Metadata-Version: 2.4
Name: holisticquality-verify-manifest
Version: 0.1.0
Summary: Independent, zero-dependency verifier for Holistic Quality / NOMOS signed manifests.
Author: Holistic Quality LLC
License: Apache-2.0
Project-URL: How-to, https://holisticquality.io/regulator-verify-manifest
Project-URL: Bill of Rights, https://holisticquality.io/regulator-bill-of-rights
Project-URL: Homepage, https://holisticquality.io/
Keywords: nomos,manifest,verification,gpg,provenance,regulator-tier,holisticquality
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Legal Industry
Classifier: Intended Audience :: Science/Research
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security :: Cryptography
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Provides-Extra: test
Requires-Dist: pytest>=7.0; extra == "test"
Dynamic: license-file

# holisticquality-verify-manifest

Independent, **zero-dependency** verifier for Holistic Quality / NOMOS signed
manifests — corpus manifests and published research artifacts (e.g. the
[PM & Alzheimer's evidence synthesis](https://holisticquality.io/research/particulate-matter-and-alzheimers)).

It lets anyone confirm, on their own machine and **without trusting Holistic
Quality's infrastructure**, that a published artifact is exactly what was
signed, by the named parties, unmodified. This operationalizes
[Regulator Bill of Rights, Article IX (Falsifiability)](https://holisticquality.io/regulator-bill-of-rights).

## Install

```bash
pip install holisticquality-verify-manifest
```

Requires Python ≥ 3.9 and the system **`gpg`** binary (GnuPG). No Python
dependencies; no network access.

## Use

```bash
verify-manifest \
  --manifest path/to/manifest.json \
  --bundle   path/to/signatures/v0.sig.json
```

First import the signers' public keys into your GPG keyring (the manifest
publisher provides them), then run the command above.

### Exit codes

| Code | Meaning |
|------|---------|
| `0`  | PASS — canonical hash matches, every signature verified, two-person rule satisfied |
| `1`  | FAIL — general (hash mismatch, multiple causes, or two-person rule violation) |
| `2`  | FAIL — manifest or signature-bundle file not found |
| `3`  | FAIL — signature verification failed and was the sole cause |

Useful flags: `--verbose` (per-signature detail), `--json` (machine-readable
result), `--gpg-homedir` (use an isolated keyring).

## What it checks

1. **Canonical-hash recompute** — re-derives the SHA-256 of the manifest's
   canonical-JSON form (signatures excluded) and compares it to the hash inside
   the signature bundle. Detects any post-signing tampering.
2. **GPG signature verification** — each detached, ASCII-armored signature in
   the bundle is verified against the canonical-hash bytes.
3. **Two-person rule** — requires that at least two *distinct* verified GPG
   fingerprints signed the manifest, so two signatures from the same key do not
   count (disable with `--no-two-person` for diagnostics only).
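The three checks above, written out as an added example in plain Python (this is not the package's own code). It assumes a canonical form of "drop the `signatures` field, sort keys, no whitespace, UTF-8", a bundle shaped like `{"canonical_sha256": <hex>, "signatures": [<armored detached sig>, ...]}`, and that each signature covers the ASCII hex of the hash; the real tool's formats may differ. It shells out to the system `gpg` but lets the signature step be swapped for a stub so the hash and two-person logic can be exercised offline.

```python
import hashlib, json, subprocess, tempfile
from pathlib import Path

def canonical_hash(manifest: dict, exclude=("signatures",)) -> str:
    # Assumed canonical form (not spelled out on the page): signature field dropped,
    # sorted keys, no whitespace, UTF-8 bytes.
    body = {k: v for k, v in manifest.items() if k not in exclude}
    data = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def fingerprints_from_status(status: str) -> set:
    # Only VALIDSIG lines count (GOODSIG/BADSIG/etc. are ignored). Field 12, when
    # present, is the primary-key fingerprint; counting it instead of the signing
    # subkey (field 3) stops two subkeys of one person from passing the two-person rule.
    fps = set()
    for line in status.splitlines():
        p = line.split()
        if len(p) >= 3 and p[0] == "[GNUPG:]" and p[1] == "VALIDSIG":
            fps.add((p[11] if len(p) >= 12 else p[2]).upper())
    return fps

def gpg_verify(armored_sig: str, signed: bytes, homedir=None) -> set:
    # Real check via the system gpg binary; returns verified fingerprints, empty on failure.
    with tempfile.TemporaryDirectory() as tmp:
        sig_path, data_path = Path(tmp, "sig.asc"), Path(tmp, "data")
        sig_path.write_text(armored_sig)
        data_path.write_bytes(signed)
        cmd = ["gpg", "--batch", "--status-fd", "1"] + (["--homedir", homedir] if homedir else [])
        proc = subprocess.run(cmd + ["--verify", str(sig_path), str(data_path)],
                              capture_output=True, text=True)
        return fingerprints_from_status(proc.stdout) if proc.returncode == 0 else set()

def verify(manifest: dict, bundle: dict, verify_sig=gpg_verify, min_signers=2):
    # Returns (exit_code, causes) following the README's exit-code table. Bundle layout
    # is assumed: {"canonical_sha256": <hex>, "signatures": [<armored detached sig>, ...]}.
    causes, digest = [], canonical_hash(manifest)
    if digest != bundle["canonical_sha256"].lower():
        causes.append("hash-mismatch")
    fps, failed = set(), 0
    for armored in bundle["signatures"]:
        got = verify_sig(armored, digest.encode("ascii"))  # signatures cover the hash bytes
        fps |= got
        failed += 0 if got else 1
    if failed:
        causes.append("signature-failed")
    if len(fps) < min_signers:  # distinct primary fingerprints, not number of signatures
        causes.append("two-person-rule")
    if not causes:
        return 0, causes
    return (3 if causes == ["signature-failed"] else 1), causes
```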

## Trust & provenance

This package is **vendor-minimal**: it contains only the verification path, so
the whole thing is auditable in minutes. Its modules are faithful, behavior-
preserving copies of the in-repository verifier; a golden-fixture test
(`tests/test_golden.py`) enforces that a manifest signed by the canonical NOMOS
signer verifies here — behavioral identity, checked, not asserted.

How-to with a worked example: <https://holisticquality.io/regulator-verify-manifest>

## License

Apache-2.0 © Holistic Quality LLC
