetEOL returns the EOL of this IPNS entry
+//
+// This function returns ErrUnrecognizedValidity if the validity type of the
+// record isn't EOL. Otherwise, it returns an error if it can't parse the EOL.
+func GetEOL(entry *pb.IpnsEntry) (time.Time, error) {
+	if entry.GetValidityType() != pb.IpnsEntry_EOL {
+		return time.Time{}, ErrUnrecognizedValidity
+	}
+	return u.ParseRFC3339(string(entry.GetValidity()))
+}
+// EmbedPublicKey embeds the given public key in the given ipns entry. While not
+// strictly required, some nodes (e.g., DHT servers) may reject IPNS entries
+// that don't embed their public keys as they may not be able to validate them
+// efficiently.
+func EmbedPublicKey(pk ic.PubKey, entry *pb.IpnsEntry) error {
+	// Try extracting the public key from the ID. If we can, *don't* embed
+	// it.
+	id, err := peer.IDFromPublicKey(pk)
+	if err != nil {
+		return err
+	}
+	if _, err := id.ExtractPublicKey(); err != peer.ErrNoPublicKey {
+		// Either a *real* error or nil.
+		return err
+	}
+	// We failed to extract the public key from the peer ID, embed it in the
+	// record.
+	pkBytes, err := pk.Bytes()
+	if err != nil {
+		return err
+	}
+	entry.PubKey = pkBytes
+	return nil
+}
+// ExtractPublicKey extracts a public key matching `pid` from the IPNS record,
+// if possible.
+//
+// This function returns (nil, nil) when no public key can be extracted and
+// nothing is malformed.
+func ExtractPublicKey(pid peer.ID, entry *pb.IpnsEntry) (ic.PubKey, error) {
+	if entry.PubKey != nil {
+		pk, err := ic.UnmarshalPublicKey(entry.PubKey)
+		if err != nil {
+			return nil, fmt.Errorf("unmarshaling pubkey in record: %s", err)
+		}
+		expPid, err := peer.IDFromPublicKey(pk)
+		if err != nil {
+			return nil, fmt.Errorf("could not regenerate peerID from pubkey: %s", err)
+		}
+		if pid != expPid {
+			return nil, ErrPublicKeyMismatch
+		}
+		return pk, nil
+	}
+	return pid.ExtractPublicKey()
+}
+// Compare compares two IPNS entries. It returns:
+//
+// * -1 if a is older than b
+// * 0 if a and b cannot be ordered (this doesn't mean that they are equal)
+// * +1 if a is newer than b
+//
+// It returns an error when either a or b are malformed.
+//
+// NOTE: It *does not* validate the records, the caller is responsible for calling
+// `Validate` first.
+//
+// NOTE: If a and b cannot be ordered by this function, you can determine their
+// order by comparing their serialized byte representations (using
+// `bytes.Compare`). You must do this if you are implementing a libp2p record
+// validator (or you can just use the one provided for you by this package).
+func Compare(a, b *pb.IpnsEntry) (int, error) {
+	as := a.GetSequence()
+	bs := b.GetSequence()
+	if as > bs {
+		return 1, nil
+	} else if as < bs {
+		return -1, nil
+	}
+	at, err := u.ParseRFC3339(string(a.GetValidity()))
+	if err != nil {
+		return 0, err
+	}
+	bt, err := u.ParseRFC3339(string(b.GetValidity()))
+	if err != nil {
+		return 0, err
+	}
+	if at.After(bt) {
+		return 1, nil
+	} else if bt.After(at) {
+		return -1, nil
+	}
+	return 0, nil
+}
+func ipnsEntryDataForSig(e *pb.IpnsEntry) []byte {
+	return bytes.Join([][]byte{
+		e.Value,
+		e.Validity,
+		[]byte(fmt.Sprint(e.GetValidityType())),
+	},
+		[]byte{})
+}
--- a/ipns_test.go
+++ b/ipns_test.go
+package ipns
+import (
+	"fmt"
+	"testing"
+	"time"
+	u "github.com/ipfs/go-ipfs-util"
+	ci "github.com/libp2p/go-libp2p-core/crypto"
+	peer "github.com/libp2p/go-libp2p-core/peer"
+)
+func TestEmbedPublicKey(t *testing.T) {
+	sr := u.NewTimeSeededRand()
+	priv, pub, err := ci.GenerateKeyPairWithReader(ci.RSA, 2048, sr)
+	if err != nil {
+		t.Fatal(err)
+	}
+	pid, err := peer.IDFromPublicKey(pub)
+	if err != nil {
+		t.Fatal(err)
+	}
+	e, err := Create(priv, []byte("/a/b"), 0, time.Now().Add(1*time.Hour))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := EmbedPublicKey(pub, e); err != nil {
+		t.Fatal(err)
+	}
+	embeddedPk, err := ci.UnmarshalPublicKey(e.PubKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	embeddedPid, err := peer.IDFromPublicKey(embeddedPk)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if embeddedPid != pid {
+		t.Fatalf("pid mismatch: %s != %s", pid, embeddedPid)
+	}
+}
+func ExampleCreate() {
+	// Generate a private key to sign the IPNS record with. Most of the time,
+	// however, you'll want to retrieve an already-existing key from IPFS using
+	// go-ipfs/core/coreapi CoreAPI.KeyAPI() interface.
