Verification

Every kit is independently verifiable — online or offline.

What gets verified

  1. File integrity: SHA-256 hash of every file in the kit matches the manifest.
  2. Manifest completeness: Every file in the kit has a corresponding hash in the manifest. No extra files, no missing entries.
  3. Receipt signature: receipt.json is signed with Ed25519. The issuer public key set is published at the Registry JWKS endpoint.
  4. Receipt binds to manifest: The receipt references the manifest root hash, ensuring the entire kit is covered by the signature.
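An independent re-check of items 1 and 2, run directly against kit.zip bytes. This is an added example, not AttestLayer's verifier code. The manifest shape, the exemption of manifest.json and receipt.json from hashing, the reason strings, and the names verify_kit and build_kit are assumptions made for illustration.

```python
import hashlib
import io
import json
import zipfile

KIT_PREFIX = "kit/"
# Assumption: these files cannot carry their own hash, so they are exempt.
UNHASHED = {"manifest.json", "receipt.json"}


def verify_kit(zip_bytes):
    """Checks 1 and 2 on kit.zip bytes; returns (verified, reasons)."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        if len(names) != len(set(names)):
            reasons.append("DUPLICATE_ENTRY")  # ambiguous archive, never trust it
        if KIT_PREFIX + "manifest.json" not in names:
            return False, ["MANIFEST_MISSING"]
        # Assumed shape: {"files": {"<path relative to kit/>": "<sha256 hex>"}}
        manifest = json.loads(zf.read(KIT_PREFIX + "manifest.json"))["files"]
        # Siblings of kit/ (e.g. registry/registry_receipt.json) are out of scope.
        kit = {n[len(KIT_PREFIX):] for n in names if n.startswith(KIT_PREFIX)}
        actual = {rel: hashlib.sha256(zf.read(KIT_PREFIX + rel)).hexdigest()
                  for rel in kit - UNHASHED}
    reasons += [f"EXTRA_FILE:{p}" for p in sorted(actual.keys() - manifest.keys())]
    reasons += [f"MISSING_FILE:{p}" for p in sorted(manifest.keys() - actual.keys())]
    reasons += [f"HASH_MISMATCH:{p}" for p in sorted(actual.keys() & manifest.keys())
                if actual[p] != manifest[p].lower()]
    return not reasons, reasons


def build_kit(files, listed=None):
    """Constructed sample kit.zip; `listed` overrides what the manifest claims."""
    listed = files if listed is None else listed
    manifest = {"files": {p: hashlib.sha256(b).hexdigest() for p, b in listed.items()}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(KIT_PREFIX + "manifest.json", json.dumps(manifest))
        for path, data in files.items():
            zf.writestr(KIT_PREFIX + path, data)
    return buf.getvalue()


if __name__ == "__main__":
    good = {"diff.json": b'{"status": "sample"}', "verifier/index.html": b"<html>"}
    print(verify_kit(build_kit(good)))                                  # intact kit
    print(verify_kit(build_kit({**good, "x.bin": b"x"}, listed=good)))  # extra file
```

A pass here only shows the files agree with the manifest; who produced that manifest is established by items 3 and 4, which this example does not cover.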

Online verification (no server upload)

Open verify.attestlayer.com and use "Verify by Upload". The verifier runs locally in your browser:

  • It reads your kit.zip via file picker (no upload)
  • Recomputes all file hashes
  • Compares against manifest.json
  • Fetches the issuer JWKS from the registry and verifies the receipt signature
  • Displays VERIFIED / NOT VERIFIED with reason codes

Offline verification

Every kit.zip contains an offline verifier bundle. To verify without internet:

  1. Extract kit.zip
  2. Open verifier/index.html in any modern browser
  3. The verifier uses the bundled JWKS snapshot to check signatures
  4. All computation runs client-side — no network requests

Verification artifacts

File                             Purpose
kit/manifest.json                SHA-256 hash index of the normalized artifact tree
kit/receipt.json                 Ed25519-signed receipt binding to the manifest root hash
kit/verifier/jwks.json           Issuer public key snapshot for fully offline signature verification
kit/verifier/                    Self-contained offline verifier (HTML + JS)
kit/diff.json and diff.json      Diff payload shipped in the kit and as a standalone artifact; the status field shows whether comparison data was available
registry/registry_receipt.json   Transparency log receipt embedded as a top-level sibling of kit/

JWKS endpoint

Public keys for receipt verification are published at:

# Canonical (registry)
GET https://registry.attestlayer.com/v1/jwks/issuer.jwks.json

# Mirror (optional)
GET https://api.attestlayer.com/.well-known/jwks.json

Each issued kit also includes kit/verifier/jwks.json so the bundled offline verifier can validate signatures without fetching keys.
