For auditors and compliance officers
Verify a Cosignet approval yourself
For the integrity of an exported evidence pack, verification does not rely on trusting Cosignet's dashboard or database, and you do not need an account. Every approval comes with an evidence pack you can verify on your own machine, offline, using an open-source script. This page explains, in plain language, what is inside an evidence record and walks you through checking one end to end.
What a Cosignet evidence record contains
Each record is evidence that a specific enrolled approver credential approved a specific action. The real-world identity behind that credential depends on your enrollment and account-governance process. It contains:
| Element | Plain-language meaning |
|---|---|
| Approver credential | The public key of the passkey that approved. It identifies the credential that signed, and it cannot be used to impersonate anyone. |
| Payload hash | A SHA-256 fingerprint of the exact action (the amount, payee, command, whatever it was). If the action text changes by one character, this fingerprint changes. |
| WebAuthn signature | The cryptographic signature the approver's device produced over that fingerprint. This is what binds the person to the exact action. |
| Timestamp | When the approval was recorded. |
| Log inclusion proof | Evidence that this approval is included in Cosignet's append-only log under a published, signed tree head. It shows the record was not inserted or edited after the fact. |
| Bitcoin anchor (OpenTimestamps) | A trust-minimized timestamp proving the log state existed at a point in time, anchored in the Bitcoin blockchain. This is the one step that benefits from a network connection to check fully. |
Verify a sample, step by step
The verification is offline. The only step that reaches the network is the optional Bitcoin anchor check, and it is clearly separated below.
- Download the sample evidence pack.
cosignet-evidence-0fac28e5.zip.
It contains the decision record (
bundle.json), the tree-head public key, the Bitcoin anchor proof, an open-source verifier (Node and Python), and a README. - Unzip it into an empty folder. Every file is plain text or a small binary you can inspect. Nothing calls home.
- Run the verifier with Node (no dependencies to install):
node run_node.mjs - Read the result. A successful verification prints:
{ ok: true, sth_signature: 'verified' }ok: truemeans the passkey signature matches the exact payload and the record is included under the signed tree head.sth_signature: 'verified'means the tree head was signed by the published Ed25519 key. The script exits 0 only on success. - Prefer Python? Run
python3 run_python.py. The leaf and inclusion checks run on the standard library; the signature step uses thecryptographypackage, and the script tells you exactly what to install if it is missing, without failing silently.
The verifier is open source and vendor-independent: read the source. You are welcome to run your own copy instead of the bundled one, they are byte-identical.
The one online step: the Bitcoin anchor
The signature and log-inclusion checks are fully offline. To additionally confirm the
Bitcoin anchor, the OpenTimestamps proof (tree_head.ots) is checked against the
Bitcoin blockchain, which needs network access or a Bitcoin node. This step is optional and
additive: it strengthens the timestamp, it is not required for the signature and inclusion
proof to hold. The README in the pack describes it and keeps it clearly separated from the
offline steps.
What this does and does not prove
- It proves that the holder of a specific passkey approved a specific, exact action at a recorded time, and that the record has not been altered since.
- It does not prove the real-world identity behind the credential on its own. Identity binding (which named person or role holds the credential) is established by your own enrollment process. Cosignet records which credential signed; your onboarding records who holds it.
- It does not require trusting Cosignet. If Cosignet disappeared tomorrow, the packs you already exported would still verify.
For your program
- DORA: ICT traceability and incident evidence.
- PSD2 dynamic linking: the SCA pattern, generalized.
- SOC 2 and ISO/IEC 42001 control mappings.
- Evidence pack format specification.
Talk to us about an audit
If you are reviewing a customer that uses Cosignet, or evaluating it yourself, we are happy to walk through a verification live.
Informational, not legal advice. This page describes how to verify Cosignet evidence artifacts. It is not a legal opinion and does not certify your compliance. The evidence proves what is stated above and no more.