+	privateKey, _, err := ci.GenerateKeyPair(ci.RSA, 2048)
+	if err != nil {
+		panic(err)
+	}
+	// Create an IPNS record that expires in one hour and points to the IPFS address
+	// /ipfs/Qme1knMqwt1hKZbc1BmQFmnm9f36nyQGwXxPGVpVJ9rMK5
+	ipnsRecord, err := Create(privateKey, []byte("/ipfs/Qme1knMqwt1hKZbc1BmQFmnm9f36nyQGwXxPGVpVJ9rMK5"), 0, time.Now().Add(1*time.Hour))
+	if err != nil {
+		panic(err)
+	}
+	fmt.Println(ipnsRecord)
+}
--- a/pb/Makefile
+++ b/pb/Makefile
+PB = $(wildcard *.proto)
+GO = $(PB:.proto=.pb.go)
+all: $(GO)
+%.pb.go: %.proto
+		protoc --proto_path=$(GOPATH)/src:. --gogofast_out=. $<
+clean:
+		rm -f *.pb.go
+		rm -f *.go
--- a/pb/ipns.pb.go
+++ b/pb/ipns.pb.go
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: ipns.proto
+package ipns_pb
+import (
+	fmt "fmt"
+	github_com_gogo_protobuf_proto "github.com/gogo/protobuf/proto"
+	proto "github.com/gogo/protobuf/proto"
+	io "io"
+	math "math"
+	math_bits "math/bits"
+)
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+type IpnsEntry_ValidityType int32
+const (
+	// setting an EOL says "this record is valid until..."
+	IpnsEntry_EOL IpnsEntry_ValidityType = 0
+)
+var IpnsEntry_ValidityType_name = map[int32]string{
+	0: "EOL",
+}
+var IpnsEntry_ValidityType_value = map[string]int32{
+	"EOL": 0,
+}
+func (x IpnsEntry_ValidityType) Enum() *IpnsEntry_ValidityType {
+	p := new(IpnsEntry_ValidityType)
+	*p = x
+	return p
+}
+func (x IpnsEntry_ValidityType) String() string {
+	return proto.EnumName(IpnsEntry_ValidityType_name, int32(x))
+}
+func (x *IpnsEntry_ValidityType) UnmarshalJSON(data []byte) error {
+	value, err := proto.UnmarshalJSONEnum(IpnsEntry_ValidityType_value, data, "IpnsEntry_ValidityType")
+	if err != nil {
+		return err
+	}
+	*x = IpnsEntry_ValidityType(value)
+	return nil
+}
+func (IpnsEntry_ValidityType) EnumDescriptor() ([]byte, []int) {
+	return fileDescriptor_4d5b16fb32bfe8ea, []int{0, 0}
+}
+type IpnsEntry struct {
+	Value        []byte                  `protobuf:"bytes,1,req,name=value" json:"value,omitempty"`
+	Signature    []byte                  `protobuf:"bytes,2,req,name=signature" json:"signature,omitempty"`
+	ValidityType *IpnsEntry_ValidityType `protobuf:"varint,3,opt,name=validityType,enum=ipns.pb.IpnsEntry_ValidityType" json:"validityType,omitempty"`
+	Validity     []byte                  `protobuf:"bytes,4,opt,name=validity" json:"validity,omitempty"`
+	Sequence     *uint64                 `protobuf:"varint,5,opt,name=sequence" json:"sequence,omitempty"`
+	Ttl          *uint64                 `protobuf:"varint,6,opt,name=ttl" json:"ttl,omitempty"`
+	// in order for nodes to properly validate a record upon receipt, they need the public
+	// key associated with it. For old RSA keys, its easiest if we just send this as part of
+	// the record itself. For newer ed25519 keys, the public key can be embedded in the
+	// peerID, making this field unnecessary.
