Conformance · Apache-2.0

Pass all six suites. Claim the badge.

A curated corpus of known-good and known-bad fixtures. Implementations that pass every mandatory suite may display the official "SignedReceipts compatible" badge.

SUITE 1 / mandatory

Schema validity (v1 + v2)

Validates that an envelope conforms to the v1 or v2 JSON Schema. v2 verifiers MUST reject envelopes whose v claim is not the integer 2, whose alg is not "ES256", or whose signature is not exactly 64 raw bytes (base64url, no padding) of P-256 r||s.

142 good68 bad
SUITE 2 / mandatory

Signature verification

ECDSA P-256 / SHA-256 for v2 (alg ES256, JOSE raw r||s). ECDSA P-256 / SHA-512 for v1 (alg ES512, DER, signed_fields canonicalisation). Includes deterministic-k vectors, malleable-signature attempts, key-mismatch cases, and dispatch correctness when both versions appear.

96 good128 bad
SUITE 3 / mandatory

Chain discipline

Sequence integrity, prev-hash chaining, replay-attack vectors, fork detection, and zeroes-only first-receipt edge case.

84 good112 bad
SUITE 4 / mandatory

Canonicalisation (RFC 8785 JCS)

Mandatory for v2 verifiers. Key ordering by UTF-16 code-units, IEEE 754 / ECMAScript number rendering, escape sequences, surrogate-pair handling, and round-trip byte equality for the published test vectors. v1 verifiers are exempt (they use the legacy ksort+JSON_UNESCAPED_SLASHES rule documented in spec §8.1 deprecated).

204 good82 bad
SUITE 5 / mandatory

Detector fingerprints

HMAC-SHA-256 substitution proofs, fingerprint-collision attempts, and PII leakage probes (must reject).

48 good96 bad
SUITE 6 / mandatory

Malicious mutation

Field reordering, whitespace insertion, JSON-injection attempts, and signature-stripping. All must be rejected.

12 good186 bad

Run the test suite

The corpus ships as standalone JSON. Any verifier that can read the fixtures may run the suite. The reference runner is bundled with the Rust and TypeScript implementations.

# Rust: clone, install, run all six suites
git clone /source/conformance/ && cd conformance
cargo install signedreceipt-cli
signedreceipt conformance run --vector ./vectors --report report.json
# prints per-suite pass/fail and emits a JSON report

# TypeScript
pnpm add -D @signedreceipts/conformance
npx signedreceipt-conformance ./vectors

What "passing" means

An implementation passes a suite when every good fixture verifies and every bad fixture is rejected with a deterministic error. Fixtures are ratified by the working group at each release; vendors may not skip individual fixtures to claim conformance.

Badge eligibility requires passing all six mandatory suites. Optional suites (FIPS, ML-DSA preview, post-quantum chain hashes) confer additional badge variants.

Claim the badge →