Verify locally. Compare the public state and independent replay.
Run the published verifier against the current public state, then compare your result to the independent replay path for the same signed bundle, verdict, and reason path.
Use the signed release for canonical truth. Surface refinements do not replace the receipt. Local verification and independent replay still converge on the same authority path.
Compare local verification to the public state and independent replay.
Local verification and independent replay should converge on the same verdict, digest, and reason path.
Use the compare panel as the authority surface. Current public truth and any independently witnessed HOLD stay separated until external replay is published.
Authority surface for current public truth and any independently witnessed HOLD.
Falsification Receipt is the standards name for the replay object behind local, witnessed, and challenged outcomes. Read replay spec.
Front-door trust asset: independently witnessed HOLD. Public spec text remains subject to revision as witnessed replay matures.
Canonical local verification path.
The same signed production pointer and machine index drive both local verification and any future independent replay.
Single-source reviewer navigation. If any page text conflicts with a signed receipt, treat it as HOLD and follow the receipt.
/.well-known/mvg-prod.json (+ .asc) is the single signed production pointer.
Determine state from signature validity (fail‑closed):
missing ⇒ HOLD; invalid ⇒ FAIL; valid signature ⇒ proceed to verify referenced receipts offline.
- site_release_verification_keyring_url = /trust/site-release/latest/pgp.asc
- security_contact_encryption_key_url = /pgp.asc
- security.txt
Run local verification.
Drop a Conformance Pack. All verification runs locally in your browser. Nothing is sent to Meridian Verity Group.
The first action is obvious. The proof surface stays clean. Advanced audit utilities still exist below the fold.
Self-test, Auditor Mode, signed report export, org signer, mock server, OpenAPI, curl, spec, CLI, pinned versions, observed reason codes, and the procurement-kit bridge stay on the page.
What is checked
- Pack structure + required files
- SHA-256 digests recomputed in browser
- Registry snapshot pin match + deterministic replay
- DSSE signature verification (Ed25519)
- Optional COSE + JWS payload equivalence
- Optional witness threshold + transparency receipts
What to attach to Jira
- Conformance Pack (.zip)
- receipts (.jsonl)
- signing request (.signing_request.json)
Advanced auditor options
DSSE, COSE + JWS, witness policy, transparency, signed export, org signer, mock server, OpenAPI, curl, spec, and CLI remain available below the fold.
Auditor checks (optional)
Stricter checks. Unsupported crypto or codec becomes HOLD (fail closed).
- DSSE (required): verify DSSE envelopes + snapshot_id recomputation.
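The fail-closed state mapping (missing ⇒ HOLD, invalid ⇒ FAIL, valid ⇒ proceed) applied to the DSSE Ed25519 check, as an added example that is not Meridian Verity Group's verifier code. The pre-authentication encoding follows the public DSSE specification and the code runs under Node.js. Assumptions: the envelope, key id, payload type, reason strings, keyring shape, and the choice to treat an untrusted signer as HOLD are all constructed for illustration.

```javascript
const crypto = require("node:crypto");

// DSSE pre-authentication encoding (PAE): the exact bytes that get signed.
// "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body, lengths as ASCII decimal byte counts.
function pae(payloadType, payload) {
  const type = Buffer.from(payloadType, "utf8");
  return Buffer.concat([
    Buffer.from(`DSSEv1 ${type.length} `, "utf8"), type,
    Buffer.from(` ${payload.length} `, "utf8"), payload,
  ]);
}

// Fail-closed verdict: absent evidence => HOLD, contradicted evidence => FAIL.
// trustedKeys maps keyid -> Ed25519 public KeyObject (hypothetical keyring shape).
function verifyEnvelope(envelope, trustedKeys) {
  if (!envelope || !Array.isArray(envelope.signatures) || envelope.signatures.length === 0) {
    return { verdict: "HOLD", reason: "signature_missing" };
  }
  if (typeof envelope.payload !== "string" || typeof envelope.payloadType !== "string") {
    return { verdict: "HOLD", reason: "envelope_malformed" };
  }
  const payload = Buffer.from(envelope.payload, "base64");
  const signed = pae(envelope.payloadType, payload);
  let sawTrustedKey = false;
  for (const { keyid, sig } of envelope.signatures) {
    const key = trustedKeys.get(keyid);
    if (!key || typeof sig !== "string") continue; // untrusted signer: no evidence (assumption)
    sawTrustedKey = true;
    if (crypto.verify(null, signed, key, Buffer.from(sig, "base64"))) {
      return { verdict: "PROCEED", reason: "signature_valid", payload };
    }
  }
  return sawTrustedKey
    ? { verdict: "FAIL", reason: "signature_invalid" }
    : { verdict: "HOLD", reason: "no_trusted_key" };
}

// Constructed sample: throwaway key pair and a made-up payload type.
function makeSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const payloadType = "application/vnd.example.receipt+json";
  const payload = Buffer.from(JSON.stringify({ verdict: "PASS" }));
  const sig = crypto.sign(null, pae(payloadType, payload), privateKey).toString("base64");
  const envelope = { payloadType, payload: payload.toString("base64"), signatures: [{ keyid: "k1", sig }] };
  return { envelope, trustedKeys: new Map([["k1", publicKey]]) };
}
```

Only a `PROCEED` result returns the decoded payload, so later checks cannot consume bytes that were never authenticated.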
Non-guarantee / scope
| Scenario | Result | Time |
|---|---|---|
Signed export, signing request, anchored sample verification, org signer, mock server, OpenAPI, curl, spec, CLI, and pinned reason-code evidence remain available after verification.
Challenge failure semantics in public.
Use public fixtures to prove that HOLD and FAIL remain visible, replayable, and not hidden behind page copy.
Pinned versions (replay pins)
Observed reason codes
ta.mvg.verifier.signing.2026-02-09.v24.demo · nvrs:sha256:84532531a4e4952bcb0cce5a989c3805969868470d53cb55b6965b844c3604d1
Key anchors.
Verified locally?
Move from local verification into procurement-ready evidence or NDA-backed licensing diligence. The same public state remains the front door for buyer review, security review, and commercial handoff.