reference-rust
v1.0.0The canonical Rust crate for producing and verifying SignedReceipts envelopes. JCS canonicalisation, ECDSA P-256, chain validation, and a FIPS-validated path via aws-lc-rs.
About this artefact
signedreceipts is the reference Rust crate for the OpenReceipt envelope format. It ships a producer API for emitting signed receipts, a verifier core that is no_std-compatible, JCS canonicalisation per RFC 8785, ECDSA P-256 signing, chain discipline enforcement, and a streaming validator for long chains. The crate has a minimum supported Rust version (MSRV) of 1.75 and is published to crates.io with SLSA 3 build provenance.
An optional fips feature swaps the default ring backend for aws-lc-rs, which on supported targets uses the FIPS 140-3 validated AWS-LC module (CMVP certificate #4759). Build determinism is enforced in CI: every released tarball produces the exact same SHA-256 manifest from a clean checkout. The crate is dual-distributed — as a tarball here on signedreceipts.org and as a versioned release on crates.io — with the same signing key over both surfaces.
Manifest
| Path | Size | SHA-256 |
|---|---|---|
Cargo.toml | 1.4 KB | 9564b445610c67e5641836ff6a24223acbe369079cc787bf7b707c405b34382e |
src/lib.rs | 8.2 KB | b517246a2f2c10942c64fde48c0a581bcb85776f40aaf6453913d806d5048c72 |
src/canonical.rs | 5.7 KB | a8044b6265c751d645208e1e67709af6a88509b6b7761780183c5ec710759192 |
src/sign.rs | 6.1 KB | 39d6a69e2b97bd0e9b8d1ecfdacbfb15e697580987307e4661e368d795e8b577 |
src/verify.rs | 9.4 KB | b2e5e4e18868f51c576a82cbd10adfa8e048c321073a4043998ea61bbdf53b75 |
8af4c92d · signed by working-group key wg-2026-03Quick start
[dependencies]
signedreceipts = "1.0"
# FIPS-validated path:
# signedreceipts = { version = "1.0", features = ["fips"] }
use signedreceipts::{Verifier, Receipt};
let receipt: Receipt = serde_json::from_slice(bytes)?;
let verifier = Verifier::with_jwks_url("https://api.cloakapi.io/.well-known/jwks.json").await?;
verifier.verify(&receipt)?;
Issues / questions
Bug reports, patches, and security advisories all go to the working-group inbox.
Back to /source/ · related: spec · conformance · implementations