Standalone offline verifier for VERIDICT case bundles. Free and open: trust, but re-check.
Project description
veridict-verify
Standalone offline verifier for VERIDICT case bundles (.veridict.zip).
Free and open: trust, but re-check.
This package shares no runtime code with the VERIDICT engine. It re-checks hashes, signatures, timestamps, citation spans, corroboration ceilings, and graph semantics from the published bundle format so a skeptic does not have to trust the tool that produced the case. You do not need an account, a server, or the engine — only this package and the bundle you were handed.
Install
pip install veridict-verify
# optional RFC-3161 token parsing:
pip install 'veridict-verify[timestamps]'
Or from this repository:
pip install .
Usage
veridict-verify path/to/case.veridict.zip
veridict-verify path/to/case.veridict.zip --json
veridict-verify path/to/case.veridict.zip --trusted-key <sha256-fingerprint>
Try it right now on the demo bundle in this repository:
veridict-verify examples/demo.veridict.zip
Exit codes
| Code | Meaning |
|---|---|
| 0 | VALID — no findings |
| 2 | VALID WITH WARNINGS — integrity holds; review warnings (e.g. pending timestamps, single-source) |
| 1 | INVALID — hash/signature/semantic failure |
Key pinning
Cryptographic verification proves integrity, not identity. Pin a published investigator fingerprint:
veridict-verify case.veridict.zip --trusted-key abcdef...64hex...
See docs/key-policy.md for custody and publication guidance.
What it checks
- Manifest hash and Ed25519 signature; key id ↔ public key binding
- Append-only hash chain (seq, prev, body_hash, chain_hash, record signatures)
- Artifact CAS object re-hash; optional standalone
content_signature - Claim grounding (
supported-by), exact citation quote/offsets - Human
verified-bysignatures;contradicts/supersedessemantics - Independence corroboration ceilings (N vs M)
- RFC-3161 / OpenTimestamps proof structure where present
- Key-rotation statements (
veridict-key-rotation/1)
Documentation
Relationship to the VERIDICT engine
The engine that builds cases (capture, sealing, AI-assisted analysis, reporting) is developed separately. This verifier is intentionally independent so that opposing counsel, auditors, and editors can re-check conclusions without trusting — or even having — the engine. Conformance tests that exercise the verifier against engine-produced bundles run in the engine's CI on every commit.
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file veridict_verify-0.2.0.tar.gz.
File metadata
- Download URL: veridict_verify-0.2.0.tar.gz
- Upload date:
- Size: 30.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b3ff1cec9ffc869abf83272f7fad9ea95708be91abe520d7932aeba94959877f
|
|
| MD5 |
de95192aa2f46f434d9a7cf1cdfb3116
|
|
| BLAKE2b-256 |
6afd1f3e1eb1e78990a1356952073ee9573c7fb7c9517eb0e122745d03b761c8
|
Provenance
The following attestation bundles were made for veridict_verify-0.2.0.tar.gz:
Publisher:
release.yml on CXdefense/veridict-verify
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
veridict_verify-0.2.0.tar.gz -
Subject digest:
b3ff1cec9ffc869abf83272f7fad9ea95708be91abe520d7932aeba94959877f - Sigstore transparency entry: 2153102189
- Sigstore integration time:
-
Permalink:
CXdefense/veridict-verify@0b4e3ded0b74344cba46d56b1538df5fb0cd3032 -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/CXdefense
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@0b4e3ded0b74344cba46d56b1538df5fb0cd3032 -
Trigger Event:
push
-
Statement type:
File details
Details for the file veridict_verify-0.2.0-py3-none-any.whl.
File metadata
- Download URL: veridict_verify-0.2.0-py3-none-any.whl
- Upload date:
- Size: 19.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
63b9c7050257fe77ffdf55d4f94b9cef75750bf81403248fa0fb9024ca307566
|
|
| MD5 |
f610d67d009011c4b91bb811fad9dc4b
|
|
| BLAKE2b-256 |
df05614fa82ff4a1a3352158127319f64bf97ada4905ab5d6894c11f7dffa654
|
Provenance
The following attestation bundles were made for veridict_verify-0.2.0-py3-none-any.whl:
Publisher:
release.yml on CXdefense/veridict-verify
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
veridict_verify-0.2.0-py3-none-any.whl -
Subject digest:
63b9c7050257fe77ffdf55d4f94b9cef75750bf81403248fa0fb9024ca307566 - Sigstore transparency entry: 2153102726
- Sigstore integration time:
-
Permalink:
CXdefense/veridict-verify@0b4e3ded0b74344cba46d56b1538df5fb0cd3032 -
Branch / Tag:
refs/tags/v0.2.0 - Owner: https://github.com/CXdefense
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@0b4e3ded0b74344cba46d56b1538df5fb0cd3032 -
Trigger Event:
push
-
Statement type: