Skip to main content

Verify QRS reproducibility seals offline.

Project description

qrs-replay

Verify QRS reproducibility seals offline.

Install

pip install qrs-replay          # pre-release versions: pip install --pre qrs-replay

Publication to PyPI is a gated release step. If the package is not yet visible on PyPI, install from a source checkout of this package directory instead: pip install -e .

Use

# Crypto-only verification (~milliseconds; no Docker needed):
qrs-replay verify --run-id <ID> --api-token "$QRS_API_TOKEN"

# Verify a pre-downloaded seal OFFLINE (no QRS account, no token):
qrs-replay verify --seal ./seal.json

# Fully AIR-GAPPED (no network at all) — also pass the published public key:
qrs-replay verify --seal ./seal.json --public-key ./qrs-seal-key-v1.pem

# Also re-hash the original input files against the sealed input-lineage
# manifest (a file is matched by its metadata.filename or source_id):
qrs-replay verify --seal ./seal.json --inputs-dir ./inputs/

# Full bit-identical replay (Docker required; ~minutes) — install the
# 'full-replay' extra (pip install "qrs-replay[full-replay]"), then:
qrs-replay verify --run-id <ID> --api-token "$QRS_API_TOKEN" \
    --full-replay --portfolio /path/to/portfolio.json

# Verify a release-bundle meta-seal, fetching its constituent per-run
# seals from the API (needs a token):
qrs-replay verify-meta-seal --meta-seal ./engine-v1.0.0.json \
    --api-token "$QRS_API_TOKEN"

# Verify a meta-seal FULLY AIR-GAPPED — read the constituents from a
# directory of exported per-run seals (one <run_id>.json each) and pass
# the published key, so no network call is made:
qrs-replay verify-meta-seal --meta-seal ./engine-v1.0.0.json \
    --seals-dir ./seals/ --public-key ./qrs-seal-key-v1.pem

# Verify transparency-log proofs OFFLINE — "Certificate Transparency for Risk".
# Inclusion: prove a run's seal digest is committed to the public log
# (save it from GET /trust/log/proof/<run_id>):
qrs-replay logverify --inclusion ./proof.json

# Bind the inclusion proof to a real seal envelope — proves the proof is for
# THAT seal (recomputes the seal's canonical digest, fully offline):
qrs-replay logverify --inclusion ./proof.json --seal ./seal.json

# Consistency: prove the log is append-only between two checkpoints
# (save it from GET /trust/log/consistency?first=M&second=N):
qrs-replay logverify --consistency ./consistency.json

Phase 1 transparency-log checkpoints are UNSIGNED (pre-KMS). logverify succeeds with signed=false: a verified proof shows the log's append-only structure relative to the checkpoint(s) it cites — it does not prove authoritative non-equivocation (the root is QRS-asserted until Phase 2 signs the tree head and Phase 3 anchors it externally) and does not attest any number is accurate.

Constituent-run verification of a meta-seal otherwise requires QRS API access (GET /runs/{id}/seal per certified run). --seals-dir removes that dependency by reading exported per-run seal envelopes from a local directory; add --public-key to also skip the signing-key fetch for a fully offline run.

Save a seal for offline use from the run-detail page or GET /runs/{id}/seal. The published signing key is served at https://api.qrsrisk.com/trust/seal-key/v1.pem (canonical); seal payloads advertise the https://trust.qrsrisk.com/seal-key-v1.pem alias, which serves the same key once the trust host is live.

What this verifies

Normative specification (third-party-implementable): https://github.com/jordanmarkwith/qrs-seal-verification. It is also rendered in the QRS Trust Center, alongside the friendly quickstart: https://app.qrsrisk.com/trust/seal-verification.

Exit codes

Code Meaning
0 OK / SEAL_VERIFIED
10 SEAL_NOT_FOUND
11 INVALID_SIGNATURE
12 LINEAGE_HEAD_MISMATCH
13 WHEEL_LOCK_MISMATCH (full-replay only)
14 PORTFOLIO_HASH_MISMATCH (full-replay only)
15 OUTPUT_HASH_MISMATCH (full-replay only)
16 META_SEAL_ROLLUP_MISMATCH (verify-meta-seal only)
17 INPUT_LINEAGE_MALFORMED
18 INPUT_HASH_MISMATCH (with --inputs-dir)
20 KMS_PUBLIC_KEY_UNREACHABLE
30 DOCKER_PULL_FAILED (full-replay only)
40 LOG_PROOF_MALFORMED (logverify)
41 LOG_INCLUSION_MISMATCH (logverify)
42 LOG_CONSISTENCY_MISMATCH (logverify)
43 LOG_DIGEST_MISMATCH (logverify --seal)

License

MIT.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

qrs_replay-1.0.0rc1.tar.gz (21.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

qrs_replay-1.0.0rc1-py3-none-any.whl (23.8 kB view details)

Uploaded Python 3

File details

Details for the file qrs_replay-1.0.0rc1.tar.gz.

File metadata

  • Download URL: qrs_replay-1.0.0rc1.tar.gz
  • Upload date:
  • Size: 21.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for qrs_replay-1.0.0rc1.tar.gz
Algorithm Hash digest
SHA256 73b040e5fbec592f7687448db64b587f2a663c7bf5612d8c871afd239e71fe43
MD5 c80d251b9bd97211745ebf209343bfed
BLAKE2b-256 108e0437be6bc45a0718e4f98ffad7b9909f055eb201dd629492b50c7846d489

See more details on using hashes here.

Provenance

The following attestation bundles were made for qrs_replay-1.0.0rc1.tar.gz:

Publisher: build-qrs-replay.yml on jordanmarkwith/qrs-platform

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file qrs_replay-1.0.0rc1-py3-none-any.whl.

File metadata

  • Download URL: qrs_replay-1.0.0rc1-py3-none-any.whl
  • Upload date:
  • Size: 23.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for qrs_replay-1.0.0rc1-py3-none-any.whl
Algorithm Hash digest
SHA256 40aa5847b7c04b5720434cc81deac9bd6b5fe0d717b3124e5c53406e90ad0e4d
MD5 1d2230c2092622f7884c5f2498384028
BLAKE2b-256 05db2a87057dc8515295c3f14486595e6ed4e368418ba9ffc69f6d8f346e1d48

See more details on using hashes here.

Provenance

The following attestation bundles were made for qrs_replay-1.0.0rc1-py3-none-any.whl:

Publisher: build-qrs-replay.yml on jordanmarkwith/qrs-platform

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page