Trust Spine · /keys
Trust roots & signing keys
Every signed Project-AI artifact resolves to one of these published keys. Use them to verify receipts offline; do not trust receipts whose signer id does not appear here.
Active signing keys
| Key id | Role | Alg | Fingerprint | Issued | Expires | Status |
|---|---|---|---|---|---|---|
| pai-audit-2026-q2 | Audit ledger — receipt signing | Ed25519 | SHA256:7e3b91d6c2a0… (published with release) | 2026-04-01 | 2026-09-30 | ACTIVE |
| pai-warrant-2026 | Governance warrant signing | Ed25519 | SHA256:ab18ff04e6d1… (published with release) | 2026-01-15 | 2026-12-31 | ACTIVE |
TSA roots (RFC 3161 timestamping)
DigiCert TSA
PINNED · RFC 3161 timestamping
DigiCert Assured ID Timestamping CA
Offline verification — canonical sequence
The same four-step sequence is reproduced on /verify, /reproduce, /evidence, and /faq. Run them in order against a downloaded receipt + signature + TSR.
Ed25519 signature
# 1. Verify Ed25519 signature over the receipt JSON
openssl pkeyutl \
  -verify \
  -pubin -inkey pai-audit-2026-q2.pub \
  -rawin -in receipt.json \
  -sigfile receipt.sig
RFC 3161 timestamp
# 2. Verify RFC 3161 timestamp from the TSA
openssl ts -verify \
  -in receipt.tsr \
  -data receipt.json \
  -CAfile digicert-tsa-roots.pem
Receipt hash
# 3. Recompute the receipt hash and compare to the receipt body
sha256sum receipt.json
# expected = receipt_hash field inside receipt.json
Chain continuity
# 4. Walk the chain: every receipt's prev_hash must equal the
# receipt_hash of the previous entry (chain_seq - 1).
jq -r '[.chain_seq, .prev_hash, .receipt_hash] | @tsv' chain/*.json \
| sort -n | awk 'NR>1 && $2 != prev { print "BREAK at seq", $1; exit 1 } { prev = $3 }'
Key material is distributed with each release artifact on Zenodo and GitHub. Compare the fingerprint above to the file you downloaded before trusting it. Public key files: pai-audit-2026-q2.pub, pai-warrant-2026.pub — bundled with each release; SHA-256 checksums published alongside.
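An added example (not Project-AI's own tooling) that extends the step 4 chain walk: besides the prev_hash link it reports chain_seq gaps and duplicates, and can compare the newest receipt_hash to a value obtained out of band, since a chain cut off at the tail still links cleanly. The `expected_head` parameter and the placeholder hashes are assumptions; the check is structural and does not replace steps 1 to 3.

```python
import glob
import json

def load_chain(pattern="chain/*.json"):
    """Read one receipt per file, matching the jq invocation in step 4."""
    entries = []
    for path in glob.glob(pattern):
        with open(path, encoding="utf-8") as fh:
            entries.append(json.load(fh))
    return entries

def walk_chain(entries, expected_head=None):
    """Return (chain_seq, problem) findings; an empty list means the chain is intact.

    expected_head is a hypothetical parameter: the receipt_hash of the newest
    entry, obtained out of band, used to notice a chain truncated at the tail.
    """
    findings = []
    prev = None
    for entry in sorted(entries, key=lambda e: e["chain_seq"]):
        seq = entry["chain_seq"]
        if prev is not None:
            if seq == prev["chain_seq"]:
                findings.append((seq, "duplicate chain_seq"))
                continue  # keep the first copy as the reference
            if seq != prev["chain_seq"] + 1:
                findings.append((seq, "gap: previous entry missing"))
            elif entry.get("prev_hash") != prev["receipt_hash"]:
                findings.append((seq, "prev_hash mismatch"))
        prev = entry
    if expected_head is not None and (prev is None or prev["receipt_hash"] != expected_head):
        findings.append((prev["chain_seq"] if prev else None, "head mismatch"))
    return findings

# Constructed sample chain (placeholder hashes, not real receipts).
SAMPLE = [
    {"chain_seq": 0, "prev_hash": None, "receipt_hash": "h0"},
    {"chain_seq": 1, "prev_hash": "h0", "receipt_hash": "h1"},
    {"chain_seq": 2, "prev_hash": "h1", "receipt_hash": "h2"},
    {"chain_seq": 3, "prev_hash": "hX", "receipt_hash": "h3"},  # tampered link
    {"chain_seq": 5, "prev_hash": "h4", "receipt_hash": "h5"},  # seq 4 removed
]

if __name__ == "__main__":
    for seq, problem in walk_chain(SAMPLE):
        print("BREAK at seq", seq, "-", problem)
```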
Rotation log
- 2026-04-01: Audit signing key rotated: pai-audit-2025-q4 → pai-audit-2026-q2.
- 2026-01-15: Warrant signing key established for 2026 cycle.
- 2025-10-02: Genesis audit signing key archived; chain continuity preserved.