Independently verify a Touchstone disclosure — zero dependencies, pure Python.
Project description
touchstone-verify
Independently verify a Touchstone disclosure — in pure Python, with zero dependencies. Read it before you trust it: it's a small, self-contained file.
A disclosure is a tamper-evident slice of an agent's action log. This package re-derives, with no trust in Touchstone, that the slice is intact (entry hashes recompute), attributed (the subject's Ed25519 signature holds, epoch-aware across key rotation), and ordered (hash-chained, with checkpoints that are append-only, server-signed, and witness-co-signed). It also checks selective-disclosure field proofs and reports the external anchors. It proves tampering by anyone who is not Touchstone — it does not prove completeness, and says so.
It agrees byte-for-byte with the other two Touchstone verifiers (verify.php, verifier.js):
all three are tested against the same conformance corpus.
Install
pip install touchstone-verify
Use
Command line — pass a file, a URL, or a disclosure token:
touchstone-verify https://touchstone.cv/d/833cd4ca23fbb940dd71843ca47a807e
touchstone-verify ./bundle.json
touchstone-verify 833cd4ca23fbb940dd71843ca47a807e # fetches from touchstone.cv
Exit code 0 = verified, 1 = a load-bearing check failed, 2 = couldn't load.
Library:
from touchstone_verify import verify_disclosure
import json, urllib.request
bundle = json.load(urllib.request.urlopen("https://touchstone.cv/d/<token>"))
result = verify_disclosure(bundle)
print(result["ok"]) # True / False
for e in result["entries"]:
for c in e["checks"]:
print(c["ok"], c["msg"])
Grade a receipt's columns by k
from touchstone_verify import grade_columns, find_columns
import json, urllib.request
doc = json.load(urllib.request.urlopen("https://touchstone.cv/columns/<recorder>/<seq>"))
cols, digest = find_columns(doc)
r = grade_columns(cols, digest)
print(r["coherent"], r["min_k"]) # True / cheapest falsehood path (min k across load-bearing columns)
k is the minimum number of independent parties who must collude before a column can be false,
computed from the evidence (never the declared grade): k=0 re-derivable, k = 1 + distinct-control witnesses (co-sigs collapse on a shared key or a receipt-carried controller binding, so it's an
upper bound), k=1 testimony. Declaring more strength than the evidence supports fails closed.
What it checks
- Integrity — every
entry_hashrecomputes from its fields, including the beacon fold: abeacon_bindingrecorder's entries carryserver_beacon = {chain, round, randomness}as a finalbeacon:<chain>:<round>:<randomness>line of the preimage (a checkable not-before). Absent → the exact legacy 7-field preimage, so older entries verify unchanged. - Attribution — the subject signature verifies over the canonical signed content; genesis
proof-of-possession;
key_rotationnew-key PoP; counterparty co-signatures. - Ordering —
prev_hashchain linkage; Merkle inclusion in the cited checkpoint. - Checkpoints — server signature over each Merkle root; append-only linkage between consecutive checkpoints; independent witness co-signatures.
- Selective disclosure — each revealed field proves Merkle inclusion in
payload_hash; withheld fields never appear in the bundle.
For split-view / Bitcoin-anchor cross-checking across independent relays, see the companion
gossip_check.py at https://touchstone.cv/gossip_check.py.
License
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file touchstone_verify-0.4.2.tar.gz.
File metadata
- Download URL: touchstone_verify-0.4.2.tar.gz
- Upload date:
- Size: 21.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1824beb3bd0c987db0bc56a48c9c7234b3e64b38519554ad08de57d8f0886f72
|
|
| MD5 |
714353948bd7205026788fba1be76c7a
|
|
| BLAKE2b-256 |
a79a6f4108fcd2cf9c872c31d9dfce97da686c12a3c7cd3768b3997b8aa9170e
|
Provenance
The following attestation bundles were made for touchstone_verify-0.4.2.tar.gz:
Publisher:
release.yml on Touchstone-CV/touchstone-verify
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
touchstone_verify-0.4.2.tar.gz -
Subject digest:
1824beb3bd0c987db0bc56a48c9c7234b3e64b38519554ad08de57d8f0886f72 - Sigstore transparency entry: 2142712227
- Sigstore integration time:
-
Permalink:
Touchstone-CV/touchstone-verify@4c1f7bf86a8d4c9f835ed808c7566b1d91704f05 -
Branch / Tag:
refs/tags/v0.4.2 - Owner: https://github.com/Touchstone-CV
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@4c1f7bf86a8d4c9f835ed808c7566b1d91704f05 -
Trigger Event:
push
-
Statement type:
File details
Details for the file touchstone_verify-0.4.2-py3-none-any.whl.
File metadata
- Download URL: touchstone_verify-0.4.2-py3-none-any.whl
- Upload date:
- Size: 19.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
012498eddc6131a65faeba2f7e9495a6bbb95554f0dfe6d6222e5125847fc1e1
|
|
| MD5 |
3d40bd55c30d28ab0e0ca7a80cfb7aaf
|
|
| BLAKE2b-256 |
eb8ae6ab69e985581942134b484f2d59825ce21bbb29e7c9fb8491b1d65a1c42
|
Provenance
The following attestation bundles were made for touchstone_verify-0.4.2-py3-none-any.whl:
Publisher:
release.yml on Touchstone-CV/touchstone-verify
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
touchstone_verify-0.4.2-py3-none-any.whl -
Subject digest:
012498eddc6131a65faeba2f7e9495a6bbb95554f0dfe6d6222e5125847fc1e1 - Sigstore transparency entry: 2142712256
- Sigstore integration time:
-
Permalink:
Touchstone-CV/touchstone-verify@4c1f7bf86a8d4c9f835ed808c7566b1d91704f05 -
Branch / Tag:
refs/tags/v0.4.2 - Owner: https://github.com/Touchstone-CV
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@4c1f7bf86a8d4c9f835ed808c7566b1d91704f05 -
Trigger Event:
push
-
Statement type: