Guide: Verifying Bundles
Verify a XASE evidence bundle offline. Auditors can validate integrity in air-gapped environments.
Offline Verification
```bash
# Extract the bundle
unzip evidence_bundle.zip
cd evidence_bundle
# Run verification
./verify.sh
# Expected output:
# ✓ Checking signature... Valid (RSA-SHA256)
# ✓ Checking hash chain... Intact (block 847 of 12,847)
# ✓ Checking timestamps... Consistent
# ✓ Checking model registry... Hash matches credit-scoring-v4.2.1
#
# RESULT: Evidence bundle is AUTHENTIC
```
What Gets Verified
| Check | What It Proves |
| --- | --- |
| Signature | Bundle was signed by XASE KMS and not modified afterwards |
| Hash Chain | This record links to previous/next records correctly |
| Timestamps | Decision and intervention times are consistent |
| Model Hash | Model version matches registered model card |
| Actor Identity | Human reviewer's identity is cryptographically bound |

The public key, certificates, and chain proofs are included in the bundle.
Manual Verification (Advanced)
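```bash
# 1) Verify Signature (manual)
# pubkey.pem is taken from the certificate shipped inside the bundle, so
# confirm certificate.pem against a XASE certificate you already trust
# before relying on the result.
openssl x509 -in certificate.pem -pubkey -noout > pubkey.pem
openssl dgst -sha256 -verify pubkey.pem -signature signature.sig decision.json
# Output: Verified OK
# 2) Verify Record Hash
python3 - <<'PY'
import hashlib, json
with open('decision.json') as f:
    decision = json.load(f)
# A digest cannot cover its own value, so the stored 'hash' field is left out
# before hashing (assumption: every other field is covered, keys sorted).
body = {k: v for k, v in decision.items() if k != 'hash'}
record_hash = hashlib.sha256(
    json.dumps(body, sort_keys=True).encode()
).hexdigest()
assert record_hash == decision['hash'], 'Hash mismatch'
print('Hash OK')
PY
# 3) Verify Timestamps
python3 - <<'PY'
from datetime import datetime
import json
with open('decision.json') as f:
    decision = json.load(f)
with open('intervention.json') as f:
    intervention = json.load(f)
# The intervention must be signed after the decision was created.
# datetime.fromisoformat accepts a trailing 'Z' only on Python 3.11+.
signed_at = datetime.fromisoformat(intervention['signed_at'])
created_at = datetime.fromisoformat(decision['created_at'])
assert signed_at > created_at, 'Intervention predates decision'
print('Timestamps OK')
PY
```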
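The manual steps above check a single record; the "Hash Chain" check from the table can be reproduced along the following lines. This is an added example, not the bundle's own verify.sh: the field names `payload`, `prev_hash` and `hash`, the canonical JSON form, and the all-zero anchor are assumptions, and the records are constructed sample data.

```python
import hashlib
import json


def record_digest(record):
    """SHA-256 over canonical JSON of the record, excluding its own 'hash' field."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_chain(records, anchor_prev_hash):
    """Walk the chain from a trusted anchor; return (ok, first_bad_index, reason)."""
    expected_prev = anchor_prev_hash
    for i, rec in enumerate(records):
        # Link check: each record must point at the hash of the one before it.
        if rec.get("prev_hash") != expected_prev:
            return False, i, "prev_hash does not match preceding record"
        # Content check: the stored hash must match the record's actual contents.
        if rec.get("hash") != record_digest(rec):
            return False, i, "stored hash does not match record contents"
        expected_prev = rec["hash"]
    return True, None, "chain intact"


def build_chain(payloads, anchor):
    """Build constructed sample records (hypothetical layout, not real bundle data)."""
    chain, prev = [], anchor
    for payload in payloads:
        rec = {"payload": payload, "prev_hash": prev}
        rec["hash"] = record_digest(rec)
        chain.append(rec)
        prev = rec["hash"]
    return chain


ANCHOR = "0" * 64  # assumed genesis value; in practice a hash obtained out of band
SAMPLE = build_chain(
    [{"decision": "approve"}, {"decision": "deny"}, {"decision": "review"}], ANCHOR
)

if __name__ == "__main__":
    print(verify_chain(SAMPLE, ANCHOR))
    edited = [dict(r, payload=dict(r["payload"])) for r in SAMPLE]
    edited[1]["payload"]["decision"] = "approve"  # simulate a modified record
    print(verify_chain(edited, ANCHOR))
```

Walking forward from an anchor does not reveal records removed from the end of the chain; that requires comparing the last hash with a value obtained independently of the bundle.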