Verify & Trust Basics¶
Everything you need to know about verification, on one screen.
Verify a commit¶
Verify a file¶
auths sign release.tar.gz # creates release.tar.gz.auths.json
auths verify release.tar.gz # finds the .auths.json sidecar automatically
Who do you trust?¶
A signature being mathematically valid is only half the answer — the verifier also decides whether the identity behind it is trusted. Three sources, in plain terms:
- Yourself. Your own identity is always trusted on your own machine. Everything you sign verifies with zero setup.
- The repo's trust file.
.auths/rootsis a committed file listing trusted root identities, one per line. Your first signed commit adds your own root automatically; teammates inherit the file by cloning. Review changes to it like code — a new line is a trust grant. - Anyone you pin.
auths trust pin --did did:keri:E...trusts an identity for all your local verifications (the key resolves from their event log or a shared bundle — you never handle raw key bytes).
A valid signature from an identity in none of these fails verification with "root is not a pinned trusted root" — valid math, unknown signer.
Exit codes (for scripts and CI)¶
| Code | Meaning |
|---|---|
0 |
Verified |
1 |
Verification failed (bad signature, missing trailers, untrusted signer) |
2 |
Could not attempt (I/O error, malformed input, missing repository) |
When verification fails¶
- "Commit carries no Auths-Id/Auths-Device trailer" — the commit predates your
auths setup, or this repo's own hook configuration bypasses the auths commit hook.
Run
auths doctorto check; backfill old commits withauths sign <ref>(rewrites the commit — don't do it to pushed history). - "Root … is not a pinned trusted root" — you don't trust the signer yet. Pin
them (
auths trust pin --did <did>) or add their DID to the repo's.auths/roots. - "Signed by a superseded device key" — the commit predates a key rotation. The
verifier recognized the old key as legitimately rotated away (not a forgery); if
policy requires green, re-sign history with
auths sign <ref>(rewrites SHAs). - Anything else:
auths doctordiagnoses the common environment problems and prints a fix for each.
Going deeper¶
- Verifying Commits — ranges, history audits, CI gates, identity bundles
- Trust Model — the cryptography behind the trust decisions
- Team Workflows — trust across a team