+	PubKey               []byte   `protobuf:"bytes,7,opt,name=pubKey" json:"pubKey,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+func (m *IpnsEntry) Reset()         { *m = IpnsEntry{} }
+func (m *IpnsEntry) String() string { return proto.CompactTextString(m) }
+func (*IpnsEntry) ProtoMessage()    {}
+func (*IpnsEntry) Descriptor() ([]byte, []int) {
+	return fileDescriptor_4d5b16fb32bfe8ea, []int{0}
+}
+func (m *IpnsEntry) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *IpnsEntry) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_IpnsEntry.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalToSizedBuffer(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (m *IpnsEntry) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_IpnsEntry.Merge(m, src)
+}
+func (m *IpnsEntry) XXX_Size() int {
+	return m.Size()
+}
+func (m *IpnsEntry) XXX_DiscardUnknown() {
+	xxx_messageInfo_IpnsEntry.DiscardUnknown(m)
+}
+var xxx_messageInfo_IpnsEntry proto.InternalMessageInfo
+func (m *IpnsEntry) GetValue() []byte {
+	if m != nil {
+		return m.Value
+	}
+	return nil
+}
+func (m *IpnsEntry) GetSignature() []byte {
+	if m != nil {
+		return m.Signature
+	}
+	return nil
+}
+func (m *IpnsEntry) GetValidityType() IpnsEntry_ValidityType {
+	if m != nil && m.ValidityType != nil {
+		return *m.ValidityType
+	}
+	return IpnsEntry_EOL
+}
+func (m *IpnsEntry) GetValidity() []byte {
+	if m != nil {
+		return m.Validity
+	}
+	return nil
+}
+func (m *IpnsEntry) GetSequence() uint64 {
+	if m != nil && m.Sequence != nil {
+		return *m.Sequence
+	}
+	return 0
+}
+func (m *IpnsEntry) GetTtl() uint64 {
+	if m != nil && m.Ttl != nil {
+		return *m.Ttl
+	}
+	return 0
+}
+func (m *IpnsEntry) GetPubKey() []byte {
+	if m != nil {
+		return m.PubKey
+	}
+	return nil
+}
+func init() {
+	proto.RegisterEnum("ipns.pb.IpnsEntry_ValidityType", IpnsEntry_ValidityType_name, IpnsEntry_ValidityType_value)
+	proto.RegisterType((*IpnsEntry)(nil), "ipns.pb.IpnsEntry")
+}
+func init() { proto.RegisterFile("ipns.proto", fileDescriptor_4d5b16fb32bfe8ea) }
+var fileDescriptor_4d5b16fb32bfe8ea = []byte{
+	// 221 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0xca, 0x2c, 0xc8, 0x2b,
+	0xd6, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x62, 0x87, 0xb0, 0x93, 0x94, 0xfe, 0x33, 0x72, 0x71,
+	0x7a, 0x16, 0xe4, 0x15, 0xbb, 0xe6, 0x95, 0x14, 0x55, 0x0a, 0x89, 0x70, 0xb1, 0x96, 0x25, 0xe6,
+	0x94, 0xa6, 0x4a, 0x30, 0x2a, 0x30, 0x69, 0xf0, 0x04, 0x41, 0x38, 0x42, 0x32, 0x5c, 0x9c, 0xc5,
+	0x99, 0xe9, 0x79, 0x89, 0x25, 0xa5, 0x45, 0xa9, 0x12, 0x4c, 0x60, 0x19, 0x84, 0x80, 0x90, 0x33,
+	0x17, 0x4f, 0x59, 0x62, 0x4e, 0x66, 0x4a, 0x66, 0x49, 0x65, 0x48, 0x65, 0x41, 0xaa, 0x04, 0xb3,
+	0x02, 0xa3, 0x06, 0x9f, 0x91, 0xbc, 0x1e, 0xd4, 0x06, 0x3d, 0xb8, 0xe9, 0x7a, 0x61, 0x48, 0xca,
+	0x82, 0x50, 0x34, 0x09, 0x49, 0x71, 0x71, 0xc0, 0xf8, 0x12, 0x2c, 0x0a, 0x8c, 0x1a, 0x3c, 0x41,
+	0x70, 0x3e, 0x48, 0xae, 0x38, 0xb5, 0xb0, 0x34, 0x35, 0x2f, 0x39, 0x55, 0x82, 0x55, 0x81, 0x51,
+	0x83, 0x25, 0x08, 0xce, 0x17, 0x12, 0xe0, 0x62, 0x2e, 0x29, 0xc9, 0x91, 0x60, 0x03, 0x0b, 0x83,
+	0x98, 0x42, 0x62, 0x5c, 0x6c, 0x05, 0xa5, 0x49, 0xde, 0xa9, 0x95, 0x12, 0xec, 0x60, 0x73, 0xa0,
+	0x3c, 0x25, 0x71, 0x2e, 0x1e, 0x64, 0xfb, 0x85, 0xd8, 0xb9, 0x98, 0x5d, 0xfd, 0x7d, 0x04, 0x18,
