I have a few git repositories of content that will be updated constantly over the next decade. At some point down the road I anticipate being asked to prove that the content was actually in the state I claim it was based on the commit history. In particular I would like to to tag specific commits (checkpoints) in such a way that someone down the road could verify what date that content first existed on.
All the commits are GPG signed which is a reasonable proof (for my use case) of who the author was, but the timestamps on git commits are arbitrary values that (conceivably) I could forge later with a rebase, sign the commits and pretend the content is older than it actually is.
Is there a cryptographically secure way to validate that content existed at a specific time? Basically I need to show that a SHA checksum was, in fact, generated at a certain time. Can this be done without a third party escrow (e-signature) service? So far the only thing that came to mind is putting the checksum in a transaction on the bitcoin blockchain. Is there some protocol for this sort of thing I don't know about?