Verifier for the Provetrail standard (verifiable execution provenance): checks a sealed run record's signature and Merkle integrity.
Project description
provetrail
A verifier for Provetrail, an open standard for verifiable execution provenance.
Status: draft (
0.1.x). This package verifies the integrity tier of a sealed run record: the COSE_Sign1 checkpoint signature and the RFC 9162 Merkle root over the carried events. The on-the-wire format is not frozen until v0.1.0, so do not yet rely on it as a production security control.
What Provetrail is
A portable, third-party-verifiable record of what an agent did, in what order, and under what governance, anchored to an append-only, tamper-evident event log.
- Specification and conformance suite: https://github.com/ionalpha/provetrail
- Project home: https://provetrail.org
Install
pip install provetrail
Use
from provetrail import verify_run, VerifyError
record = open("run.cbor", "rb").read()
public_key = bytes.fromhex("...") # 32-byte Ed25519 public key
try:
result = verify_run(record, public_key)
print(f"verified, {len(result.events)} events")
except VerifyError as e:
print(f"not verified: {e}")
Or from the command line:
python -m provetrail run.cbor <hex-public-key>
# or, once installed:
provetrail run.cbor <hex-public-key>
verify_run follows the carry-the-bytes rule: it rehashes the exact bytes the record carries and never re-serializes, so it agrees with any other conformant verifier (the Go reference verifier and the Rust crate) on the same record. It fails closed on a bad signature, a size mismatch, or events that do not rebuild the signed root.
Conformance
The verifier is checked against the published conformance vectors:
pip install provetrail[test]
pytest
The cryptographic vectors live in vectors/crypto. The reference verifier covering every tier (integrity, governance, ground truth) ships in the Go runtime at ionalpha/flynn.
License
Apache-2.0. The specification prose is CC-BY-4.0. Provetrail is a trademark of Ion Alpha.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file provetrail-0.1.0.tar.gz.
File metadata
- Download URL: provetrail-0.1.0.tar.gz
- Upload date:
- Size: 4.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.11
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0d0b886533883c6ca758da6d517c13c4d94ea4d57409871006156bdf1bc8f390
|
|
| MD5 |
20aebd1cf3b5ddbd9762b216a575d0ed
|
|
| BLAKE2b-256 |
470506536fc761fafdb3029a0120a98089b8c06ac9d812570baaa43e8ee5a57c
|
File details
Details for the file provetrail-0.1.0-py3-none-any.whl.
File metadata
- Download URL: provetrail-0.1.0-py3-none-any.whl
- Upload date:
- Size: 5.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.11
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4edc2f06f436e8ef7da56b50cc164c239d98f4bd63e5ccbe204cec68dfa117f9
|
|
| MD5 |
5a83334276daeae94bf0363d82d37346
|
|
| BLAKE2b-256 |
22eac7d0321fe0bc43048790200dd2ec26d101a23a8cfc5529993dde87b06e17
|