+	0x9c, 0x78, 0x4e, 0x3c, 0x92, 0x63, 0xbc, 0xf0, 0x48, 0x8e, 0xf1, 0xc1, 0x23, 0x39, 0x46, 0x40,
+	0x00, 0x00, 0x00, 0xff, 0xff, 0x32, 0x35, 0xc7, 0xf2, 0x25, 0x01, 0x00, 0x00,
+}
+func (m *IpnsEntry) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+func (m *IpnsEntry) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+func (m *IpnsEntry) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.XXX_unrecognized != nil {
+		i -= len(m.XXX_unrecognized)
+		copy(dAtA[i:], m.XXX_unrecognized)
+	}
+	if m.PubKey != nil {
+		i -= len(m.PubKey)
+		copy(dAtA[i:], m.PubKey)
+		i = encodeVarintIpns(dAtA, i, uint64(len(m.PubKey)))
+		i--
+		dAtA[i] = 0x3a
+	}
+	if m.Ttl != nil {
+		i = encodeVarintIpns(dAtA, i, uint64(*m.Ttl))
+		i--
+		dAtA[i] = 0x30
+	}
+	if m.Sequence != nil {
+		i = encodeVarintIpns(dAtA, i, uint64(*m.Sequence))
+		i--
+		dAtA[i] = 0x28
+	}
+	if m.Validity != nil {
+		i -= len(m.Validity)
+		copy(dAtA[i:], m.Validity)
+		i = encodeVarintIpns(dAtA, i, uint64(len(m.Validity)))
+		i--
+		dAtA[i] = 0x22
+	}
+	if m.ValidityType != nil {
+		i = encodeVarintIpns(dAtA, i, uint64(*m.ValidityType))
+		i--
+		dAtA[i] = 0x18
+	}
+	if m.Signature == nil {
+		return 0, github_com_gogo_protobuf_proto.NewRequiredNotSetError("signature")
+	} else {
+		i -= len(m.Signature)
+		copy(dAtA[i:], m.Signature)
+		i = encodeVarintIpns(dAtA, i, uint64(len(m.Signature)))
+		i--
+		dAtA[i] = 0x12
+	}
+	if m.Value == nil {
+		return 0, github_com_gogo_protobuf_proto.NewRequiredNotSetError("value")
+	} else {
+		i -= len(m.Value)
+		copy(dAtA[i:], m.Value)
+		i = encodeVarintIpns(dAtA, i, uint64(len(m.Value)))
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+func encodeVarintIpns(dAtA []byte, offset int, v uint64) int {
+	offset -= sovIpns(v)
+	base := offset
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return base
+}
+func (m *IpnsEntry) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if m.Value != nil {
+		l = len(m.Value)
+		n += 1 + l + sovIpns(uint64(l))
+	}
+	if m.Signature != nil {
+		l = len(m.Signature)
+		n += 1 + l + sovIpns(uint64(l))
+	}
+	if m.ValidityType != nil {
+		n += 1 + sovIpns(uint64(*m.ValidityType))
+	}
+	if m.Validity != nil {
+		l = len(m.Validity)
+		n += 1 + l + sovIpns(uint64(l))
+	}
+	if m.Sequence != nil {
+		n += 1 + sovIpns(uint64(*m.Sequence))
+	}
+	if m.Ttl != nil {
+		n += 1 + sovIpns(uint64(*m.Ttl))
+	}
+	if m.PubKey != nil {
+		l = len(m.PubKey)
+		n += 1 + l + sovIpns(uint64(l))
+	}
+	if m.XXX_unrecognized != nil {
+		n += len(m.XXX_unrecognized)
+	}
+	return n
+}
+func sovIpns(x uint64) (n int) {
+	return (math_bits.Len64(x|1) + 6) / 7
+}
+func sozIpns(x uint64) (n int) {
+	return sovIpns(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *IpnsEntry) Unmarshal(dAtA []byte) error {
+	var hasFields [1]uint64
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowIpns
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: IpnsEntry: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: IpnsEntry: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowIpns
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthIpns
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex < 0 {
+				return ErrInvalidLengthIpns
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Value = append(m.Value[:0], dAtA[iNdEx:postIndex]...)
