Trust no one. Verify the chain yourself.
ainfera-verify is the public, offline verifier for Ainfera AuditChains. It lets anyone — regulator, auditor, partner, curious developer — fetch an Agent's AuditChain and cryptographically verify it without trusting Ainfera or holding an Ainfera account.
This is the customer trust primitive behind Ainfera's audit-grade transparency claim: chain of custody you can check yourself.
```bash
pip install ainfera-verify
```

Or with Homebrew:

```bash
brew install ainfera/tap/verify
```

Verify a full AuditChain by Agent ID (fetches from the public read endpoint, then verifies offline):

```bash
ainfera-verify chain manwe
```

Inspect a single AuditEvent:

```bash
ainfera-verify event manwe 1245
```

Verify an offline Annex IV bundle export (use this for air-gapped review):

```bash
ainfera-verify bundle ./manwe-2026-05-19.zip
```

For every AuditEvent in the chain:
- Hash continuity — `previous_hash` matches the prior event's `event_hash`.
- Event integrity — `event_hash` is the SHA-256 of `previous_hash || canonical_json(payload)`.
- HMAC signature — `hmac_signature` validates against the key fingerprint published at the `/.well-known` endpoint.
- Sigstore signature — when present, validated against the Rekor transparency log.

If any check fails, the verifier reports the exact `seq` where the chain breaks.
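The hash-continuity and event-integrity checks listed above can be reproduced in a few lines. This is an added example, not ainfera-verify's own code. It assumes a canonical JSON form (sorted keys, compact separators), hex digests concatenated as ASCII, and an all-zero `previous_hash` for the first event; the function names and sample events are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed previous_hash of the first event


def canonical_json(payload):
    # Assumed canonical form: sorted keys, compact separators, UTF-8.
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def event_hash(previous_hash, payload):
    # SHA-256 of previous_hash || canonical_json(payload); the hex digest is
    # concatenated as ASCII bytes (an assumption about the wire encoding).
    return hashlib.sha256(previous_hash.encode("ascii")
                          + canonical_json(payload)).hexdigest()


def build_chain(payloads):
    # Builds constructed sample data, not real AuditEvents.
    chain, prev = [], GENESIS
    for seq, payload in enumerate(payloads, start=1):
        digest = event_hash(prev, payload)
        chain.append({"seq": seq, "previous_hash": prev,
                      "payload": payload, "event_hash": digest})
        prev = digest
    return chain


def first_break(chain):
    """Return (seq, reason) for the first failing event, or None if intact."""
    prev = GENESIS
    for event in chain:
        if event["previous_hash"] != prev:
            return event["seq"], "hash continuity"
        if event_hash(event["previous_hash"], event["payload"]) != event["event_hash"]:
            return event["seq"], "event integrity"
        prev = event["event_hash"]
    return None


SAMPLE = build_chain([{"action": "start", "agent": "manwe"},
                      {"action": "tool_call", "tool": "search"},
                      {"action": "stop", "agent": "manwe"}])

if __name__ == "__main__":
    print(first_break(SAMPLE))
```

Editing a payload in place fails event integrity at that `seq`; recomputing that one event's `event_hash` to hide the edit moves the failure to hash continuity at the next `seq`.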
- The CLI ships under Apache 2.0. The verification logic is auditable.
- After events are fetched, verification is fully offline — no network calls, no Ainfera dependency.
- The key material is published at `https://ainfera.ai/.well-known/ainfera-public-key.json` and cached locally.
- For air-gapped verification, download the key once or use a bundle export (which embeds the key).

The launch release of the AuditChain signs each event with HMAC-SHA256. This means:
- Hash continuity (checks 1 + 2) is independent of who holds the signing key and is fully verifiable offline. A tampered chain breaks at the exact `seq` where the modification was introduced. This is the load-bearing security property.
- HMAC signature (check 3) is a symmetric construction. Verifying it requires trusting that the key fingerprint Ainfera publishes at `/.well-known/ainfera-public-key.json` is the same key used to sign events. There is no public/private key separation in HMAC mode.

Migration to Ed25519 asymmetric signing is planned for ainfera-verify v1.1. Once published, anyone will be able to verify HMAC and Ed25519 signatures independently, removing the key-fingerprint trust assumption. Progress tracker: https://github.com/ainfera-ai/verify/issues (filter ed25519-migration).
If your threat model requires asymmetric verification before v1.1 ships, you can pin the published key fingerprint out-of-band (e.g. via a regulator-attested document) and feed it to `ainfera-verify --pinned-key-fingerprint`.

Annex IV technical documentation requires verifiable evidence of system behavior. `ainfera-verify bundle` produces a pass/fail with the cryptographic chain of custody — sufficient evidence for a regulator's technical reviewer.
Don't want to install anything? Drop a bundle into verify.ainfera.ai. All verification runs in your browser.
Apache 2.0. See LICENSE.