ClearKey

Cryptographic proof that compliance evidence hasn't been tampered with.

---

The Problem

Compliance audits rely on trust. You trust that the screenshot wasn't edited. You trust that the config export is current. You trust that evidence was collected when claimed.

But trust doesn't scale. And trust doesn't verify.

ClearKey eliminates trust from the equation.

Every piece of evidence gets a cryptographic fingerprint. That fingerprint gets anchored to a tamper-evident registry. Anyone can verify—offline, independently, without trusting VLI or anyone else.

The math either checks out, or it doesn't.

---

What ClearKey Does

ClearKey is an offline verification tool for the VLI Trust Protocol. It:

• Verifies signatures - Confirms evidence was signed by the claimed identity
• Validates structure - Ensures claims follow the canonical format
• Checks anchoring - Proves evidence existed at a specific point in time
• Traces dependencies - Shows what external systems were trusted during capture

No API calls. No accounts. No trust required.

┌─────────────────────────────────────────────────────────────┐
│                    VERIFICATION PATH                         │
│                                                              │
│  Evidence Bundle ──→ ClearKey ──→ ✓ VERIFIED                │
│        │                  │            or                    │
│        │                  │       ✗ FAILED (reason)         │
│        ▼                  ▼                                  │
│   [claim.json]      [Offline checks]                        │
│   [proof.json]      - Signature valid?                      │
│   [sth.json]        - Hash matches?                         │
│                     - Proof verifies?                       │
│                     - Timestamp consistent?                 │
└─────────────────────────────────────────────────────────────┘

---

Quick Start

Install

# Clone and build
git clone https://github.com/VerifyLinkInfra-cloud/clearkey.git
cd clearkey
go build -o clearkey ./cmd/clearkey

# Or install directly
go install github.com/VerifyLinkInfra-cloud/clearkey/cmd/clearkey@latest

Verify a Claim

# Basic verification (signature + structure)
clearkey verify claim.json

# Full verification with registry anchoring
clearkey verify claim.json --proof proof.json --sth sth.json

Validate Structure

# Check structure and compute digests (no signature check)
clearkey validate claim.json

---

How Verification Works

ClearKey performs 7 verification steps, each of which must pass:

Step	Check	What It Proves
1	Structure	Claim has all required fields
2	Canonicalization	Claim is in RFC 8785 canonical JSON
3	Evidence Hash	Evidence content matches claimed hash
4	Signature	Ed25519 signature is valid
5	Trust Dependencies	External trust points are disclosed
6	Inclusion Proof	Claim exists in the registry Merkle tree
7	Temporal Consistency	Timestamps are internally consistent

Any failure stops verification and reports the specific issue.

---

For Auditors

ClearKey gives you mathematical certainty instead of screenshots and promises.

# Audit an evidence bundle
clearkey verify evidence-bundle/ --recursive

# Generate verification report
clearkey verify evidence-bundle/ --format json > audit-report.json

What you can prove:

• Evidence was created by a specific identity (signature)
• Evidence existed at a specific time (registry anchoring)
• Evidence hasn't been modified since capture (hash integrity)
• All external dependencies are disclosed (trust transparency)

What you still need to assess:

• Whether the evidence is relevant to your control
• Whether the evidence satisfies your requirements
• Whether the trust dependencies are acceptable

ClearKey proves authenticity. You assess adequacy.

---

For Engineers

ClearKey is designed to be integrated, not installed.

import "github.com/VerifyLinkInfra-cloud/clearkey/bundle"

// Verify a bundle programmatically
result, err := bundle.Verify(claimBytes, proofBytes, sthBytes)
if err != nil {
    // Verification failed
    log.Fatal(result.Reason)
}
// result.Valid == true

Package Structure

clearkey/
├── bundle/           # Core bundle verification
├── registryinterop/  # Registry proof verification
├── frameworks/       # Compliance framework mappings (SOC2, etc.)
├── aws_snapshot/     # AWS evidence collection
├── cmd/clearkey/     # CLI tool
└── internal/         # Internal utilities

---

What ClearKey Is NOT

Not a storage system. ClearKey verifies evidence. It doesn't store it.

Not a SaaS product. ClearKey is a local tool. It makes no network calls during verification.

Not a certificate authority. ClearKey verifies signatures. It doesn't issue keys or manage identity.

Not magic. ClearKey proves evidence integrity. It doesn't prove the evidence is true—only that it hasn't been tampered with since capture.

---

Security Design

ClearKey follows strict security principles:

1. Offline verification - No network calls during verification
2. Zero trust in input - All inputs treated as potentially malicious
3. Fail closed - Any ambiguity results in verification failure
4. Deterministic - Same inputs always produce same outputs
5. Minimal dependencies - Smaller attack surface

See SECURITY.md for vulnerability reporting.

---

Commands Reference

clearkey version

Display version and build information.

clearkey validate <file>

Validate claim structure and compute digests.

clearkey verify <file> [--proof <proof>] [--sth <sth>]

Full offline verification with optional registry anchoring.

Exit Codes

• 0 - Verification passed
• 1 - Verification failed or error

---

License

Apache License 2.0 - See LICENSE

---

Contributing

See CONTRIBUTING.md for guidelines.

---

Why "ClearKey"?

Because trust should be transparent. Every verification step is visible. Every dependency is disclosed. Every proof is independently verifiable.

Clear verification. Key to trust.

---

ClearKey is part of the VLI Trust Protocol—open infrastructure for verifiable compliance.