+			if m.Value == nil {
+				m.Value = []byte{}
+			}
+			iNdEx = postIndex
+			hasFields[0] |= uint64(0x00000001)
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Signature", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowIpns
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthIpns
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex < 0 {
+				return ErrInvalidLengthIpns
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Signature = append(m.Signature[:0], dAtA[iNdEx:postIndex]...)
+			if m.Signature == nil {
+				m.Signature = []byte{}
+			}
+			iNdEx = postIndex
+			hasFields[0] |= uint64(0x00000002)
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ValidityType", wireType)
+			}
+			var v IpnsEntry_ValidityType
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowIpns
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= IpnsEntry_ValidityType(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ValidityType = &v
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Validity", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowIpns
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthIpns
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex < 0 {
+				return ErrInvalidLengthIpns
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Validity = append(m.Validity[:0], dAtA[iNdEx:postIndex]...)
+			if m.Validity == nil {
+				m.Validity = []byte{}
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Sequence", wireType)
+			}
+			var v uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowIpns
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Sequence = &v
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ttl", wireType)
+			}
+			var v uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowIpns
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Ttl = &v
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PubKey", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowIpns
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthIpns
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex < 0 {
+				return ErrInvalidLengthIpns
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PubKey = append(m.PubKey[:0], dAtA[iNdEx:postIndex]...)
+			if m.PubKey == nil {
+				m.PubKey = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipIpns(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthIpns
+			}
+			if (iNdEx + skippy) < 0 {
+				return ErrInvalidLengthIpns
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+	if hasFields[0]&uint64(0x00000001) == 0 {
+		return github_com_gogo_protobuf_proto.NewRequiredNotSetError("value")
+	}
+	if hasFields[0]&uint64(0x00000002) == 0 {
+		return github_com_gogo_protobuf_proto.NewRequiredNotSetError("signature")
+	}
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipIpns(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	depth := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowIpns
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowIpns
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+		case 1:
+			iNdEx += 8
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowIpns
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if length < 0 {
+				return 0, ErrInvalidLengthIpns
+			}
+			iNdEx += length
+			if iNdEx < 0 {
+				return 0, ErrInvalidLengthIpns
+			}
+		case 3:
+			depth++
+		case 4:
+			if depth == 0 {
+				return 0, ErrUnexpectedEndOfGroupIpns
+			}
+			depth--
+		case 5:
+			iNdEx += 4
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+		if depth == 0 {
+			return iNdEx, nil
+		}
+	}
+	return 0, io.ErrUnexpectedEOF
+}
+var (
+	ErrInvalidLengthIpns        = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowIpns          = fmt.Errorf("proto: integer overflow")
+	ErrUnexpectedEndOfGroupIpns = fmt.Errorf("proto: unexpected end of group")
+)
--- a/pb/ipns.proto
+++ b/pb/ipns.proto
+syntax = "proto2";
+package ipns.pb;
+message IpnsEntry {
+	enum ValidityType {
+		// setting an EOL says "this record is valid until..."
+		EOL = 0;
+	}
+	required bytes value = 1;
+	required bytes signature = 2;
+	optional ValidityType validityType = 3;
+	optional bytes validity = 4;
+	optional uint64 sequence = 5;
+	optional uint64 ttl = 6;
+	// in order for nodes to properly validate a record upon receipt, they need the public
+	// key associated with it. For old RSA keys, its easiest if we just send this as part of
+	// the record itself. For newer ed25519 keys, the public key can be embedded in the
+	// peerID, making this field unnecessary.
+	optional bytes pubKey = 7;
+}
--- a/record.go
+++ b/record.go
+package ipns
+import (
+	"bytes"
+	"errors"
+	pb "github.com/ipfs/go-ipns/pb"
+	proto "github.com/gogo/protobuf/proto"
+	logging "github.com/ipfs/go-log"
+	ic "github.com/libp2p/go-libp2p-core/crypto"
+	peer "github.com/libp2p/go-libp2p-core/peer"
+	pstore "github.com/libp2p/go-libp2p-core/peerstore"
+	record "github.com/libp2p/go-libp2p-record"
+)
+var log = logging.Logger("ipns")
+var _ record.Validator = Validator{}
+// RecordKey returns the libp2p record key for a given peer ID.
