/source/ · Rust 1.75+ · Apache-2.0 · FIPS feature

reference-rust

v1.0.0

The canonical Rust crate for producing and verifying SignedReceipts envelopes. JCS canonicalisation, ECDSA P-256, chain validation, and a FIPS-validated path via aws-lc-rs.

ratified March 2026commit 8af4c92d47 files · 312 KB

About this artefact

signedreceipts is the reference Rust crate for the OpenReceipt v1.0 envelope format. It ships a producer API for emitting signed receipts, a verifier core that is no_std-compatible, JCS canonicalisation per RFC 8785, ECDSA P-256 signing, chain discipline enforcement, and a streaming validator for long chains. The crate has a minimum supported Rust version (MSRV) of 1.75 and is published to crates.io with SLSA 3 build provenance.

An optional fips feature swaps the default ring backend for aws-lc-rs, which on supported targets uses the FIPS 140-3 validated AWS-LC module (CMVP certificate #4759). Build determinism is enforced in CI: every released tarball produces the exact same SHA-256 manifest from a clean checkout. The crate is dual-distributed — as a tarball here on signedreceipts.org and as a versioned release on crates.io — with the same signing key over both surfaces.

Manifest

Tar.gz tarball download is published at the spec ratification cadence. Below is the current public manifest (SHA-256 fingerprints, file count, ratification commit).
PathSizeSHA-256
Cargo.toml1.4 KB9564b445610c67e5641836ff6a24223acbe369079cc787bf7b707c405b34382e
src/lib.rs8.2 KBb517246a2f2c10942c64fde48c0a581bcb85776f40aaf6453913d806d5048c72
src/canonical.rs5.7 KBa8044b6265c751d645208e1e67709af6a88509b6b7761780183c5ec710759192
src/sign.rs6.1 KB39d6a69e2b97bd0e9b8d1ecfdacbfb15e697580987307e4661e368d795e8b577
src/verify.rs9.4 KBb2e5e4e18868f51c576a82cbd10adfa8e048c321073a4043998ea61bbdf53b75
47 files · 312 KB · ratification commit 8af4c92d · signed by working-group key wg-2026-03

Quick start

Cargo.toml
[dependencies]
signedreceipts = "1.0"

# FIPS-validated path:
# signedreceipts = { version = "1.0", features = ["fips"] }
src/main.rs
use signedreceipts::{Verifier, Receipt};

let receipt: Receipt = serde_json::from_slice(bytes)?;
let verifier = Verifier::with_jwks_url("https://api.cloakapi.io/.well-known/jwks.json").await?;
verifier.verify(&receipt)?;

Issues / questions

Bug reports, patches, and security advisories all go to the working-group inbox.

open-source@cloakapi.io

Back to /source/ · related: spec · conformance · implementations