Skip to main content

Independently verify a Touchstone disclosure — zero dependencies, pure Python.

Project description

touchstone-verify

Independently verify a Touchstone disclosure — in pure Python, with zero dependencies. Read it before you trust it: it's a small, self-contained file.

A disclosure is a tamper-evident slice of an agent's action log. This package re-derives, with no trust in Touchstone, that the slice is intact (entry hashes recompute), attributed (the subject's Ed25519 signature holds, epoch-aware across key rotation), and ordered (hash-chained, with checkpoints that are append-only, server-signed, and witness-co-signed). It also checks selective-disclosure field proofs and reports the external anchors. It proves tampering by anyone who is not Touchstone — it does not prove completeness, and says so.

It agrees byte-for-byte with the other two Touchstone verifiers (verify.php, verifier.js): all three are tested against the same conformance corpus.

Install

pip install touchstone-verify

Use

Command line — pass a file, a URL, or a disclosure token:

touchstone-verify https://touchstone.cv/d/833cd4ca23fbb940dd71843ca47a807e
touchstone-verify ./bundle.json
touchstone-verify 833cd4ca23fbb940dd71843ca47a807e        # fetches from touchstone.cv

Exit code 0 = verified, 1 = a load-bearing check failed, 2 = couldn't load.

Library:

from touchstone_verify import verify_disclosure
import json, urllib.request

bundle = json.load(urllib.request.urlopen("https://touchstone.cv/d/<token>"))
result = verify_disclosure(bundle)
print(result["ok"])           # True / False
for e in result["entries"]:
    for c in e["checks"]:
        print(c["ok"], c["msg"])

What it checks

  • Integrity — every entry_hash recomputes from its fields.
  • Attribution — the subject signature verifies over the canonical signed content; genesis proof-of-possession; key_rotation new-key PoP; counterparty co-signatures.
  • Orderingprev_hash chain linkage; Merkle inclusion in the cited checkpoint.
  • Checkpoints — server signature over each Merkle root; append-only linkage between consecutive checkpoints; independent witness co-signatures.
  • Selective disclosure — each revealed field proves Merkle inclusion in payload_hash; withheld fields never appear in the bundle.

For split-view / Bitcoin-anchor cross-checking across independent relays, see the companion gossip_check.py at https://touchstone.cv/gossip_check.py.

License

Apache-2.0.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

touchstone_verify-0.3.2.tar.gz (15.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

touchstone_verify-0.3.2-py3-none-any.whl (15.4 kB view details)

Uploaded Python 3

File details

Details for the file touchstone_verify-0.3.2.tar.gz.

File metadata

  • Download URL: touchstone_verify-0.3.2.tar.gz
  • Upload date:
  • Size: 15.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for touchstone_verify-0.3.2.tar.gz
Algorithm Hash digest
SHA256 92f7d0f218e991c6b123f6c8d6f7b47f2a3657177dcb7d07a40482ae292653f8
MD5 9e543a9ea464ff4873216458fec22a97
BLAKE2b-256 2f54341b3cff89c282ccf6ee4616691816c7d925d844df8ae2dd69ad52d3182d

See more details on using hashes here.

Provenance

The following attestation bundles were made for touchstone_verify-0.3.2.tar.gz:

Publisher: release.yml on Touchstone-CV/touchstone-verify

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file touchstone_verify-0.3.2-py3-none-any.whl.

File metadata

File hashes

Hashes for touchstone_verify-0.3.2-py3-none-any.whl
Algorithm Hash digest
SHA256 4f05c6239bd6a8db9a48f07afa57695db99974e73fedc516864e2488177e8364
MD5 c8067ace788e754b4bff1b41b1c417d1
BLAKE2b-256 86cdbac622b03b398e485cc4050a5b14bdd990ecc8a97dfefd84a6194029fbaa

See more details on using hashes here.

Provenance

The following attestation bundles were made for touchstone_verify-0.3.2-py3-none-any.whl:

Publisher: release.yml on Touchstone-CV/touchstone-verify

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page