Skip to content

Releases: b7n0de/proofbundle

2.0.0b1 — TEE-attestation bridge (experimental preview)

Choose a tag to compare

@github-actions github-actions released this 03 Jul 06:45

Warning

Research preview — not the recommended install. The stable v1.x line is the product;
pip install proofbundle will never pull this pre-release (PEP 440). This beta exists to
be reviewed, not to be trusted. Install only via:
pip install --pre "proofbundle[experimental]"

What this preview explores

Offline verification of TEE attestation results (proofbundle.experimental.enclave):
following the IETF RATS Passport model (RFC 9334),
a Verifier appraises raw TEE evidence out of band and signs an EAT
(RFC 9711); proofbundle verifies that token
offline and checks it is cryptographically bound to a specific receipt
(eat_nonce == enclave_binding_for(receipt)). CLI: proofbundle verify-enclave.

Note

Honest scope: proofbundle does not parse or appraise raw hardware evidence — that is
the Verifier's role. It verifies the Verifier's signed result and the receipt binding.
It does not prove the enclave is genuine, and never will claim to.

Deliberately hard to misuse

  • Lives under proofbundle.experimentalnot re-exported from the top-level package
  • Emits an ExperimentalWarning on import; the stable v1 core imports none of it
  • Doubly gated: pre-release channel and [experimental] extra
  • Promotion to 2.0.0 only after the preview stabilises and, ideally, an external audit
Verification discipline

320 tests (303 v1.9.1 base + 16 enclave + 1 EAT fuzz case) — including an adversarial red
matrix: wrong verifier key, cross-receipt binding, alg=none, typ confusion, profile
mismatch, claim tamper, garbage input. Mutation gate: 31 operators, all killed.
No wire-format or behavior change to any v1 path.

Docs: EXPERIMENTAL_ENCLAVE.md ·
example

Full Changelog: v1.9.1...v2.0.0b1

v1.9.1 — status-list trust-anchor separation

Choose a tag to compare

@github-actions github-actions released this 02 Jul 21:56

Important

AI eval results need receipts. A receipt proves who signed these exact bytes and
that nothing changed since — never that the number is true. That boundary is the product.

The 60-second proof

$ pip install "proofbundle[eval]"
$ proofbundle demo
[PASS] ed25519-signature: payload signed by stated key
[PASS] merkle-inclusion: anchored under the stated root
=> OK
# then six independent tampers — every single one must fail:
=> FAILED (exit 1)  ✓ caught

The demo exits non-zero if any tamper slips through — it doubles as a self-test.
(→ ersetze diesen Block durch deinen echten proofbundle demo-Output, gekürzt)

What's new in 1.9.1

  • Status-list trust-anchor separationverify_status_snapshot now takes an optional
    receipt_issuer_pubkey and reports self_issued=True when a status list is signed by the
    same key as the receipt: an issuer attesting its own "still valid" state carries no
    independent revocation assurance. Reported, not fatal — the relying party decides.
  • docs/GLOSSARY.md — proofbundle in plain terms, for readers without a crypto background.
  • make coverage target. No wire-format or verify-behavior change for existing callers.

Verify this release — don't trust us, check

Both artifacts were built once on GitHub Actions, attested, and are byte-identical to
PyPI:

$ sha256sum -c SHA256SUMS
proofbundle-1.9.1-py3-none-any.whl: OK
proofbundle-1.9.1.tar.gz: OK

$ gh attestation verify proofbundle-1.9.1-py3-none-any.whl --repo b7n0de/proofbundle
✓ Verification succeeded!

PyPI independently recorded PEP 740 attestations for both files — public, in the Sigstore
transparency log: wheel → log entry 2049473856 ·
sdist → log entry 2049473793.

Quality gates behind this release
  • 303 tests · CI mutation gate (30 operators — every mutant must be killed) ·
    property-based parser fuzzing (Hypothesis)
  • Correctness anchored to external RFC 6962 test vectors and a real Sigstore Rekor
    proof
    — not just our own bundles
  • Python 3.10+ · single runtime dependency: cryptography ·
    the verify path never rolls its own crypto

Start here: SPEC ·
THREAT_MODEL ·
30-minute adversarial review path ·
FAQ for skeptics

Full Changelog: v1.9.0...v1.9.1

v1.9.0

Choose a tag to compare

@github-actions github-actions released this 02 Jul 20:47

Full Changelog: v1.7.0...v1.9.0

v1.8.0

Choose a tag to compare

@github-actions github-actions released this 02 Jul 17:43

Full Changelog: v1.7.0...v1.8.0

v1.7.0

Choose a tag to compare

@github-actions github-actions released this 02 Jul 16:49

Full Changelog: v1.4.0...v1.7.0

v1.4.0

Choose a tag to compare

@github-actions github-actions released this 02 Jul 14:23

Full Changelog: v1.3.0...v1.4.0

v1.3.0

Choose a tag to compare

@github-actions github-actions released this 02 Jul 12:47

Full Changelog: v1.1.0...v1.3.0

v1.2.0

Choose a tag to compare

@github-actions github-actions released this 02 Jul 11:48

Full Changelog: v1.1.0...v1.2.0

v1.1.0

Choose a tag to compare

@github-actions github-actions released this 02 Jul 01:25

Full Changelog: v1.0.0...v1.1.0

v1.0.0

Choose a tag to compare

@github-actions github-actions released this 02 Jul 00:26

Full Changelog: v0.9.0...v1.0.0