Trust & Evidence · Verification keys
The keys that sign our register
Our post-quantum coverage register is signed with ML-DSA-65 (NIST FIPS 204). These are the public verification keys. Pin the fingerprint below across at least two of the independent surfaces before trusting a signature.
Offline root
Register signing root
- Algorithm
- ML-DSA-65
- Key id
- heossi-register-root-001
- Role
- offline-root (held outside CI and the production credential plane)
- Register version
- v0.9.9
Public-key fingerprint (SHA-384)
sha384:28c12b58eb4b092b1252b13d04138a5af233a4516c8590296325e9ae3a79b33b9e7a95e642f5eb8f50c294f907a87f50
Pin the fingerprint here
A verifier confirms the key fingerprint against at least two independent surfaces before trusting a signature. Key rotation publishes a rotation attestation signed by the outgoing root.
QNSI audit ledger
The fingerprint is anchored in the tamper-evident QNSI audit ledger at the key ceremony.
Public source mirror
github.com/heossihq — the register, envelope, and this key are committed and mirrored.
The rendered register
The signature envelope (which carries this fingerprint) ships alongside the register itself.
Verify a register signature
- Download the public key above and confirm its fingerprint on two surfaces.
- Canonicalise the register JSON (UTF-8, sorted keys, compact separators) and hash it with SHA-384 — it must equal the envelope’s register hash.
- Verify the ML-DSA-65 signature over that hash against this public key with any FIPS 204 tool.
The full register, coverage matrix, and envelope are at /trust.