+func RecordKey(pid peer.ID) string {
+	return "/ipns/" + string(pid)
+}
+// Validator is an IPNS record validator that satisfies the libp2p record
+// validator interface.
+type Validator struct {
+	// KeyBook, if non-nil, will be used to lookup keys for validating IPNS
+	// records.
+	KeyBook pstore.KeyBook
+}
+// Validate validates an IPNS record.
+func (v Validator) Validate(key string, value []byte) error {
+	ns, pidString, err := record.SplitKey(key)
+	if err != nil || ns != "ipns" {
+		return ErrInvalidPath
+	}
+	// Parse the value into an IpnsEntry
+	entry := new(pb.IpnsEntry)
+	err = proto.Unmarshal(value, entry)
+	if err != nil {
+		return ErrBadRecord
+	}
+	// Get the public key defined by the ipns path
+	pid, err := peer.IDFromString(pidString)
+	if err != nil {
+		log.Debugf("failed to parse ipns record key %s into peer ID", pidString)
+		return ErrKeyFormat
+	}
+	pubk, err := v.getPublicKey(pid, entry)
+	if err != nil {
+		return err
+	}
+	return Validate(pubk, entry)
+}
+func (v Validator) getPublicKey(pid peer.ID, entry *pb.IpnsEntry) (ic.PubKey, error) {
+	switch pk, err := ExtractPublicKey(pid, entry); err {
+	case peer.ErrNoPublicKey:
+	case nil:
+		return pk, nil
+	default:
+		return nil, err
+	}
+	if v.KeyBook == nil {
+		log.Debugf("public key with hash %s not found in IPNS record and no peer store provided", pid)
+		return nil, ErrPublicKeyNotFound
+	}
+	pubk := v.KeyBook.PubKey(pid)
+	if pubk == nil {
+		log.Debugf("public key with hash %s not found in peer store", pid)
+		return nil, ErrPublicKeyNotFound
+	}
+	return pubk, nil
+}
+// Select selects the best record by checking which has the highest sequence
+// number and latest EOL.
+//
+// This function returns an error if any of the records fail to parse. Validate
+// your records first!
+func (v Validator) Select(k string, vals [][]byte) (int, error) {
+	var recs []*pb.IpnsEntry
+	for _, v := range vals {
+		e := new(pb.IpnsEntry)
+		if err := proto.Unmarshal(v, e); err != nil {
+			return -1, err
+		}
+		recs = append(recs, e)
+	}
+	return selectRecord(recs, vals)
+}
+func selectRecord(recs []*pb.IpnsEntry, vals [][]byte) (int, error) {
+	switch len(recs) {
+	case 0:
+		return -1, errors.New("no usable records in given set")
+	case 1:
+		return 0, nil
+	}
+	var i int
+	for j := 1; j < len(recs); j++ {
+		cmp, err := Compare(recs[i], recs[j])
+		if err != nil {
+			return -1, err
+		}
+		if cmp == 0 {
+			cmp = bytes.Compare(vals[i], vals[j])
+		}
+		if cmp < 0 {
+			i = j
+		}
+	}
+	return i, nil
+}
--- a/select_test.go
+++ b/select_test.go
+package ipns
+import (
+	"fmt"
+	"math/rand"
+	"testing"
+	"time"
+	pb "github.com/ipfs/go-ipns/pb"
+	proto "github.com/gogo/protobuf/proto"
+	u "github.com/ipfs/go-ipfs-util"
+	ci "github.com/libp2p/go-libp2p-core/crypto"
+)
+func shuffle(a []*pb.IpnsEntry) {
+	for n := 0; n < 5; n++ {
+		for i, _ := range a {
+			j := rand.Intn(len(a))
+			a[i], a[j] = a[j], a[i]
+		}
+	}
+}
+func AssertSelected(r *pb.IpnsEntry, from ...*pb.IpnsEntry) error {
+	shuffle(from)
+	var vals [][]byte
+	for _, r := range from {
+		data, err := proto.Marshal(r)
+		if err != nil {
+			return err
+		}
+		vals = append(vals, data)
+	}
+	i, err := selectRecord(from, vals)
+	if err != nil {
+		return err
+	}
+	if from[i] != r {
+		return fmt.Errorf("selected incorrect record %d", i)
+	}
+	return nil
+}
+func TestOrdering(t *testing.T) {
+	// select timestamp so selection is deterministic
