Verify Diligence Pack (offline)

No uploads • No network calls • Deterministic PASS / FAIL / HOLD • Requires secure context (https:// or localhost)

Download teaser pack (ZIP) Download sample private receipt (DSSE) Download commitment log (JSON) Download signed head (DSSE) Download trust anchors

Tip: open once → airplane mode → verify. Diligence commitments overview • Org approval policy spec • Ticket binding spec

Verify your files

Diligence Pack ZIP

Private receipt DSSE (JSON)

Commitment log head DSSE (optional)

Commitment log JSON (optional)

Default: pinned trust anchors v1.0.0 (public‑safe demo). We do not fetch anything.

Enforce public commitment log verification (recommended) If enabled, provide both the commitment log JSON + signed head DSSE for non‑demo packs. We do not fetch anything.

—

Computed	Value
ZIP sha256	—
ZIP bytes	—
Computed commitment	—
Air‑gap guard	—
Commitment log	—
Log head	—
Commitment ↔ log	—
Log head DSSE	—
Receipt pack_version	—
DSSE	—

Export verification receipt (for procurement / legal)

Generates a deterministic JSON receipt (hashes + verdicts + policy) that you can attach to internal review. Reviewer‑generated; you may optionally countersign locally below to produce a signed internal approval record.

Receipt field	Value
Artifact fingerprint	—
Verification run id	—

Countersign receipt (internal approval certificate)

Optionally countersign the latest verification receipt using your org/reviewer key locally. This produces a signed approval record you can attach to procurement/legal tickets. No key material is uploaded and the verifier makes no network calls.

Private key (JWK JSON) — local only

Recommended: use your org-managed signing key. Demo keys are for testing only.

Signer metadata (optional)

Key actions (JWK)

—

Key fingerprint: —

Hardware‑backed countersign (WebAuthn / Passkey)

Optional: countersign the receipt using a hardware‑backed key via WebAuthn (platform TPM/Secure Enclave or security key). The verifier remains fully offline (no uploads, no network calls). If your environment supports it, you can include attestation evidence (public‑safe; trust evaluation is your org’s responsibility). See hardware attestation spec.

WebAuthn options Embed attestation evidence in countersigned receipt (recommended)

Note: some browsers/authenticators will return no attestation even when requested.

Credential (local)

Hardware key status

—

Field	Value
Public key fingerprint	—
Authenticator attachment	—
Attestation fmt	—
AAGUID	—
Evidence sha256	—
Evidence checks	—

WebAuthn requires a secure context (HTTPS). This feature does not “prove identity” by itself; it produces cryptographic evidence that an authenticator signed the receipt payload digest.

Embed public key in countersignature (recommended) Enables offline verification without separate key files.

Ticket binding (optional, recommended) Bind countersignature to an internal ticket

Ticket fields are included inside the signed payload. The verifier remains fully offline.

Org approval keyring (optional)

Used for local threshold policy evaluation (e.g., 2-of-3). Sample • Spec

Enforce org approval policy (fail‑closed)

Org approval policy verdict

—

Policy: —
Matched: —
Ticket: —
Approval id: —
Bundle manifest hash: —

Approval statement (optional)

Countersigned receipt (optional, for verification)

Export attachment bundle Download air‑gapped kit —

Include ticket binding in QR payload (recommended) Speeds matching the attachment to JIRA/ServiceNow.

Field	Value
Base receipt sha256	—
Countersigned receipt id	—
Countersignatures	—

Countersignatures are reviewer-generated. Establishing signer identity is your org’s responsibility (e.g., device-provisioned keys / internal PKI).

Contents —

File	Expected	Computed	Status

Non‑guarantee: verifies integrity + signatures. Does not certify semantic correctness or universal safety.