Independent, zero-dependency verifier for Holistic Quality / NOMOS signed manifests.
Project description
holisticquality-verify-manifest
Independent, zero-dependency verifier for Holistic Quality / NOMOS signed manifests — corpus manifests and published research artifacts (e.g. the PM & Alzheimer's evidence synthesis).
It lets anyone confirm, on their own machine and without trusting Holistic Quality's infrastructure, that a published artifact is exactly what was signed, by the named parties, unmodified. This operationalizes Regulator Bill of Rights, Article IX (Falsifiability).
Install
pip install holisticquality-verify-manifest
Requires Python ≥ 3.9 and the system gpg binary (GnuPG). No Python dependencies; no network access.
Use
verify-manifest \
--manifest path/to/manifest.json \
--bundle path/to/signatures/v0.sig.json
First import the signers' public keys into your GPG keyring (the manifest publisher provides them), then run the command above.
Exit codes
| Code | Meaning |
|---|---|
| 0 | PASS — canonical hash matches, every signature verified, two-person rule satisfied |
| 1 | FAIL — general (hash mismatch, multiple causes, or two-person rule violation) |
| 2 | FAIL — manifest or signature-bundle file not found |
| 3 | FAIL — signature verification failed and was the sole cause |
Useful flags: --verbose (per-signature detail), --json (machine-readable result), --gpg-homedir (use an isolated keyring).
What it checks
- Canonical-hash recompute — re-derives the SHA-256 of the manifest's canonical-JSON form (signatures excluded) and compares it to the hash inside the signature bundle. Detects any post-signing tampering.
- GPG signature verification — each detached, ASCII-armored signature in the bundle is verified against the canonical-hash bytes.
- Two-person rule — at least two distinct verified GPG fingerprints (disable with --no-two-person for diagnostics only).
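To make the three checks and the exit-code mapping concrete, the following is an added illustrative Python sketch; it is not the package's own code. It assumes a canonical form of sorted-key compact JSON, bundle field names canonical_sha256 / signatures / armored, that the signed bytes are the hex digest, and it replaces gpg with a constructed lookup table (fake_gpg) so it runs offline.

```python
import hashlib
import json
from typing import Callable, Optional

# ASSUMPTION: canonical JSON = sorted keys, compact separators, UTF-8.
# The bundle field names (canonical_sha256, signatures, armored) are also
# assumed for this example; they are not taken from the real package.
SigCheck = Callable[[str, bytes], Optional[str]]  # (armored sig, signed bytes) -> fingerprint or None


def canonical_hash(manifest: dict) -> str:
    """SHA-256 of the manifest's canonical JSON with the signatures key removed."""
    body = {k: v for k, v in manifest.items() if k != "signatures"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def verify(manifest: dict, bundle: dict, check_sig: SigCheck, two_person: bool = True) -> int:
    """Map the checks to the README's exit codes: 0 PASS, 1 general FAIL, 3 signature-only FAIL."""
    causes = set()
    digest = canonical_hash(manifest)
    if digest != bundle.get("canonical_sha256"):
        causes.add("hash")            # post-signing tampering, or the wrong bundle
    fingerprints = set()
    for sig in bundle.get("signatures", []):
        fpr = check_sig(sig["armored"], digest.encode("ascii"))  # signed bytes = hex digest (assumed)
        if fpr is None:
            causes.add("signature")
        else:
            fingerprints.add(fpr)     # two-person rule counts distinct keys, not signatures
    if two_person and len(fingerprints) < 2:
        causes.add("two-person")
    if not causes:
        return 0
    return 3 if causes == {"signature"} else 1


def fake_gpg(armored: str, signed: bytes) -> Optional[str]:
    """Stand-in for `gpg --verify`: constructed table mapping signature -> key fingerprint."""
    table = {"SIG-ALICE": "FPR-ALICE", "SIG-ALICE-2": "FPR-ALICE", "SIG-BOB": "FPR-BOB"}
    return table.get(armored)


# Constructed sample manifest and bundle (not real NOMOS data).
MANIFEST = {"corpus": "demo", "files": [{"path": "a.txt", "sha256": "00" * 32}], "signatures": ["ignored"]}
BUNDLE = {"canonical_sha256": canonical_hash(MANIFEST),
          "signatures": [{"armored": "SIG-ALICE"}, {"armored": "SIG-BOB"}]}


def demo() -> dict:
    tampered = dict(MANIFEST, corpus="demo-edited")                      # hash mismatch -> 1
    same_key = dict(BUNDLE, signatures=[{"armored": "SIG-ALICE"}, {"armored": "SIG-ALICE-2"}])  # one key -> 1
    one_bad = dict(BUNDLE, signatures=BUNDLE["signatures"] + [{"armored": "SIG-BOGUS"}])        # sole cause -> 3
    return {"pass": verify(MANIFEST, BUNDLE, fake_gpg), "tampered": verify(tampered, BUNDLE, fake_gpg),
            "same_key": verify(MANIFEST, same_key, fake_gpg), "one_bad": verify(MANIFEST, one_bad, fake_gpg)}
```

Note that the same key signing twice still fails the two-person rule, and a bad extra signature alongside two good ones yields exit code 3 because signature failure is the only cause.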
Trust & provenance
This package is vendor-minimal: it contains only the verification path, so the whole thing is auditable in minutes. Its modules are faithful, behavior-preserving copies of the in-repository verifier; a golden-fixture test (tests/test_golden.py) enforces that a manifest signed by the canonical NOMOS signer verifies here — behavioral identity, checked, not asserted.
How-to with a worked example: https://holisticquality.io/regulator-verify-manifest
License
Apache-2.0 © Holistic Quality LLC
Download files
File details
Details for the file holisticquality_verify_manifest-0.1.0.tar.gz.
File metadata
- Download URL: holisticquality_verify_manifest-0.1.0.tar.gz
- Upload date:
- Size: 16.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ebbaf75d01d4096423c502c5b4c60627a2755527be145ed3937879f21dcd7fa9 |
| MD5 | 9e1c6b18b46f5e7d4280bb09c6f7c39e |
| BLAKE2b-256 | 813874922534237cd31557160f02433645d47c94af92af7ec070320fda76ebd8 |
File details
Details for the file holisticquality_verify_manifest-0.1.0-py3-none-any.whl.
File metadata
- Download URL: holisticquality_verify_manifest-0.1.0-py3-none-any.whl
- Upload date:
- Size: 17.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 8ac333a909aa2c765ef548521fa6e2cc812e29ac457cca0593e4d4412ed415f1 |
| MD5 | 8dd9283bdc7d25ca704f526521c4afb1 |
| BLAKE2b-256 | ee7b95fd49ec5895f27a5bd882e70e74309ba3052e863cc5b8104b56a5ba2dc0 |