#!/usr/bin/env bash
# verify-attestation.sh — verify a PropRaven Data Quality Attestation.
# The artifacts are downloaded with curl; the hash and signature checks then
# run offline using only jq, openssl, and shasum (all macOS/Linux defaults).
#
# Usage:
#   curl -sL https://propraven.com/audit/verify-attestation.sh | bash
#
# Or download and inspect first (the piped form above runs whatever the server returns, unreviewed):
#   curl -O https://propraven.com/audit/verify-attestation.sh
#   bash verify-attestation.sh
#
# Exits 0 on PASS, 1 on any FAIL.

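# Strict mode: stop on a failing command, on use of an unset variable, and on
# a failure in any stage of a pipeline.
set -euo pipefail

# Origin that serves the PDF, its JSON metadata and the public key.
# PROPRAVEN_BASE, when set and non-empty, replaces the default.
BASE="${PROPRAVEN_BASE:-https://propraven.com}"

# Every artifact, including the public key used for the signature check, is
# downloaded from $BASE, so the transport is the only protection against a
# substituted key. Warn on stderr (without failing, so a plain-http override
# keeps working) when the base URL is not HTTPS.
case "$BASE" in
  https://*) ;;
  *) echo "WARNING: base URL is not https:// - artifacts and public key can be replaced in transit." >&2 ;;
esac

# Private scratch directory, removed on every exit path.
TMP=$(mktemp -d)
trap 'rm -rf -- "$TMP"' EXIT

echo "PropRaven Attestation Verifier"
echo "Base: $BASE"
echo "Tmp:  $TMP"
echo ""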

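echo "1/4  Fetching artifacts..."

# Download one artifact from $BASE/audit/ into $TMP.
#   $1 - file name to write under $TMP
#   $2 - file name under $BASE/audit/
# -f makes curl fail on an HTTP error status instead of saving the error page
# as if it were the artifact; -S keeps curl's error text visible despite -s.
# A failed download is reported as FAIL with exit status 1, matching the
# "1 on any FAIL" contract in the file header.
fetch_artifact() {
  if ! curl -fsSLo "$TMP/$1" "$BASE/audit/$2"; then
    echo ""
    echo "❌ FAIL — could not download $BASE/audit/$2"
    exit 1
  fi
}

fetch_artifact sample.pdf  sample.pdf
fetch_artifact sample.json sample.json
# NOTE(review): the public key is fetched from the same origin as the files it
# is used to verify, so this script cannot detect a key replaced together with
# the artifacts. A key or fingerprint obtained through another channel would
# be needed for that.
fetch_artifact pubkey.b64  attestation-public-key.b64

# wc pads its output with spaces on some platforms; strip them so the value
# can be compared as a plain number later.
PDF_BYTES=$(wc -c < "$TMP/sample.pdf" | tr -d ' ')
echo "      sample.pdf:  $PDF_BYTES bytes"
echo "      sample.json: $(wc -c < "$TMP/sample.json" | tr -d ' ') bytes"
echo "      pubkey.b64:  $(wc -c < "$TMP/pubkey.b64"  | tr -d ' ') bytes"
echo ""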

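echo "2/4  Computing SHA-256 of PDF..."
ACTUAL=$(shasum -a 256 "$TMP/sample.pdf" | awk '{print $1}')

# Both expected values are read from sample.json, which has not been
# authenticated at this point: this step only shows that the PDF and the JSON
# agree with each other.
if ! EXPECTED=$(jq -r '.content_hash_sha256' "$TMP/sample.json") ||
   ! EXPECTED_BYTES=$(jq -r '.content_bytes' "$TMP/sample.json"); then
  echo ""
  echo "❌ FAIL — sample.json could not be parsed."
  exit 1
fi

echo "      actual:   $ACTUAL"

# Validate the JSON values before echoing them: they are untrusted text and
# would otherwise reach the terminal verbatim. A value that is not a lowercase
# 64-digit hex string could never equal shasum's output, so rejecting it here
# does not change which inputs pass.
if [[ ! "$EXPECTED" =~ ^[0-9a-f]{64}$ ]]; then
  echo ""
  echo "❌ FAIL — content_hash_sha256 in sample.json is not a 64-digit lowercase hex SHA-256."
  exit 1
fi
if [[ ! "$EXPECTED_BYTES" =~ ^[0-9]+$ ]]; then
  echo ""
  echo "❌ FAIL — content_bytes in sample.json is not a non-negative integer."
  exit 1
fi

echo "      expected: $EXPECTED"
if [ "$ACTUAL" != "$EXPECTED" ]; then
  echo ""
  echo "❌ FAIL — content_hash_sha256 mismatch. PDF has been altered."
  exit 1
fi
if [ "$PDF_BYTES" != "$EXPECTED_BYTES" ]; then
  echo ""
  echo "❌ FAIL — content_bytes mismatch (got $PDF_BYTES, expected $EXPECTED_BYTES)."
  exit 1
fi
echo "      ✓ hash + byte count match"
echo ""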

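echo "3/4  Verifying Ed25519 signature..."

# Report a failure in the signature step and stop with exit status 1.
#   $1 - reason, printed after the FAIL marker
sig_fail() {
  echo ""
  echo "❌ FAIL — $1"
  exit 1
}

# NOTE(review): the signature below covers only .signature_message_canonical.
# Nothing in this script compares that signed message with the SHA-256 checked
# in step 2, which is read from the separate, unsigned .content_hash_sha256
# field. If the canonical message carries the content hash, it should be
# extracted here and compared with the computed digest; its format is not
# visible in this file — TODO confirm and add the comparison.

# Pubkey is raw 32 bytes Ed25519, base64-encoded. Decode it to a file first so
# its length can be checked before it is wrapped in DER; a wrong length would
# otherwise surface only as a silent openssl failure.
base64 -d < "$TMP/pubkey.b64" > "$TMP/pubkey.raw" 2>/dev/null \
  || sig_fail "public key is not valid base64."
KEY_BYTES=$(wc -c < "$TMP/pubkey.raw" | tr -d ' ')
[ "$KEY_BYTES" = "32" ] \
  || sig_fail "public key is $KEY_BYTES bytes, expected 32 (raw Ed25519)."

# The key was downloaded from $BASE like everything else. Print its
# fingerprint so it can be compared with one obtained through another channel.
echo "      public key SHA-256: $(shasum -a 256 "$TMP/pubkey.raw" | awk '{print $1}')"

# openssl needs DER.
# DER prefix for Ed25519 SubjectPublicKeyInfo is 12 bytes: 30 2A 30 05 06 03 2B 65 70 03 21 00
{
  printf '\x30\x2a\x30\x05\x06\x03\x2b\x65\x70\x03\x21\x00'
  cat "$TMP/pubkey.raw"
} > "$TMP/pubkey.der"
openssl pkey -pubin -inform DER -in "$TMP/pubkey.der" -out "$TMP/pubkey.pem" 2>/dev/null \
  || sig_fail "openssl could not load the Ed25519 public key ($(openssl version 2>/dev/null || echo 'version unknown'))."

# Reconstruct the canonical message that was signed.
# jq -e turns a missing (null) field into a failure instead of the text "null",
# which base64 would otherwise decode without complaint.
jq -er '.signature_message_canonical' "$TMP/sample.json" | base64 -d > "$TMP/message.bin" 2>/dev/null \
  || sig_fail "signature_message_canonical is missing or not valid base64."
jq -er '.signature_ed25519' "$TMP/sample.json" | base64 -d > "$TMP/sig.bin" 2>/dev/null \
  || sig_fail "signature_ed25519 is missing or not valid base64."

# An Ed25519 signature is always 64 bytes.
SIG_BYTES=$(wc -c < "$TMP/sig.bin" | tr -d ' ')
[ "$SIG_BYTES" = "64" ] \
  || sig_fail "signature is $SIG_BYTES bytes, expected 64."

if openssl pkeyutl -verify -pubin -inkey "$TMP/pubkey.pem" \
     -rawin -in "$TMP/message.bin" -sigfile "$TMP/sig.bin" \
     >/dev/null 2>&1; then
  echo "      ✓ signature verifies against published public key"
else
  echo ""
  echo "❌ FAIL — Ed25519 signature did NOT verify."
  # openssl's own output is discarded above, so a build that lacks Ed25519
  # 'pkeyutl -rawin' support is indistinguishable from a bad signature here.
  echo "      (openssl in use: $(openssl version 2>/dev/null || echo unknown); an openssl without Ed25519 'pkeyutl -rawin' support also ends here)"
  exit 1
fi
echo ""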

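echo "4/4  Summary..."

# Print one field of sample.json with control characters removed.
#   $1 - jq filter selecting the field
# The value is shown on the terminal, so escape sequences embedded in the JSON
# must not reach it. LC_ALL=C keeps tr byte-oriented, leaving non-ASCII text
# untouched.
summary_field() {
  jq -r "$1" "$TMP/sample.json" | LC_ALL=C tr -d '[:cntrl:]'
}

# NOTE(review): these four fields are read straight from sample.json. This
# script does not show that they are part of the signed canonical message, so
# they are informational — confirm whether the signature covers them.
QUARTER=$(summary_field '.quarter')
COUNTY=$(summary_field '.county_name')
RUN_ID=$(summary_field '.audit_run_id')
GENERATED=$(summary_field '.generated_at')
echo "      Document:    PropRaven $COUNTY Quality Attestation, $QUARTER"
echo "      Audit run:   $RUN_ID"
echo "      Generated:   $GENERATED"
echo ""
echo "✅ PASS — this attestation is authentic and unaltered."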
