Skip to main content

Aevum — standalone sigchain verifier.

Project description

aevum-verify

Standalone sigchain verifier for Aevum. aevum-verify shares no code with aevum-core — every cryptographic primitive (the signing-digest construction, payload hashing, chain hashing, RFC 6962 Merkle inclusion and consistency proofs, tree-head signatures, and TSA certificate-chain validation) is reimplemented directly from the public spec, docs/spec/aevum-signing-v1.md, not derived from or imported from the chain producer's runtime.

This means signature verification no longer trusts the operator's runtime: any third party — an auditor, a regulator, opposing counsel — can confirm that an exported chain is internally consistent and matches its claimed signatures using an implementation that imports nothing from the system that produced the chain. aevum-verify is tamper-evident, not tamper-proof — it detects whether an exported chain has been altered after the fact; it makes no claim about events that were never recorded or about the integrity of the system that generated the chain in the first place.

Independence

  • Zero runtime dependency on aevum-coreaevum-verify's own package metadata does not declare it, and aevum-verify's wheel does not pull it in.
  • Zero imports of any aevum.core.* module from _core.py or _format.py, enforced by an AST-level test (test_merkle_sth.py::TestMerkleIndependence) that fails the build if either file ever imports from the producer again.
  • The only inputs trusted are the pinned public key bytes the caller supplies out-of-band, and the chain file itself.

Tests are the one place this package still touches aevum-core: fixtures use the real Sigchain/DualSigner to produce genuinely signed chains so the independent reimplementation can be checked against real signatures, not just its own assumptions. None of that is reachable from aevum-verify's verification logic or its packaged dependencies.

Install

pip install aevum-verify
# With post-quantum (ML-DSA-65) support:
pip install "aevum-verify[pqc]"

CLI usage

aevum-verify CHAIN_FILE --ed25519-pub HEX [--mldsa65-pub HEX]
  • CHAIN_FILE — path to a JSON file containing a list of serialised chain entries.
  • --ed25519-pub — pinned Ed25519 public key as 64-char hex, or @/path/to/file for a raw 32-byte binary key.
  • --mldsa65-pub — pinned ML-DSA-65 public key as hex or @filepath; required for hybrid (ed25519+ml-dsa-65) chains.

Exit codes

Code Meaning
0 VERIFIED — all entries intact
1 FAILED — chain tampered, signature invalid, or trust-anchor mismatch
2 Usage error (bad arguments or unreadable file)

Example

aevum-verify chain.json --ed25519-pub "$(cat pubkey.hex)"

Key file format matters. If your public key is stored as a .hex file (ASCII hex text, e.g. 1cb499...), pass it with --ed25519-pub "$(cat file.hex)". The @/path/to/file form reads the file as raw 32-byte binary, not hex text — using @ against a .hex text file will not parse as a valid Ed25519 key.

Python API

from aevum.verify import load_chain, verify_chain

entries = load_chain("chain.json")
result = verify_chain(entries, ed25519_pub=bytes.fromhex(pubkey_hex))
assert result.ok, result.reason

Trust model

The verifier trusts only the public key bytes supplied out-of-band by the caller — never anything embedded in the chain file itself. For hybrid entries, both the pinned Ed25519 key and the pinned ML-DSA-65 key must be supplied; absence of either signature or key for a hybrid entry fails closed. A chain mixing key schemes (e.g. some entries classical, some hybrid) is rejected outright as a downgrade/splice fingerprint.

Malformed or hostile input — corrupt JSON, truncated files, missing fields, wrong-length keys, garbage-hex embedded fields, oversized hex values or entry counts — fails closed (a reported FAILED result, a non-zero exit code, or a usage error) rather than raising an unhandled exception or silently accepting bad data.

License

Apache-2.0

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aevum_verify-0.9.0.tar.gz (24.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

aevum_verify-0.9.0-py3-none-any.whl (15.6 kB view details)

Uploaded Python 3

File details

Details for the file aevum_verify-0.9.0.tar.gz.

File metadata

  • Download URL: aevum_verify-0.9.0.tar.gz
  • Upload date:
  • Size: 24.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for aevum_verify-0.9.0.tar.gz
Algorithm Hash digest
SHA256 5a1a4e268793d779f750335c9c35f600fedf002e6a1c2ee05ad3f2fbed53ef5a
MD5 2504faac5acc8aaa249e969df1c04b58
BLAKE2b-256 75c25107f855085f470740e176cb82a78d8f94f559b446a187a4aea1cbf02005

See more details on using hashes here.

Provenance

The following attestation bundles were made for aevum_verify-0.9.0.tar.gz:

Publisher: release.yml on aevum-labs/aevum

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file aevum_verify-0.9.0-py3-none-any.whl.

File metadata

  • Download URL: aevum_verify-0.9.0-py3-none-any.whl
  • Upload date:
  • Size: 15.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for aevum_verify-0.9.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2b5a4644c635abca3d1b7d18343f7431171e63ca3ba1414d79d09dec8c59a8e2
MD5 8fb7e13fe33bbf88686ae461742e7b6b
BLAKE2b-256 9c3a784da1d4acc81c448ecd95d436f0d2706a86d8381cfb261dd581c6732d3c

See more details on using hashes here.

Provenance

The following attestation bundles were made for aevum_verify-0.9.0-py3-none-any.whl:

Publisher: release.yml on aevum-labs/aevum

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page