CCOSIGNET

For auditors and compliance officers

Verify a Cosignet approval yourself

For the integrity of an exported evidence pack, verification does not rely on trusting Cosignet's dashboard or database, and you do not need an account. Every approval comes with an evidence pack you can verify on your own machine, offline, using an open-source script. This page explains, in plain language, what is inside an evidence record and walks you through checking one end to end.

What a Cosignet evidence record contains

Each record is evidence that a specific enrolled approver credential approved a specific action. The real-world identity behind that credential depends on your enrollment and account-governance process. It contains:

Verify a sample, step by step

The verification is offline. The only step that reaches the network is the optional Bitcoin anchor check, and it is clearly separated below.

  1. Download the sample evidence pack. cosignet-evidence-0fac28e5.zip. It contains the decision record (bundle.json), the tree-head public key, the Bitcoin anchor proof, an open-source verifier (Node and Python), and a README.
  2. Unzip it into an empty folder. Every file is plain text or a small binary you can inspect. Nothing calls home.
  3. Run the verifier with Node (no dependencies to install):
    node run_node.mjs
  4. Read the result. A successful verification prints:
    { ok: true, sth_signature: 'verified' }
    ok: true means the passkey signature matches the exact payload and the record is included under the signed tree head. sth_signature: 'verified' means the tree head was signed by the published Ed25519 key. The script exits 0 only on success.
  5. Prefer Python? Run python3 run_python.py. The leaf and inclusion checks run on the standard library; the signature step uses the cryptography package, and the script tells you exactly what to install if it is missing, without failing silently.

The verifier is open source and vendor-independent: read the source. You are welcome to run your own copy instead of the bundled one, they are byte-identical.

The one online step: the Bitcoin anchor

The signature and log-inclusion checks are fully offline. To additionally confirm the Bitcoin anchor, the OpenTimestamps proof (tree_head.ots) is checked against the Bitcoin blockchain, which needs network access or a Bitcoin node. This step is optional and additive: it strengthens the timestamp, it is not required for the signature and inclusion proof to hold. The README in the pack describes it and keeps it clearly separated from the offline steps.

What this does and does not prove

For your program

Talk to us about an audit

If you are reviewing a customer that uses Cosignet, or evaluating it yourself, we are happy to walk through a verification live.

Informational, not legal advice. This page describes how to verify Cosignet evidence artifacts. It is not a legal opinion and does not certify your compliance. The evidence proves what is stated above and no more.