Verification

Verify evidence bundles offline. Auditors can validate integrity in air-gapped environments.

Offline verification

# Extract the bundle
unzip evidence_bundle.zip

# Run verification
chmod +x verify.sh
./verify.sh

# Expected output:
# ✓ Signature valid
# ✓ Manifest hashes match
# ✓ Hash chain intact
# ✓ Timestamps consistent
# RESULT: Evidence bundle is AUTHENTIC
Offline verification requires no API calls and no dependency on Xase infrastructure.

What gets verified

Check             What it proves
Signature         Bundle was signed and not modified after issuance
Manifest          Files match declared hashes in the bundle manifest
Hash chain        Session/record chain pointers are consistent
Timestamps        Evidence timestamps are consistent and ordered

Manual verification (advanced)

# 1) Verify signature (manual)
openssl x509 -in certificate.pem -pubkey -noout > pubkey.pem
openssl dgst -sha256 -verify pubkey.pem -signature signatures/bundle.sig manifest.json
# Output: Verified OK

# 2) Verify manifest hashes
python3 - <<'PY'
import hashlib, json, pathlib, sys
manifest = json.loads(pathlib.Path('manifest.json').read_text())
for entry in manifest['files']:
    p = pathlib.Path(entry['path'])
    digest = hashlib.sha256(p.read_bytes()).hexdigest()
    # Explicit check, not assert: asserts are skipped when Python runs optimized (-O / PYTHONOPTIMIZE)
    if digest != entry['sha256']:
        sys.exit(f"hash mismatch: {entry['path']}")
print('Manifest OK')
PY
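
Checks 3 and 4 from the table (hash chain and timestamps) can be done by hand in the same way. The following is an added example, not Xase's code or bundle format: the record fields `timestamp`, `payload` and `prev_hash`, the all-zero genesis pointer and the canonical-JSON hashing are assumptions, and the sample records are constructed.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # assumed prev_hash of the first record


def record_hash(record):
    """SHA-256 over canonical JSON (sorted keys, no whitespace); assumed encoding."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_chain(records):
    """Return (index, problem) tuples; an empty list means the chain is intact."""
    problems = []
    expected_prev = GENESIS
    last_ts = None
    for i, rec in enumerate(records):
        # Pointer check: each record must name the hash of the record before it.
        if rec.get("prev_hash") != expected_prev:
            problems.append((i, "prev_hash does not match previous record"))
        # Ordering check: timestamps must parse and never go backwards.
        try:
            ts = datetime.fromisoformat(rec["timestamp"])
            if last_ts is not None and ts < last_ts:
                problems.append((i, "timestamp earlier than previous record"))
            last_ts = ts
        except (KeyError, TypeError, ValueError):
            problems.append((i, "missing, unparseable or mixed-timezone timestamp"))
        expected_prev = record_hash(rec)
    return problems


def build_chain(events):
    """Build a constructed sample chain from (timestamp, payload) pairs."""
    chain, prev = [], GENESIS
    for ts, payload in events:
        rec = {"timestamp": ts, "payload": payload, "prev_hash": prev}
        chain.append(rec)
        prev = record_hash(rec)
    return chain


if __name__ == "__main__":
    sample = build_chain([("2025-01-01T10:00:00+00:00", "session opened"),
                          ("2025-01-01T10:00:05+00:00", "decision recorded")])
    sample[0]["payload"] = "edited"  # simulate tampering with the first record
    print(verify_chain(sample))
```

A chain of this kind only exposes changes to records that have a successor; the final record is protected only if the file holding it is listed in the signed manifest checked in steps 1 and 2.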