← Back to Home

Independent verification

Verify a SatGate Evidence Pack.

SatGate Evidence Packs are designed to be checked without SatGate credentials. A verifier should fetch the pack, fetch issuer JWKS, canonicalize the signed receipt with RFC 8785 JCS, recompute the SHA-256 receipt hash, verify the Ed25519 signature, and compare unsigned pack mirrors against the signed receipt.

Clean-room verification

python3 -m venv .venv-verify
. .venv-verify/bin/activate
pip install cryptography rfc8785
curl -fsS https://api.satgate.io/v1/evidence/evid_QBBiz-GEI-stsaP6KS01-RL414Csuidv -o pack.json
curl -fsS https://api.satgate.io/.well-known/jwks.json -o jwks.json
python tools/verify_evidence_pack.py pack.json   --jwks-file jwks.json   --require-trusted-issuer

What the verifier checks

  • • Receipt schema version and production/mock markers.
  • • RFC 8785 canonical payload excluding receipt_hash and signature.
  • • SHA-256 receipt_hash and Ed25519 signature.
  • • Issuer JWKS at /.well-known/jwks.json; embedded public keys are fallback evidence, not issuer trust.
  • • Top-level pack mirrors and budget-state mirrors match the signed receipt.
  • • Optional evidence_pack_hash and secret redaction markers.

What this proves — and what it does not.

Proves

The signed receipt was emitted by the issuer key identified by issuer_kid; signed-field tampering fails; the pack mirrors agree with the signed receipt; bearer/capability secrets are redacted.

Does not prove by itself

Billing settlement, upstream counter reconciliation, Hybrid/MCP parity, instant revocation propagation, or broad production readiness unless those claims are separately evidenced.