+	ts := time.Unix(1000000, 0)
+	// generate a key for signing the records
+	r := u.NewSeededRand(15) // generate deterministic keypair
+	priv, _, err := ci.GenerateKeyPairWithReader(ci.RSA, 2048, r)
+	if err != nil {
+		t.Fatal(err)
+	}
+	e1, err := Create(priv, []byte("foo"), 1, ts.Add(time.Hour))
+	if err != nil {
+		t.Fatal(err)
+	}
+	e2, err := Create(priv, []byte("bar"), 2, ts.Add(time.Hour))
+	if err != nil {
+		t.Fatal(err)
+	}
+	e3, err := Create(priv, []byte("baz"), 3, ts.Add(time.Hour))
+	if err != nil {
+		t.Fatal(err)
+	}
+	e4, err := Create(priv, []byte("cat"), 3, ts.Add(time.Hour*2))
+	if err != nil {
+		t.Fatal(err)
+	}
+	e5, err := Create(priv, []byte("dog"), 4, ts.Add(time.Hour*3))
+	if err != nil {
+		t.Fatal(err)
+	}
+	e6, err := Create(priv, []byte("fish"), 4, ts.Add(time.Hour*3))
+	if err != nil {
+		t.Fatal(err)
+	}
+	// e1 is the only record, i hope it gets this right
+	err = AssertSelected(e1, e1)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// e2 has the highest sequence number
+	err = AssertSelected(e2, e1, e2)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// e3 has the highest sequence number
+	err = AssertSelected(e3, e1, e2, e3)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// e4 has a higher timeout
+	err = AssertSelected(e4, e1, e2, e3, e4)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// e5 has the highest sequence number
+	err = AssertSelected(e5, e1, e2, e3, e4, e5)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// e6 should be selected as its signauture will win in the comparison
+	err = AssertSelected(e6, e1, e2, e3, e4, e5, e6)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_ = []interface{}{e1, e2, e3, e4, e5, e6}
+}
--- a/validate_test.go
+++ b/validate_test.go
+package ipns
+import (
+	"fmt"
+	"math/rand"
+	"strings"
+	"testing"
+	"time"
+	pb "github.com/ipfs/go-ipns/pb"
+	proto "github.com/gogo/protobuf/proto"
+	u "github.com/ipfs/go-ipfs-util"
+	ci "github.com/libp2p/go-libp2p-core/crypto"
+	peer "github.com/libp2p/go-libp2p-core/peer"
+	pstore "github.com/libp2p/go-libp2p-core/peerstore"
+	pstoremem "github.com/libp2p/go-libp2p-peerstore/pstoremem"
+)
+func testValidatorCase(t *testing.T, priv ci.PrivKey, kbook pstore.KeyBook, key string, val []byte, eol time.Time, exp error) {
+	t.Helper()
+	match := func(t *testing.T, err error) {
+		t.Helper()
+		if err != exp {
+			params := fmt.Sprintf("key: %s\neol: %s\n", key, eol)
+			if exp == nil {
+				t.Fatalf("Unexpected error %s for params %s", err, params)
+			} else if err == nil {
+				t.Fatalf("Expected error %s but there was no error for params %s", exp, params)
+			} else {
+				t.Fatalf("Expected error %s but got %s for params %s", exp, err, params)
+			}
+		}
+	}
+	testValidatorCaseMatchFunc(t, priv, kbook, key, val, eol, match)
+}
+func testValidatorCaseMatchFunc(t *testing.T, priv ci.PrivKey, kbook pstore.KeyBook, key string, val []byte, eol time.Time, matchf func(*testing.T, error)) {
+	t.Helper()
+	validator := Validator{kbook}
+	data := val
+	if data == nil {
+		p := []byte("/ipfs/QmfM2r8seH2GiRaC4esTjeraXEachRt8ZsSeGaWTPLyMoG")
+		entry, err := Create(priv, p, 1, eol)
+		if err != nil {
+			t.Fatal(err)
+		}
+		data, err = proto.Marshal(entry)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+	matchf(t, validator.Validate(key, data))
+}
+func TestValidator(t *testing.T) {
+	ts := time.Now()
+	priv, id, _ := genKeys(t)
+	priv2, id2, _ := genKeys(t)
