Verify a signed artifact
Paste a Testrim signed run artifact below. We verify the Ed25519 signature in your browser using the Web Crypto API. No data leaves your machine.
Why this proves something
Every signed artifact embeds an Ed25519 public key + a signature. If verification passes, the contents have not been altered since the runner signed them. The signing private key never leaves the runner host — not even Testrim's servers ever hold it. An auditor (or you) holds the expected public key out-of-band; mismatch with the embedded key is itself a tamper signal.
Algorithms supported: ed25519-dsse-intoto-v1 (DSSE in-toto + SLSA Provenance v1, current) and ed25519-sha256-canonical-json-v1 (flat, legacy).
The sample is a real artifact from our hourly production monitor of testrim.com itself.
Prefer the command line? The same algorithms run in scripts/verify-artifact.py in the runner tarball (installed by ~/.testrim/runner/). Both yield identical pass/fail and emit the same field summary. See docs/SIGNED-ARTIFACT.md for the full envelope spec and a 30-LoC stdlib verifier example for auditors.