🏆 Buyer-Grade Verification

Gold-Standard Evidence Pack

Externally verifiable cryptographic integrity + reproducible test run artefacts. RFC 8785 canonical JSON, publicly sourced authority data (OFAC SDN).

Portability Pack (ECDSA P-256) — For maximum tooling compatibility. PQC pack (ML-DSA-65 / FIPS 204) available under NDA.

📦 Pack Overview

Evidence Pack ID: cc158ae1-b505-4ae3-b5a6-d10bfa0ca114

🔐 Cryptographic Attestation

Pack Hash (SHA-256): b87554396e3813391acbbcca82d083a164ca3b61734027e56a42b582d14b923a
Signing Algorithm: ECDSA P-256 (portability); ML-DSA-65 pack under NDA
Canonicalisation: RFC 8785 JCS
Signed At: 2025-12-24T09:45:14Z
Release Version: sdk-23.0.0

✅ Attestation Claims

  • INTEGRITY: All files match manifest hashes
  • PUBLIC_AUTHORITY_DATA: All data sourced from publicly available OFAC SDN sanctions list
  • NO_MOCKS: Zero mocked, simulated, or hardcoded values
  • REAL_MATCHING: Scores computed via Jaro-Winkler fuzzy matching
  • NO_CUSTOMER_DATA: No customer data or customer PII. Contains only public sanctions authority data (OFAC SDN) used for reproducibility.

✅ Verification Report

Status: PASS_WITH_WARNINGS — 12/12 checks passed, 0 errors, 2 warnings

load_required_files: 3ms
parse_and_validate_json: 2ms
canonicalisation_check: 1ms
compute_manifest_hashes: 14ms
verify_signatures: 139ms
verify_authority_snapshots: 3ms
verify_dataset_and_licence: 1ms
verify_determinism_config: 0ms
recompute_metrics_fail_closed: 1ms
verify_sbom: SBOM not present (optional)
verify_provenance_optional: SLSA provenance not present (optional)
privacy_scan_no_private_context: 8ms

📁 Pack Structure

Complete directory layout with file roles and integrity hashes.

gold_evidence_pack/
├── MANIFEST.canonical.json      # RFC 8785 JCS canonical manifest
├── MANIFEST.sha256              # SHA256 hash of manifest
├── ATTESTATION.json             # Cryptographic attestation
├── ATTESTATION.sha256           # SHA256 hash of attestation
├── ATTESTATION.sig              # ECDSA P-256 signature
├── AUTHORITY_SNAPSHOTS/
│   └── ofac_sdn/                # OFAC SDN authority snapshot
│       ├── raw_download.bin     # Original OFAC download
│       ├── normalised_snapshot.json
│       ├── provenance.json      # Download metadata
│       └── *.sha256             # Hash files
├── DATASET/
│   ├── eval_dataset.jsonl       # Evaluation dataset (real data)
│   ├── labels.jsonl             # Ground truth labels
│   └── LICENCE.txt
├── CONFIG/
│   ├── determinism_config.json  # Deterministic run config
│   └── threshold_config.json    # Matching thresholds
├── OUTPUT/
│   ├── decisions.jsonl          # Evaluation decisions
│   └── metrics.json             # Computed metrics
├── RUN/
│   └── runtime_env_fingerprint.json
├── KEYS/
│   ├── signing_public_key.pem   # ECDSA P-256 public key
│   └── key_fingerprint.txt
├── VERIFY/
│   ├── verify.py                # Verification tool
│   └── CONTRACT/                # Verifier contract files
├── UAT_REPORT.json              # UAT execution report
└── VERIFY_REPORT.json           # Verification report

🖥️ Offline Verification

Verify the pack independently — no QuantumVerify infrastructure required.

Step 1: Download the Pack

# Request the Evidence Pack under NDA:
# https://www.quantumverify.io/request-diligence-pack.html
# After NDA execution, download and unzip:
unzip QV_GOLD_EVIDENCEPACK_sdk-23.0.0_cc158ae1.zip

Step 2: Verify Manifest Integrity

# Verify manifest hash
sha256sum -c MANIFEST.sha256

# Expected output:
# MANIFEST.canonical.json: OK

Step 3: Verify ECDSA Signature

# Verify pack signature using OpenSSL
openssl dgst -sha256 -verify KEYS/signing_public_key.pem \
    -signature ATTESTATION.sig ATTESTATION.sha256

# Expected output:
# Verified OK

Step 4: Run Full Verification Suite

# Run the included verification tool (tested: Ubuntu 22.04+, Python 3.11+, OpenSSL 3.x)
python VERIFY/verify.py .

# Expected output:
# ✔ All 12 checks passed
# Status: PASS_WITH_WARNINGS

Step 5: Verify Authority Snapshot Against Original Source

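# Compare authority snapshot hash to independently downloaded OFAC SDN
# -f fails on HTTP errors so an error page is never hashed; -L follows redirects
curl -fsSL https://www.treasury.gov/ofac/downloads/sdn.csv | sha256sum

# Compare output to: AUTHORITY_SNAPSHOTS/ofac_sdn/raw_download.sha256
# The live list changes whenever OFAC publishes an update, so the hashes match
# only if the list is unchanged since the snapshot was downloaded.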
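
Steps 2 and 3 check the pack against a public key and hash files that ship inside the same archive, so on their own they show internal consistency only. The following added example (not part of the pack and not the vendor's verify.py) pins the signing key to a fingerprint obtained out of band, then walks the chain from key to signature to ATTESTATION.sha256 to ATTESTATION.json. The fingerprint format (SHA-256 of the DER public key), the digest-first layout of ATTESTATION.sha256 and the helper names are assumptions; make_pack builds a constructed sample pack with a throwaway key.

```shell
#!/bin/sh
# Added example, not the pack's verify.py. Assumptions: the fingerprint is
# SHA-256 over the DER public key; ATTESTATION.sha256 starts with the hex digest.

key_fpr() {   # fingerprint of a PEM public key
    openssl pkey -pubin -in "$1" -outform DER | sha256sum | cut -d' ' -f1
}

# verify_pack DIR PINNED_FPR -> 0 pass, 1 verification fail, 66 missing input
verify_pack() {
    dir=$1; pinned=$2; key="$dir/KEYS/signing_public_key.pem"
    for f in ATTESTATION.json ATTESTATION.sha256 ATTESTATION.sig; do
        [ -f "$dir/$f" ] || return 66
    done
    [ -f "$key" ] || return 66
    # 1. Trust anchor: in-pack key must match the fingerprint obtained out of band.
    [ "$(key_fpr "$key")" = "$pinned" ] || return 1
    # 2. Signature over ATTESTATION.sha256, as in Step 3.
    openssl dgst -sha256 -verify "$key" -signature "$dir/ATTESTATION.sig" \
        "$dir/ATTESTATION.sha256" >/dev/null 2>&1 || return 1
    # 3. The signed digest must match the attestation itself; compare directly
    #    rather than trusting the file name listed in the checksum file.
    want=$(cut -d' ' -f1 "$dir/ATTESTATION.sha256")
    have=$(sha256sum < "$dir/ATTESTATION.json" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# make_pack DIR: constructed sample pack, signed with a throwaway key (DIR.key).
make_pack() {
    mkdir -p "$1/KEYS"
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl pkey -in "$1.key" -pubout -out "$1/KEYS/signing_public_key.pem"
    printf '{"claims":["INTEGRITY"]}' > "$1/ATTESTATION.json"
    (cd "$1" && sha256sum ATTESTATION.json > ATTESTATION.sha256)
    openssl dgst -sha256 -sign "$1.key" -out "$1/ATTESTATION.sig" "$1/ATTESTATION.sha256"
}

# CLI use: sh verify_chain.sh <pack_dir> <pinned_fingerprint>
if [ "$#" -eq 2 ]; then
    verify_pack "$1" "$2"
    exit $?
fi
```

A pack signed with any other key passes the signature check against its own KEYS/signing_public_key.pem, which is why the pinned fingerprint comparison comes first.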

📊 UAT Test Results

All core UAT tests pass, demonstrating pack integrity and verification capability.

| Test ID | Description | Status |
|---|---|---|
| UAT-001 | Pack Integrity Verification | ✅ PASS |
| UAT-002 | Offline Verification Mode | ✅ PASS |
| UAT-003 | Tamper Detection | ✅ PASS |
| UAT-004 | Metrics Recomputation | ✅ PASS |
| UAT-005 | Authority Snapshot Validation | ✅ PASS |
| UAT-006 | Determinism Verification | ✅ PASS |

🔐 Verifier Contract

Stable verification contract with fixed checks and error codes.

  • 13 checks in fixed order
  • 21 error codes with frozen meanings
  • BSD sysexits-compliant exit codes

Exit Codes

| Code | Meaning |
|---|---|
| 0 | PASS / PASS_WITH_WARNINGS |
| 1 | Verification FAIL |
| 64 | Usage error (EX_USAGE) |
| 65 | Data/format error (EX_DATAERR) |
| 66 | Missing input (EX_NOINPUT) |
| 70 | Software error (EX_SOFTWARE) |
| 71 | OS/runtime error (EX_OSERR) |