+	kbook := pstoremem.NewPeerstore()
+	kbook.AddPubKey(id, priv.GetPublic())
+	emptyKbook := pstoremem.NewPeerstore()
+	testValidatorCase(t, priv, kbook, "/ipns/"+string(id), nil, ts.Add(time.Hour), nil)
+	testValidatorCase(t, priv, kbook, "/ipns/"+string(id), nil, ts.Add(time.Hour*-1), ErrExpiredRecord)
+	testValidatorCase(t, priv, kbook, "/ipns/"+string(id), []byte("bad data"), ts.Add(time.Hour), ErrBadRecord)
+	testValidatorCase(t, priv, kbook, "/ipns/"+"bad key", nil, ts.Add(time.Hour), ErrKeyFormat)
+	testValidatorCase(t, priv, emptyKbook, "/ipns/"+string(id), nil, ts.Add(time.Hour), ErrPublicKeyNotFound)
+	testValidatorCase(t, priv2, kbook, "/ipns/"+string(id2), nil, ts.Add(time.Hour), ErrPublicKeyNotFound)
+	testValidatorCase(t, priv2, kbook, "/ipns/"+string(id), nil, ts.Add(time.Hour), ErrSignature)
+	testValidatorCase(t, priv, kbook, "//"+string(id), nil, ts.Add(time.Hour), ErrInvalidPath)
+	testValidatorCase(t, priv, kbook, "/wrong/"+string(id), nil, ts.Add(time.Hour), ErrInvalidPath)
+}
+func mustMarshal(t *testing.T, entry *pb.IpnsEntry) []byte {
+	t.Helper()
+	data, err := proto.Marshal(entry)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return data
+}
+func TestEmbeddedPubKeyValidate(t *testing.T) {
+	goodeol := time.Now().Add(time.Hour)
+	kbook := pstoremem.NewPeerstore()
+	pth := []byte("/ipfs/QmfM2r8seH2GiRaC4esTjeraXEachRt8ZsSeGaWTPLyMoG")
+	priv, _, ipnsk := genKeys(t)
+	entry, err := Create(priv, pth, 1, goodeol)
+	if err != nil {
+		t.Fatal(err)
+	}
+	testValidatorCase(t, priv, kbook, ipnsk, mustMarshal(t, entry), goodeol, ErrPublicKeyNotFound)
+	pubkb, err := priv.GetPublic().Bytes()
+	if err != nil {
+		t.Fatal(err)
+	}
+	entry.PubKey = pubkb
+	testValidatorCase(t, priv, kbook, ipnsk, mustMarshal(t, entry), goodeol, nil)
+	entry.PubKey = []byte("probably not a public key")
+	testValidatorCaseMatchFunc(t, priv, kbook, ipnsk, mustMarshal(t, entry), goodeol, func(t *testing.T, err error) {
+		if !strings.Contains(err.Error(), "unmarshaling pubkey in record:") {
+			t.Fatal("expected pubkey unmarshaling to fail")
+		}
+	})
+	opriv, _, _ := genKeys(t)
+	wrongkeydata, err := opriv.GetPublic().Bytes()
+	if err != nil {
+		t.Fatal(err)
+	}
+	entry.PubKey = wrongkeydata
+	testValidatorCase(t, priv, kbook, ipnsk, mustMarshal(t, entry), goodeol, ErrPublicKeyMismatch)
+}
+func TestPeerIDPubKeyValidate(t *testing.T) {
+	t.Skip("disabled until libp2p/go-libp2p-crypto#51 is fixed")
+	goodeol := time.Now().Add(time.Hour)
+	kbook := pstoremem.NewPeerstore()
+	pth := []byte("/ipfs/QmfM2r8seH2GiRaC4esTjeraXEachRt8ZsSeGaWTPLyMoG")
+	sk, pk, err := ci.GenerateEd25519Key(rand.New(rand.NewSource(42)))
+	if err != nil {
+		t.Fatal(err)
+	}
+	pid, err := peer.IDFromPublicKey(pk)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ipnsk := "/ipns/" + string(pid)
+	entry, err := Create(sk, pth, 1, goodeol)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dataNoKey, err := proto.Marshal(entry)
+	if err != nil {
+		t.Fatal(err)
+	}
+	testValidatorCase(t, sk, kbook, ipnsk, dataNoKey, goodeol, nil)
+}
+func genKeys(t *testing.T) (ci.PrivKey, peer.ID, string) {
+	sr := u.NewTimeSeededRand()
+	priv, _, err := ci.GenerateKeyPairWithReader(ci.RSA, 2048, sr)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// Create entry with expiry in one hour
+	pid, err := peer.IDFromPrivateKey(priv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ipnsKey := RecordKey(pid)
+	return priv, pid, ipnsKey
+}