Verify QRS reproducibility seals offline.
Project description
qrs-replay
Verify QRS reproducibility seals offline.
Install
pip install qrs-replay # pre-release versions: pip install --pre qrs-replay
Publication to PyPI is a gated release step. If the package is not yet visible on PyPI, install from a source checkout of this package directory instead:
pip install -e .
Use
# Crypto-only verification (~milliseconds; no Docker needed):
qrs-replay verify --run-id <ID> --api-token "$QRS_API_TOKEN"
# Verify a pre-downloaded seal OFFLINE (no QRS account, no token):
qrs-replay verify --seal ./seal.json
# Fully AIR-GAPPED (no network at all) — also pass the published public key:
qrs-replay verify --seal ./seal.json --public-key ./qrs-seal-key-v1.pem
# Also re-hash the original input files against the sealed input-lineage
# manifest (a file is matched by its metadata.filename or source_id):
qrs-replay verify --seal ./seal.json --inputs-dir ./inputs/
# Full bit-identical replay (Docker required; ~minutes) — install the
# 'full-replay' extra (pip install "qrs-replay[full-replay]"), then:
qrs-replay verify --run-id <ID> --api-token "$QRS_API_TOKEN" \
--full-replay --portfolio /path/to/portfolio.json
# Verify a release-bundle meta-seal, fetching its constituent per-run
# seals from the API (needs a token):
qrs-replay verify-meta-seal --meta-seal ./engine-v1.0.0.json \
--api-token "$QRS_API_TOKEN"
# Verify a meta-seal FULLY AIR-GAPPED — read the constituents from a
# directory of exported per-run seals (one <run_id>.json each) and pass
# the published key, so no network call is made:
qrs-replay verify-meta-seal --meta-seal ./engine-v1.0.0.json \
--seals-dir ./seals/ --public-key ./qrs-seal-key-v1.pem
# Verify transparency-log proofs OFFLINE — "Certificate Transparency for Risk".
# Inclusion: prove a run's seal digest is committed to the public log
# (save it from GET /trust/log/proof/<run_id>):
qrs-replay logverify --inclusion ./proof.json
# Bind the inclusion proof to a real seal envelope — proves the proof is for
# THAT seal (recomputes the seal's canonical digest, fully offline):
qrs-replay logverify --inclusion ./proof.json --seal ./seal.json
# Consistency: prove the log is append-only between two checkpoints
# (save it from GET /trust/log/consistency?first=M&second=N):
qrs-replay logverify --consistency ./consistency.json
Phase 1 transparency-log checkpoints are UNSIGNED (pre-KMS).
logverifysucceeds withsigned=false: a verified proof shows the log's append-only structure relative to the checkpoint(s) it cites — it does not prove authoritative non-equivocation (the root is QRS-asserted until Phase 2 signs the tree head and Phase 3 anchors it externally) and does not attest any number is accurate.
Constituent-run verification of a meta-seal otherwise requires QRS API access (
GET /runs/{id}/sealper certified run).--seals-dirremoves that dependency by reading exported per-run seal envelopes from a local directory; add--public-keyto also skip the signing-key fetch for a fully offline run.
Save a seal for offline use from the run-detail page or GET /runs/{id}/seal.
The published signing key is served at
https://api.qrsrisk.com/trust/seal-key/v1.pem (canonical); seal payloads
advertise the https://trust.qrsrisk.com/seal-key-v1.pem alias, which serves
the same key once the trust host is live.
What this verifies
Normative specification (third-party-implementable): https://github.com/jordanmarkwith/qrs-seal-verification. It is also rendered in the QRS Trust Center, alongside the friendly quickstart: https://app.qrsrisk.com/trust/seal-verification.
Exit codes
| Code | Meaning |
|---|---|
| 0 | OK / SEAL_VERIFIED |
| 10 | SEAL_NOT_FOUND |
| 11 | INVALID_SIGNATURE |
| 12 | LINEAGE_HEAD_MISMATCH |
| 13 | WHEEL_LOCK_MISMATCH (full-replay only) |
| 14 | PORTFOLIO_HASH_MISMATCH (full-replay only) |
| 15 | OUTPUT_HASH_MISMATCH (full-replay only) |
| 16 | META_SEAL_ROLLUP_MISMATCH (verify-meta-seal only) |
| 17 | INPUT_LINEAGE_MALFORMED |
| 18 | INPUT_HASH_MISMATCH (with --inputs-dir) |
| 20 | KMS_PUBLIC_KEY_UNREACHABLE |
| 30 | DOCKER_PULL_FAILED (full-replay only) |
| 40 | LOG_PROOF_MALFORMED (logverify) |
| 41 | LOG_INCLUSION_MISMATCH (logverify) |
| 42 | LOG_CONSISTENCY_MISMATCH (logverify) |
| 43 | LOG_DIGEST_MISMATCH (logverify --seal) |
License
MIT.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file qrs_replay-1.0.0rc1.tar.gz.
File metadata
- Download URL: qrs_replay-1.0.0rc1.tar.gz
- Upload date:
- Size: 21.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
73b040e5fbec592f7687448db64b587f2a663c7bf5612d8c871afd239e71fe43
|
|
| MD5 |
c80d251b9bd97211745ebf209343bfed
|
|
| BLAKE2b-256 |
108e0437be6bc45a0718e4f98ffad7b9909f055eb201dd629492b50c7846d489
|
Provenance
The following attestation bundles were made for qrs_replay-1.0.0rc1.tar.gz:
Publisher:
build-qrs-replay.yml on jordanmarkwith/qrs-platform
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
qrs_replay-1.0.0rc1.tar.gz -
Subject digest:
73b040e5fbec592f7687448db64b587f2a663c7bf5612d8c871afd239e71fe43 - Sigstore transparency entry: 2063072199
- Sigstore integration time:
-
Permalink:
jordanmarkwith/qrs-platform@6827b658617da6294410fc4914c822b3f49e0362 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/jordanmarkwith
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
build-qrs-replay.yml@6827b658617da6294410fc4914c822b3f49e0362 -
Trigger Event:
workflow_dispatch
-
Statement type:
File details
Details for the file qrs_replay-1.0.0rc1-py3-none-any.whl.
File metadata
- Download URL: qrs_replay-1.0.0rc1-py3-none-any.whl
- Upload date:
- Size: 23.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
40aa5847b7c04b5720434cc81deac9bd6b5fe0d717b3124e5c53406e90ad0e4d
|
|
| MD5 |
1d2230c2092622f7884c5f2498384028
|
|
| BLAKE2b-256 |
05db2a87057dc8515295c3f14486595e6ed4e368418ba9ffc69f6d8f346e1d48
|
Provenance
The following attestation bundles were made for qrs_replay-1.0.0rc1-py3-none-any.whl:
Publisher:
build-qrs-replay.yml on jordanmarkwith/qrs-platform
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
qrs_replay-1.0.0rc1-py3-none-any.whl -
Subject digest:
40aa5847b7c04b5720434cc81deac9bd6b5fe0d717b3124e5c53406e90ad0e4d - Sigstore transparency entry: 2063072244
- Sigstore integration time:
-
Permalink:
jordanmarkwith/qrs-platform@6827b658617da6294410fc4914c822b3f49e0362 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/jordanmarkwith
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
build-qrs-replay.yml@6827b658617da6294410fc4914c822b3f49e0362 -
Trigger Event:
workflow_dispatch
-
Statement type: