Skip to content

Trust & Evidence · Verification keys

The keys that sign our register

Our post-quantum coverage register is signed with ML-DSA-65 (NIST FIPS 204). These are the public verification keys. Pin the fingerprint below across at least two of the independent surfaces before trusting a signature.

Offline root

Register signing root

production
Algorithm
ML-DSA-65
Key id
heossi-register-root-001
Role
offline-root (held outside CI and the production credential plane)
Register version
v0.9.9

Public-key fingerprint (SHA-384)

sha384:28c12b58eb4b092b1252b13d04138a5af233a4516c8590296325e9ae3a79b33b9e7a95e642f5eb8f50c294f907a87f50

Pin the fingerprint here

A verifier confirms the key fingerprint against at least two independent surfaces before trusting a signature. Key rotation publishes a rotation attestation signed by the outgoing root.

QNSI audit ledger

The fingerprint is anchored in the tamper-evident QNSI audit ledger at the key ceremony.

Public source mirror

github.com/heossihq — the register, envelope, and this key are committed and mirrored.

The rendered register

The signature envelope (which carries this fingerprint) ships alongside the register itself.

Verify a register signature

  1. Download the public key above and confirm its fingerprint on two surfaces.
  2. Canonicalise the register JSON (UTF-8, sorted keys, compact separators) and hash it with SHA-384 — it must equal the envelope’s register hash.
  3. Verify the ML-DSA-65 signature over that hash against this public key with any FIPS 204 tool.

The full register, coverage matrix, and envelope are at /trust.