Offline, independent verifier for QCOS quantum evidence reports.
Project description
softquantus-verify
Independently verify QCOS quantum evidence — offline, without trusting SoftQuantus.
Every QCOS Bench report is content-hashed, identity-bound, and signed. This tool recomputes those hashes from the published report and checks the signature, so a regulator, auditor, or hardware vendor can confirm a result is authentic and untampered without contacting SoftQuantus and without the proprietary engine.
That independence is the point: a trust claim you can only check by asking the issuer is not a trust claim. This verifier is open source (MIT); the engine that produces evidence stays proprietary.
Install
pip install softquantus-verify
Only dependency: cryptography.
CLI
# Verify hashes and signature
softquantus-verify report.json --public-key softquantus.pem
# Verify hashes only (no key)
softquantus-verify report.json
# Machine-readable output for CI
softquantus-verify report.json -k softquantus.pem --json
Exit code is 0 when valid, non-zero otherwise — safe to gate a pipeline on.
Library
import json
from softquantus_verify import verify_report
report = json.load(open("report.json"))
result = verify_report(report, public_key=open("softquantus.pem", "rb").read())
print(result.status) # "valid" | "invalid" | "unsigned" | "error"
print(result.content_hash_valid) # recomputed == published
print(result.evidence_hash_valid)
print(result.signature_valid) # True / False / None (no key)
What it checks
content_hash— recomputed from the technical content (results, metrics, versions).evidence_hash— recomputed from the identity-bound content (the value that is signed).- Signature — Ed25519 over the canonical payload
evidence_hash|schema_version|ruleset_family.
The exact rules are documented in ../SPEC.md and are pinned to the
server by fixtures generated from the production code (../fixtures).
License
MIT — see LICENSE.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file softquantus_verify-0.1.0.tar.gz.
File metadata
- Download URL: softquantus_verify-0.1.0.tar.gz
- Upload date:
- Size: 7.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8de312e4ecfb6bf12ae8c4cbaa0828dac13dc9160ec31a75719f99d3848623f8
|
|
| MD5 |
4e7c99080fa3cf0a4a89c1d32b84336f
|
|
| BLAKE2b-256 |
103b5afdaaebc5b23f2fcdcfba29dbdec832ab608fd128c09d5d358eb3e2446d
|
File details
Details for the file softquantus_verify-0.1.0-py3-none-any.whl.
File metadata
- Download URL: softquantus_verify-0.1.0-py3-none-any.whl
- Upload date:
- Size: 9.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
39590ca1b404f5ca03fa5c1638060605d69f42d6b7ee308b6cd8b14a031d5f07
|
|
| MD5 |
3de28a6401660ed8eadc231d9e99b2fd
|
|
| BLAKE2b-256 |
6d2affbeb3b02bd0607801e443501d57ff1c971c773e65b7a5991fc7360bc938
|