Independent verifier for Keel governance evidence
Project description
keel-verifier
Independent verifier for Keel governance evidence.
It runs locally, requires no access to Keel's internal systems, and makes no outbound network calls unless you explicitly ask it to fetch a public key or key manifest URL.
What this verifier proves — and the boundary
The verifier proves exported evidence has not been altered after signing. Like any signing system, the trust boundary includes the signer at signing-time. Hardware-backed attestation tiers are on the roadmap for customers requiring insider-threat-resistant evidence generation.
In practical terms:
- Post-signing tampering of any element in the permit lifecycle (input, dispatch, provider response, client response, closure record) is detected — see the Tampering Detection Matrix in the online documentation.
- Pre-signing manipulation by a privileged Keel operator at the moment evidence is created is NOT detected by this verifier. Defending against that threat model requires hardware-backed signing (TEE/HSM), a separate capability tier above what this verifier covers.
Quick Start
python -m pip install keel-verifier
keel-verify export --help
From a checkout:
python -m pip install -e .
python -m keel_verifier --help
The v0.2.0 invocation pattern still works:
python -m keel_verifier sample/export.json --self-attested
What It Verifies
keel-verify export verifies a signed compliance export in three layers:
- The export bytes match the signed manifest
content_hash. - The manifest Ed25519 signature verifies against a trusted key.
- Optional Phase C/D checks walk bundled chain entries and verify closure records.
keel-verify checkpoint verifies integrity checkpoint JSON artifacts: the chain_heads composite hash, the Ed25519 checkpoint signature, and an embedded RFC 3161 timestamp MessageImprint when present.
Obtaining a Signed Export
Request an audit export from Keel's compliance export API and include chain entries when you want full lifecycle walking:
curl -sS -X POST "https://api.keelapi.com/v1/compliance/exports?include_chain_entries=true" -H "Authorization: Bearer $KEEL_API_KEY" -H "Content-Type: application/json" -d '{"project_id":"<project_uuid>","format":"json"}'
Download both artifacts returned by the export workflow:
- the export payload, for example
export.json - the signed manifest, for example
manifest.json
Then run:
keel-verify export export.json manifest.json --walk-events --verify-closure
The flag form used by the internal verifier is also supported:
keel-verify export --export-file export.json --manifest manifest.json --walk-events --verify-closure
Chain Walking
--walk-events parses audit_export_bundle files with schema_version=2 and include_chain_entries=true.
It groups entries by chain_scope, sorts by sequence_number, recomputes every record_hash, verifies prev_hash continuity inside the export window, and fails closed on unknown chain_format_version values.
Schema version 1 exports remain backward compatible. They can still be verified at the export-signature layer, but they do not contain chain entries to walk.
Closure Verification
--verify-closure verifies permit.closed entries.
For closure_v1, it verifies the closure Ed25519 signature and cross-references provider/client response digests against the bundled lifecycle events.
For closure_v2, it also verifies dispatch_request_digest_v1 against the permit's binding_request_hash, proving that the dispatch-time request body is the one covered by the closure record.
Closure verification uses public keys with purpose permit_binding_signing. Pass a manifest explicitly when needed:
keel-verify export export.json manifest.json --key-manifest permit-binding-keys.json --walk-events --verify-closure
The bundled trust root lives at keel_verifier/data/trust_root.json. It includes the production export and checkpoint signing keys currently served by https://api.keelapi.com/v1/compliance/keys, plus the production permit-binding key served by https://api.keelapi.com/v1/integrity/permit-binding-public-keys.
Tampering Matrix
The verifier emits stable WALK_* failure codes, including:
WALK_RECORD_HASH_MISMATCHWALK_PREV_HASH_DISCONTINUITYWALK_SEQUENCE_INVERSIONWALK_UNKNOWN_CHAIN_FORMATWALK_CLOSURE_SIGNATURE_INVALIDWALK_CLOSURE_DIGEST_MISMATCHWALK_CLOSURE_DIGEST_MISSINGWALK_CLOSURE_DISPATCH_DIGEST_MISMATCHWALK_UNKNOWN_CLOSURE_FORMAT
The authoritative matrix is maintained in the Keel docs: https://docs.keelapi.com/12-tampering-detection-matrix
Trust Model
There are two useful kinds of verification:
- Self-attested: the file agrees with itself. This proves internal consistency only.
- Trust-root verified: the artifact verifies against a key you trust, such as the bundled production trust root, a pinned public key, or a manifest fetched and saved out-of-band.
Trust sources, strongest first:
| Mode | Flags | Notes |
|---|---|---|
| Pinned key | --expected-public-key ed25519:... or --public-key ed25519:... |
Strongest when obtained out-of-band. |
| Key manifest | --key-manifest keys.json |
Supports key rotation and active windows. |
| Key manifest URL | --key-manifest-url URL |
Explicit network fetch. |
| Bundled trust root | none | Default. No phone-home. |
| Self-attested | --self-attested |
Development/sample mode only. |
--public-key-url is also supported for checkpoint verification against the single live checkpoint public-key endpoint.
CLI Examples
keel-verify export export.json manifest.json
keel-verify export export.json manifest.json --walk-events
keel-verify export export.json manifest.json --walk-events --verify-closure
keel-verify checkpoint checkpoint.json
python -m keel_verifier sample/export.json --self-attested
python -m keel_verifier sample/export.json --json --self-attested
Exit code 0 means verified. Exit code 1 means verification failed. Exit code 2 means bad usage.
Network Behavior
The verifier does not phone home. It reaches the network only when you pass --public-key-url or --key-manifest-url.
There is no telemetry.
Library Use
from keel_verifier import verify, verify_export_walk_events, verify_closure_record
result = verify("sample/export.json", self_attested=True)
if not result.ok:
raise SystemExit(result.error)
Versioning
v1.0.0 syncs the public verifier with the Phase A/B/C/D internal verifier. v0.2.0 users can keep using python -m keel_verifier <artifact>.
License
MIT. See LICENSE.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file keel_verifier-1.0.2.tar.gz.
File metadata
- Download URL: keel_verifier-1.0.2.tar.gz
- Upload date:
- Size: 29.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
19a256c80af9631f392b803437f987eb1fd782da8eba0138a7cf31a8c6b14cbf
|
|
| MD5 |
ceab4c09e2fff04182bac6a4622ded08
|
|
| BLAKE2b-256 |
02d4a040543ec3dd4185e11058a01f29261d465a491bdc052cbb7a3858d223f8
|
File details
Details for the file keel_verifier-1.0.2-py3-none-any.whl.
File metadata
- Download URL: keel_verifier-1.0.2-py3-none-any.whl
- Upload date:
- Size: 25.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4a1bf62b7522aac85bb0b7a3fdaca384629962c43a565f0a76fae4a5bcf4398a
|
|
| MD5 |
adfa953cbb9f0ba208d67fe69508c24c
|
|
| BLAKE2b-256 |
8e2736e945c3f6dc343fb8a4d593b1ab49bba8f7a6223904b4b54e14cd4487d6
|
