Verification
Every kit is independently verifiable — online or offline.
What gets verified
- File integrity: SHA-256 hash of every file in the kit matches the manifest.
- Manifest completeness: Every file in the kit has a corresponding hash in the manifest. No extra files, no missing entries.
- Receipt signature: The receipt.json is signed with Ed25519. The public key is published at registry.attestlayer.com/v1/jwks/issuer.jwks.json.
- Receipt binds to manifest: The receipt references the manifest root hash, ensuring the entire kit is covered by the signature.
Online verification
Open verify.attestlayer.com → Verify by Upload (No server upload) → select your kit.zip. The verifier:
- Extracts the ZIP in-browser (no server upload)
- Recomputes all file hashes
- Compares against manifest
- Fetches the issuer JWKS and verifies the receipt signature
- Displays pass/fail with detailed breakdown
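The four checks listed under "What gets verified" can be sketched in Node.js as follows. This is an added example, not AttestLayer's verifier code: the manifest.json and receipt.json field names (files, kid, manifest_root, sig), the manifest root being the SHA-256 of the manifest.json bytes, and the exclusion of those two files from the manifest are assumptions, since the page does not document them. The sample kit is constructed and signed with a throwaway key.

```javascript
// Added example, not AttestLayer's code. Assumed layouts (not documented on the page):
//   manifest.json = { "files": { "<path>": "<sha256 hex>" } } covering every kit file
//                   except manifest.json and receipt.json
//   receipt.json  = { kid, manifest_root, sig }; manifest_root is the SHA-256 of the
//                   manifest.json bytes, sig a base64url Ed25519 signature over it
const { createHash, createPublicKey, generateKeyPairSync, sign, verify } = require('node:crypto');
const sha256 = (buf) => createHash('sha256').update(buf).digest('hex');
const UNLISTED = new Set(['manifest.json', 'receipt.json']);

// kit: Map<path, Buffer> of the extracted ZIP; jwks: { keys: [...] }. Returns failures.
function verifyKit(kit, jwks) {
  if (!kit.has('manifest.json') || !kit.has('receipt.json')) return ['manifest or receipt missing'];
  const errors = [];
  const manifestBytes = kit.get('manifest.json');
  const listed = new Map(Object.entries(JSON.parse(manifestBytes.toString('utf8')).files));
  const receipt = JSON.parse(kit.get('receipt.json').toString('utf8'));
  for (const [path, hash] of listed) { // file integrity
    if (!kit.has(path)) errors.push(`missing file: ${path}`);
    else if (sha256(kit.get(path)) !== hash) errors.push(`hash mismatch: ${path}`);
  }
  for (const path of kit.keys()) { // completeness: nothing outside the manifest
    if (!UNLISTED.has(path) && !listed.has(path)) errors.push(`unlisted file: ${path}`);
  }
  // binding: the signed root must be the hash of the manifest actually in the kit
  if (receipt.manifest_root !== sha256(manifestBytes)) errors.push('receipt does not bind to manifest');
  const jwk = jwks.keys.find((k) => k.kid === receipt.kid && k.kty === 'OKP' && k.crv === 'Ed25519');
  if (!jwk) return errors.concat('no Ed25519 issuer key for kid');
  const key = createPublicKey({ key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x }, format: 'jwk' });
  const signed = Buffer.from(String(receipt.manifest_root));
  const sigOk = verify(null, signed, key, Buffer.from(String(receipt.sig), 'base64url'));
  if (!sigOk) errors.push('bad receipt signature');
  return errors;
}

// Constructed sample kit, signed with a throwaway key standing in for the issuer.
function buildSampleKit() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const kit = new Map([['evidence/a.txt', Buffer.from('alpha')], ['evidence/b.txt', Buffer.from('beta')]]);
  const files = Object.fromEntries([...kit].map(([p, b]) => [p, sha256(b)]));
  const manifestBytes = Buffer.from(JSON.stringify({ files }));
  const manifest_root = sha256(manifestBytes);
  const sig = sign(null, Buffer.from(manifest_root), privateKey).toString('base64url');
  kit.set('manifest.json', manifestBytes);
  kit.set('receipt.json', Buffer.from(JSON.stringify({ kid: 'sample-1', manifest_root, sig })));
  return { kit, jwks: { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'sample-1' }] } };
}

const sample = buildSampleKit();
console.log(verifyKit(sample.kit, sample.jwks));
```

An empty list means every check passed. Each check covers a different failure: a file added to the kit and re-listed in manifest.json passes the hash and completeness checks but fails the receipt binding.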
Offline verification
Every kit.zip contains an offline verifier bundle. To verify without internet:
- Extract kit.zip
- Open verifier/index.html in any modern browser
- The verifier uses the bundled JWKS snapshot to check signatures
- All computation runs client-side — no network requests
Verification artifacts
| File | Purpose |
|---|---|
| manifest.json | SHA-256 hash index of all kit files |
| receipt.json | Ed25519-signed receipt binding to manifest root hash |
| jwks.json | Issuer public key for offline verification |
| verifier/ | Self-contained offline verifier (HTML + JS) |
| diff.json | File-level diff vs previous kit (when diff_scope_id is set) |
JWKS endpoint
Public keys for receipt verification are published at:
GET https://registry.attestlayer.com/v1/jwks/issuer.jwks.json
→ { "keys": [ { "kty": "OKP", "crv": "Ed25519", "x": "...", "kid": "..." } ] }