Help — reviewer verification
What can a reviewer verify independently?
The reviewer-side verification surface: what the public verifier confirms, what it does not, and the offline path.
What the reviewer can verify independently
- The manifest (SHA-256 of every file in the kit) matches the contents of the ZIP.
- The signed receipt is valid against the AttestLayer registry’s published public key.
- The verification path resolves on the public verifier (or via the offline verify kit, with the registry’s public key alone).
- The submitting workspace identity matches the issuer named in the manifest.
- The issuance timestamp and registry checkpoint.
What the reviewer cannot verify with AttestLayer alone
- The truthfulness of the underlying supplied records.
- Compliance with any specific framework (SOC 2, ISO, HIPAA, PCI-DSS, GDPR).
- Legal positions, audit findings, or insurance coverage.
How to verify offline
Download the offline verify kit from registry.attestlayer.com/v1/verify-kit.zip and run the bundled verifier against the packet ZIP. The kit verifies signatures and the inclusion proof using the registry’s public key alone; no AttestLayer account is required.
Where to learn more
See the Reviewer pack and the Trust center.