/source/ · Rust binary · Apache-2.0 · SLSA 3

verifier-cli

v1.0.0

The single-binary signedreceipt CLI. Verify, show, and canonicalise SignedReceipts envelopes from a shell. Reproducible Rust build distributed via crates.io, Homebrew, Scoop, and winget.

ratified March 2026commit 8af4c92d22 files · 124 KB

About this artefact

signedreceipt is the canonical command-line tool. Subcommands include verify (single envelope), verify-chain (sequence under a common chain_id), show (pretty-print plus signature inspection), canonicalise (emit JCS canonical bytes), and jwks fetch (retrieve and pin a producer's JWKS). It is a single statically-linked binary with no runtime dependencies.

Builds are reproducible from the published tarball. Distribution channels include crates.io (cargo install signedreceipt), Homebrew, Scoop, winget, and a set of pre-built binaries with cosign signatures. The binary itself can be pointed at any conforming producer — there is nothing CloakAPI-specific in the verifier path.

Manifest

Tar.gz tarball download is published at the spec ratification cadence. Below is the current public manifest (SHA-256 fingerprints, file count, ratification commit).
PathSizeSHA-256
Cargo.toml1.0 KBf8eaea2a73af35d2345534b5229a2f2e6316552dd066d417dc4e7f882ac5b4c1
src/main.rs2.4 KBeaafff179e2ce329f2b14ceca47dbb2b75b1f5133ba4f6594087e8410bdcd856
src/cmd_verify.rs5.8 KB34150db5cc3c8ab62868021f62cf76330eab48b5139f0a34344c5d39707d5c13
src/cmd_chain.rs6.7 KBce03930db264861f249a758ba81eea5cd01a170ee9688b364d4a7a5dc3b55892
src/cmd_jwks.rs3.1 KB31a346cf6058108addca0a87dec8590072eada2ef2a9aece6ca9d6d2e6996708
22 files · 124 KB · ratification commit 8af4c92d · signed by working-group key wg-2026-03

Quick start

shell
# crates.io
cargo install signedreceipt

# Homebrew
brew install signedreceipts/tap/signedreceipt

# Scoop / winget on Windows
scoop install signedreceipt
winget install SignedReceipts.Verifier
shell
# Verify a single envelope
signedreceipt verify --jwks https://api.cloakapi.io/.well-known/jwks.json receipt.json

# Verify a chain from a JSONL file
signedreceipt verify-chain --jwks ./jwks.json chain.jsonl

# Pretty-print
signedreceipt show receipt.json

Issues / questions

Bug reports, patches, and security advisories all go to the working-group inbox.

open-source@cloakapi.io

Back to /source/ · related: spec · conformance · implementations