Verify Assurance Pack (offline)

No uploads • No network calls • Deterministic PASS / FAIL / HOLD • Requires secure context (https:// or localhost)

Download Assurance Pack Download DSSE Download keyring (DSSE) Download keyring trust anchors Download key transparency log

Tip: open once → airplane mode → verify. Assurance Pack overview • Org approval policy spec • Ticket binding spec

Verify your files

Assurance Pack ZIP

Assurance Pack DSSE (JSON)

Keyring snapshot DSSE (optional)

Key transparency log DSSE (optional)

Default: pinned keyring snapshot v1.0.0 (public‑safe demo). For rotated keys, select a newer keyring DSSE file.

Enforce key transparency log verification (recommended) If enabled, provide the log DSSE for non‑demo packs. We do not fetch anything.

—

Computed	Value
ZIP sha256	—
ZIP bytes	—
Air‑gap guard	—
Transparency log	—
Log head	—
Keyring ↔ log	—
Keyring DSSE	—
Keyring version	—
DSSE	—

Export verification receipt (for procurement / legal)

Generates a deterministic JSON receipt (hashes + verdicts + policy) that you can attach to internal review. Reviewer‑generated; you may optionally countersign locally below to produce a signed internal approval record.

Receipt field	Value
Artifact fingerprint	—
Verification run id	—

Countersign receipt (internal approval certificate)

Optionally countersign the latest verification receipt using your org/reviewer key locally. This produces a signed approval record you can attach to procurement/legal tickets. No key material is uploaded and the verifier makes no network calls.

Private key (JWK JSON) — local only

Recommended: use your org-managed signing key. Demo keys are for testing only.

Signer metadata (optional)

Key actions (JWK)

—

Key fingerprint: —

Hardware‑backed countersign (WebAuthn / Passkey)

Optional: countersign the receipt using a hardware‑backed key via WebAuthn (platform TPM/Secure Enclave or security key). The verifier remains fully offline (no uploads, no network calls). If your environment supports it, you can include attestation evidence (public‑safe; trust evaluation is your org’s responsibility). See hardware attestation spec.

WebAuthn options Embed attestation evidence in countersigned receipt (recommended)

Note: some browsers/authenticators will return no attestation even when requested.

Credential (local)

Hardware key status

—

Field	Value
Public key fingerprint	—
Authenticator attachment	—
Attestation fmt	—
AAGUID	—
Evidence sha256	—
Evidence checks	—

WebAuthn requires a secure context (HTTPS). This feature does not “prove identity” by itself; it produces cryptographic evidence that an authenticator signed the receipt payload digest.

Embed public key in countersignature (recommended) Enables offline verification without separate key files.

Ticket binding (optional, recommended) Bind countersignature to an internal ticket

Ticket fields are included inside the signed payload. The verifier remains fully offline.

Org approval keyring (optional)

Used for local threshold policy evaluation (e.g., 2-of-3). Sample • Spec

Enforce org approval policy (fail‑closed)

Org approval policy verdict

—

Policy: —
Matched: —
Ticket: —
Approval id: —
Bundle manifest hash: —

Approval statement (optional)

Countersigned receipt (optional, for verification)

Export attachment bundle Download air‑gapped kit —

Include ticket binding in QR payload (recommended) Speeds matching the attachment to JIRA/ServiceNow.

Field	Value
Base receipt sha256	—
Countersigned receipt id	—
Countersignatures	—

Countersignatures are reviewer-generated. Establishing signer identity is your org’s responsibility (e.g., device-provisioned keys / internal PKI).

Contents —

File	Expected	Computed	Status

Non‑guarantee: verifies integrity + signatures. Does not certify semantic correctness or universal safety.