proofbundle 0.4.0__tar.gz → 0.4.1__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {proofbundle-0.4.0/src/proofbundle.egg-info → proofbundle-0.4.1}/PKG-INFO +4 -4
- {proofbundle-0.4.0 → proofbundle-0.4.1}/README.md +3 -3
- {proofbundle-0.4.0 → proofbundle-0.4.1}/pyproject.toml +1 -1
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle/__init__.py +1 -1
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle/emit.py +2 -29
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle/sdjwt.py +1 -1
- {proofbundle-0.4.0 → proofbundle-0.4.1/src/proofbundle.egg-info}/PKG-INFO +4 -4
- {proofbundle-0.4.0 → proofbundle-0.4.1}/LICENSE +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/setup.cfg +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle/adapters/__init__.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle/adapters/inspect_ai.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle/adapters/lm_eval.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle/bundle.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle/cli.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle/errors.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle/evalclaim.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle/merkle.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle/py.typed +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle/signature.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle.egg-info/SOURCES.txt +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle.egg-info/dependency_links.txt +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle.egg-info/entry_points.txt +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle.egg-info/requires.txt +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/src/proofbundle.egg-info/top_level.txt +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/tests/test_adapters.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/tests/test_bundle.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/tests/test_cli.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/tests/test_cli_eval.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/tests/test_emit.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/tests/test_eval_claim_schema.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/tests/test_evalclaim.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/tests/test_merkle.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/tests/test_merkle_property.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/tests/test_rekor_interop.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/tests/test_rfc6962_external_vectors.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/tests/test_schema.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/tests/test_sdjwt_reference.py +0 -0
- {proofbundle-0.4.0 → proofbundle-0.4.1}/tests/test_signature.py +0 -0
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: proofbundle
|
|
3
|
-
Version: 0.4.
|
|
3
|
+
Version: 0.4.1
|
|
4
4
|
Summary: Emit and verify portable cryptographic evidence bundles, offline: Ed25519 + RFC 6962 Merkle + optional SD-JWT.
|
|
5
5
|
Author: Konrad Gruszka
|
|
6
6
|
License: MIT
|
|
@@ -61,7 +61,7 @@ selectively disclosable credential. Pure Python, no server, no daemon, one JSON
|
|
|
61
61
|
|
|
62
62
|
**At a glance:** `proofbundle emit` signs and anchors a payload; `proofbundle
|
|
63
63
|
verify` checks one self-contained `bundle.json` with three offline cryptographic
|
|
64
|
-
checks → `OK` or `FAILED`. No network, no daemon, no own crypto.
|
|
64
|
+
checks → `OK` or `FAILED`. No network, no daemon, no own crypto. 50 tests.
|
|
65
65
|
|
|
66
66
|
## Contents
|
|
67
67
|
|
|
@@ -241,12 +241,12 @@ string uses base64url as per the spec.
|
|
|
241
241
|
|
|
242
242
|
## Security notes and scope, stated honestly
|
|
243
243
|
|
|
244
|
-
|
|
244
|
+
The scope is deliberately narrow. It does exactly what it says and no more:
|
|
245
245
|
|
|
246
246
|
- Ed25519 signatures only, for both the payload and the optional SD-JWT issuer
|
|
247
247
|
signature.
|
|
248
248
|
- SD-JWT: the SD-JWT core is now [RFC 9901](https://datatracker.ietf.org/doc/rfc9901/)
|
|
249
|
-
(
|
|
249
|
+
(November 2025); this verifies that every presented disclosure is committed in the
|
|
250
250
|
issuer-signed payload, and the issuer signature (EdDSA) if a key is supplied. It
|
|
251
251
|
does **not** verify a Key Binding JWT, an X.509 or trust-list chain, status
|
|
252
252
|
lists, or `vct` type metadata. **SD-JWT VC** (the credential-type profile) is
|
|
@@ -22,7 +22,7 @@ selectively disclosable credential. Pure Python, no server, no daemon, one JSON
|
|
|
22
22
|
|
|
23
23
|
**At a glance:** `proofbundle emit` signs and anchors a payload; `proofbundle
|
|
24
24
|
verify` checks one self-contained `bundle.json` with three offline cryptographic
|
|
25
|
-
checks → `OK` or `FAILED`. No network, no daemon, no own crypto.
|
|
25
|
+
checks → `OK` or `FAILED`. No network, no daemon, no own crypto. 50 tests.
|
|
26
26
|
|
|
27
27
|
## Contents
|
|
28
28
|
|
|
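Review bot: The `50 tests.` appended to line 25 hard-codes a test count in prose, and nothing in this change keeps it in step with the suite. Every file under `tests/` is listed as +0 -0 for this release, and the figure goes stale as soon as a test is added or removed. Drop the count, or replace it with a CI badge or a pointer to the test directory. The same sentence is carried into both PKG-INFO copies, so a stale value would also ship in the package metadata.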
@@ -202,12 +202,12 @@ string uses base64url as per the spec.
|
|
|
202
202
|
|
|
203
203
|
## Security notes and scope, stated honestly
|
|
204
204
|
|
|
205
|
-
|
|
205
|
+
The scope is deliberately narrow. It does exactly what it says and no more:
|
|
206
206
|
|
|
207
207
|
- Ed25519 signatures only, for both the payload and the optional SD-JWT issuer
|
|
208
208
|
signature.
|
|
209
209
|
- SD-JWT: the SD-JWT core is now [RFC 9901](https://datatracker.ietf.org/doc/rfc9901/)
|
|
210
|
-
(
|
|
210
|
+
(November 2025); this verifies that every presented disclosure is committed in the
|
|
211
211
|
issuer-signed payload, and the issuer signature (EdDSA) if a key is supplied. It
|
|
212
212
|
does **not** verify a Key Binding JWT, an X.509 or trust-list chain, status
|
|
213
213
|
lists, or `vct` type metadata. **SD-JWT VC** (the credential-type profile) is
|
|
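Review bot: On line 210 the new text `(November 2025); this verifies that every presented disclosure is committed in the` leaves `this` without a clear antecedent. The clause before it is about RFC 9901, so a reader can take the sentence to describe the RFC rather than the package. In a section that defines the security scope, name the subject, for example `proofbundle verifies that every presented disclosure is committed ...`. The new lead-in on line 205 has the same ambiguity with `It does exactly what it says`.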
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
|
|
|
4
4
|
|
|
5
5
|
[project]
|
|
6
6
|
name = "proofbundle"
|
|
7
|
-
version = "0.4.
|
|
7
|
+
version = "0.4.1"
|
|
8
8
|
description = "Emit and verify portable cryptographic evidence bundles, offline: Ed25519 + RFC 6962 Merkle + optional SD-JWT."
|
|
9
9
|
readme = "README.md"
|
|
10
10
|
requires-python = ">=3.9"
|
|
@@ -13,7 +13,7 @@ from .emit import emit_bundle, generate_signer
|
|
|
13
13
|
from .errors import Check, ProofBundleError, VerificationResult
|
|
14
14
|
from .merkle import verify_consistency, verify_inclusion
|
|
15
15
|
|
|
16
|
-
__version__ = "0.4.
|
|
16
|
+
__version__ = "0.4.1"
|
|
17
17
|
|
|
18
18
|
__all__ = [
|
|
19
19
|
"__version__",
|
|
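Review bot: `__version__ = "0.4.1"` on line 16 is a second hand-edited copy of the version that is also bumped in `pyproject.toml` (`version = "0.4.1"`), so a release where one of the two is missed ships mismatched metadata. Single-source it: either read the value at import time with `importlib.metadata.version("proofbundle")`, which is available on every interpreter allowed by `requires-python = ">=3.9"`, or declare the version dynamic in `pyproject.toml` and point setuptools at this attribute.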
@@ -5,9 +5,8 @@ Merkle tree, producing a bundle that ``verify_bundle`` accepts. This is the
|
|
|
5
5
|
counterpart to the verifier: create the evidence here, check it anywhere with
|
|
6
6
|
``proofbundle verify``, fully offline.
|
|
7
7
|
|
|
8
|
-
The
|
|
9
|
-
|
|
10
|
-
module.
|
|
8
|
+
The eval-receipt emitter that builds on this (``emit_eval_receipt``) lives in
|
|
9
|
+
:mod:`proofbundle.evalclaim` since v0.4.
|
|
11
10
|
"""
|
|
12
11
|
|
|
13
12
|
from __future__ import annotations
|
|
@@ -110,29 +109,3 @@ def emit_bundle(
|
|
|
110
109
|
if sd_jwt_vc is not None:
|
|
111
110
|
bundle["sd_jwt_vc"] = sd_jwt_vc
|
|
112
111
|
return bundle
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
# --------------------------------------------------------------------------
|
|
116
|
-
# Roadmap stub, v0.3
|
|
117
|
-
# --------------------------------------------------------------------------
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
class NotYetImplemented(NotImplementedError):
|
|
121
|
-
"""Raised by roadmap functions that are planned but not implemented yet."""
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
def emit_eval_receipt(*args, **kwargs): # pragma: no cover - roadmap stub
|
|
125
|
-
"""v0.3, the core differentiator.
|
|
126
|
-
|
|
127
|
-
Wrap one evaluation framework run (Inspect AI, lm-evaluation-harness) into a
|
|
128
|
-
signed receipt whose payload is a minimal, RFC 8785 canonicalized claim such
|
|
129
|
-
as ``{"suite": "...", "threshold": 0.8, "passed": true}``, optionally wrapped
|
|
130
|
-
as an SD-JWT VC so a holder can disclose "passed above threshold" without
|
|
131
|
-
revealing the model, weights or dataset, carrying a cluster-bootstrap
|
|
132
|
-
confidence interval, a multiple-testing correction and a preregistration
|
|
133
|
-
hash. Built on top of :func:`emit_bundle`.
|
|
134
|
-
"""
|
|
135
|
-
raise NotYetImplemented(
|
|
136
|
-
"emit_eval_receipt lands in v0.3. Use emit_bundle for a generic signed, "
|
|
137
|
-
"anchored bundle today."
|
|
138
|
-
)
|
|
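Review bot: Lines 120-138 delete the public names `NotYetImplemented` and `emit_eval_receipt` from `proofbundle.emit` in a patch release (0.4.0 to 0.4.1), so code written against 0.4.0 that does `from proofbundle.emit import emit_eval_receipt` or catches `NotYetImplemented` now fails with no deprecation step. The package-level import shown in `__init__.py` (`from .emit import emit_bundle, generate_signer`) is unaffected, but direct module imports are. The updated docstring says the real emitter lives in `proofbundle.evalclaim`, so consider keeping a forwarding `emit_eval_receipt` here for one release (importing from `proofbundle.evalclaim` inside the function body, since that module builds on this one), or at least record the removal in the release notes.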
@@ -1,6 +1,6 @@
|
|
|
1
1
|
"""Minimal SD-JWT selective disclosure verification.
|
|
2
2
|
|
|
3
|
-
The SD-JWT *core* is now a published standard, RFC 9901 (
|
|
3
|
+
The SD-JWT *core* is now a published standard, RFC 9901 (November 2025). This
|
|
4
4
|
module verifies the heart of it: that every presented Disclosure hashes to a
|
|
5
5
|
digest that is actually committed in the issuer-signed JWT payload, and, if an
|
|
6
6
|
issuer public key is supplied and the algorithm is EdDSA, that the issuer
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: proofbundle
|
|
3
|
-
Version: 0.4.
|
|
3
|
+
Version: 0.4.1
|
|
4
4
|
Summary: Emit and verify portable cryptographic evidence bundles, offline: Ed25519 + RFC 6962 Merkle + optional SD-JWT.
|
|
5
5
|
Author: Konrad Gruszka
|
|
6
6
|
License: MIT
|
|
@@ -61,7 +61,7 @@ selectively disclosable credential. Pure Python, no server, no daemon, one JSON
|
|
|
61
61
|
|
|
62
62
|
**At a glance:** `proofbundle emit` signs and anchors a payload; `proofbundle
|
|
63
63
|
verify` checks one self-contained `bundle.json` with three offline cryptographic
|
|
64
|
-
checks → `OK` or `FAILED`. No network, no daemon, no own crypto.
|
|
64
|
+
checks → `OK` or `FAILED`. No network, no daemon, no own crypto. 50 tests.
|
|
65
65
|
|
|
66
66
|
## Contents
|
|
67
67
|
|
|
@@ -241,12 +241,12 @@ string uses base64url as per the spec.
|
|
|
241
241
|
|
|
242
242
|
## Security notes and scope, stated honestly
|
|
243
243
|
|
|
244
|
-
|
|
244
|
+
The scope is deliberately narrow. It does exactly what it says and no more:
|
|
245
245
|
|
|
246
246
|
- Ed25519 signatures only, for both the payload and the optional SD-JWT issuer
|
|
247
247
|
signature.
|
|
248
248
|
- SD-JWT: the SD-JWT core is now [RFC 9901](https://datatracker.ietf.org/doc/rfc9901/)
|
|
249
|
-
(
|
|
249
|
+
(November 2025); this verifies that every presented disclosure is committed in the
|
|
250
250
|
issuer-signed payload, and the issuer signature (EdDSA) if a key is supplied. It
|
|
251
251
|
does **not** verify a Key Binding JWT, an X.509 or trust-list chain, status
|
|
252
252
|
lists, or `vct` type metadata. **SD-JWT VC** (the credential-type profile) is
|
|
File without changes