Skip to main content

Offline, independent verifier for QCOS quantum evidence reports.

Project description

softquantus-verify

Independently verify QCOS quantum evidence — offline, without trusting SoftQuantus.

Every QCOS Bench report is content-hashed, identity-bound, and signed. This tool recomputes those hashes from the published report and checks the signature, so a regulator, auditor, or hardware vendor can confirm a result is authentic and untampered without contacting SoftQuantus and without the proprietary engine.

That independence is the point: a trust claim you can only check by asking the issuer is not a trust claim. This verifier is open source (MIT); the engine that produces evidence stays proprietary.

Install

pip install softquantus-verify

Only dependency: cryptography.

CLI

# Verify hashes and signature
softquantus-verify report.json --public-key softquantus.pem

# Verify hashes only (no key)
softquantus-verify report.json

# Machine-readable output for CI
softquantus-verify report.json -k softquantus.pem --json

Exit code is 0 when valid, non-zero otherwise — safe to gate a pipeline on.

Library

import json
from softquantus_verify import verify_report

report = json.load(open("report.json"))
result = verify_report(report, public_key=open("softquantus.pem", "rb").read())

print(result.status)              # "valid" | "invalid" | "unsigned" | "error"
print(result.content_hash_valid)  # recomputed == published
print(result.evidence_hash_valid)
print(result.signature_valid)     # True / False / None (no key)

What it checks

  1. content_hash — recomputed from the technical content (results, metrics, versions).
  2. evidence_hash — recomputed from the identity-bound content (the value that is signed).
  3. Signature — Ed25519 over the canonical payload evidence_hash|schema_version|ruleset_family.

The exact rules are documented in ../SPEC.md and are pinned to the server by fixtures generated from the production code (../fixtures).

License

MIT — see LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

softquantus_verify-0.1.0.tar.gz (7.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

softquantus_verify-0.1.0-py3-none-any.whl (9.1 kB view details)

Uploaded Python 3

File details

Details for the file softquantus_verify-0.1.0.tar.gz.

File metadata

  • Download URL: softquantus_verify-0.1.0.tar.gz
  • Upload date:
  • Size: 7.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.7

File hashes

Hashes for softquantus_verify-0.1.0.tar.gz
Algorithm Hash digest
SHA256 8de312e4ecfb6bf12ae8c4cbaa0828dac13dc9160ec31a75719f99d3848623f8
MD5 4e7c99080fa3cf0a4a89c1d32b84336f
BLAKE2b-256 103b5afdaaebc5b23f2fcdcfba29dbdec832ab608fd128c09d5d358eb3e2446d

See more details on using hashes here.

File details

Details for the file softquantus_verify-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for softquantus_verify-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 39590ca1b404f5ca03fa5c1638060605d69f42d6b7ee308b6cd8b14a031d5f07
MD5 3de28a6401660ed8eadc231d9e99b2fd
BLAKE2b-256 6d2affbeb3b02bd0607801e443501d57ff1c971c773e65b7a5991fc7360bc938

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page