Skip to main content

Verifier for the Provetrail standard (verifiable execution provenance): checks a sealed run record's signature and Merkle integrity.

Project description

provetrail

A verifier for Provetrail, an open standard for verifiable execution provenance.

Status: draft (0.1.x). This package verifies the integrity tier of a sealed run record: the COSE_Sign1 checkpoint signature and the RFC 9162 Merkle root over the carried events. The on-the-wire format is not frozen until v0.1.0, so do not yet rely on it as a production security control.

What Provetrail is

A portable, third-party-verifiable record of what an agent did, in what order, and under what governance, anchored to an append-only, tamper-evident event log.

Install

pip install provetrail

Use

from provetrail import verify_run, VerifyError

record = open("run.cbor", "rb").read()
public_key = bytes.fromhex("...")  # 32-byte Ed25519 public key

try:
    result = verify_run(record, public_key)
    print(f"verified, {len(result.events)} events")
except VerifyError as e:
    print(f"not verified: {e}")

Or from the command line:

python -m provetrail run.cbor <hex-public-key>
# or, once installed:
provetrail run.cbor <hex-public-key>

verify_run follows the carry-the-bytes rule: it rehashes the exact bytes the record carries and never re-serializes, so it agrees with any other conformant verifier (the Go reference verifier and the Rust crate) on the same record. It fails closed on a bad signature, a size mismatch, or events that do not rebuild the signed root.

Conformance

The verifier is checked against the published conformance vectors:

pip install provetrail[test]
pytest

The cryptographic vectors live in vectors/crypto. The reference verifier covering every tier (integrity, governance, ground truth) ships in the Go runtime at ionalpha/flynn.

License

Apache-2.0. The specification prose is CC-BY-4.0. Provetrail is a trademark of Ion Alpha.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

provetrail-0.1.0.tar.gz (4.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

provetrail-0.1.0-py3-none-any.whl (5.5 kB view details)

Uploaded Python 3

File details

Details for the file provetrail-0.1.0.tar.gz.

File metadata

  • Download URL: provetrail-0.1.0.tar.gz
  • Upload date:
  • Size: 4.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.11

File hashes

Hashes for provetrail-0.1.0.tar.gz
Algorithm Hash digest
SHA256 0d0b886533883c6ca758da6d517c13c4d94ea4d57409871006156bdf1bc8f390
MD5 20aebd1cf3b5ddbd9762b216a575d0ed
BLAKE2b-256 470506536fc761fafdb3029a0120a98089b8c06ac9d812570baaa43e8ee5a57c

See more details on using hashes here.

File details

Details for the file provetrail-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: provetrail-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 5.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.11

File hashes

Hashes for provetrail-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 4edc2f06f436e8ef7da56b50cc164c239d98f4bd63e5ccbe204cec68dfa117f9
MD5 5a83334276daeae94bf0363d82d37346
BLAKE2b-256 22eac7d0321fe0bc43048790200dd2ec26d101a23a8cfc5529993dde87b06e17

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page