Releases: b7n0de/proofbundle
Release list
2.0.0b1 — TEE-attestation bridge (experimental preview)
Warning
Research preview — not the recommended install. The stable v1.x line is the product;
pip install proofbundle will never pull this pre-release (PEP 440). This beta exists to
be reviewed, not to be trusted. Install only via:
pip install --pre "proofbundle[experimental]"
What this preview explores
Offline verification of TEE attestation results (proofbundle.experimental.enclave):
following the IETF RATS Passport model (RFC 9334),
a Verifier appraises raw TEE evidence out of band and signs an EAT
(RFC 9711); proofbundle verifies that token
offline and checks it is cryptographically bound to a specific receipt
(eat_nonce == enclave_binding_for(receipt)). CLI: proofbundle verify-enclave.
Note
Honest scope: proofbundle does not parse or appraise raw hardware evidence — that is
the Verifier's role. It verifies the Verifier's signed result and the receipt binding.
It does not prove the enclave is genuine, and never will claim to.
Deliberately hard to misuse
- Lives under
proofbundle.experimental— not re-exported from the top-level package - Emits an
ExperimentalWarningon import; the stable v1 core imports none of it - Doubly gated: pre-release channel and
[experimental]extra - Promotion to 2.0.0 only after the preview stabilises and, ideally, an external audit
Verification discipline
320 tests (303 v1.9.1 base + 16 enclave + 1 EAT fuzz case) — including an adversarial red
matrix: wrong verifier key, cross-receipt binding, alg=none, typ confusion, profile
mismatch, claim tamper, garbage input. Mutation gate: 31 operators, all killed.
No wire-format or behavior change to any v1 path.
Docs: EXPERIMENTAL_ENCLAVE.md ·
example
Full Changelog: v1.9.1...v2.0.0b1
v1.9.1 — status-list trust-anchor separation
Important
AI eval results need receipts. A receipt proves who signed these exact bytes and
that nothing changed since — never that the number is true. That boundary is the product.
The 60-second proof
$ pip install "proofbundle[eval]"
$ proofbundle demo
[PASS] ed25519-signature: payload signed by stated key
[PASS] merkle-inclusion: anchored under the stated root
=> OK
# then six independent tampers — every single one must fail:
=> FAILED (exit 1) ✓ caughtThe demo exits non-zero if any tamper slips through — it doubles as a self-test.
(→ ersetze diesen Block durch deinen echten proofbundle demo-Output, gekürzt)
What's new in 1.9.1
- Status-list trust-anchor separation —
verify_status_snapshotnow takes an optional
receipt_issuer_pubkeyand reportsself_issued=Truewhen a status list is signed by the
same key as the receipt: an issuer attesting its own "still valid" state carries no
independent revocation assurance. Reported, not fatal — the relying party decides. - docs/GLOSSARY.md — proofbundle in plain terms, for readers without a crypto background.
make coveragetarget. No wire-format or verify-behavior change for existing callers.
Verify this release — don't trust us, check
Both artifacts were built once on GitHub Actions, attested, and are byte-identical to
PyPI:
$ sha256sum -c SHA256SUMS
proofbundle-1.9.1-py3-none-any.whl: OK
proofbundle-1.9.1.tar.gz: OK
$ gh attestation verify proofbundle-1.9.1-py3-none-any.whl --repo b7n0de/proofbundle
✓ Verification succeeded!PyPI independently recorded PEP 740 attestations for both files — public, in the Sigstore
transparency log: wheel → log entry 2049473856 ·
sdist → log entry 2049473793.
Quality gates behind this release
- 303 tests · CI mutation gate (30 operators — every mutant must be killed) ·
property-based parser fuzzing (Hypothesis) - Correctness anchored to external RFC 6962 test vectors and a real Sigstore Rekor
proof — not just our own bundles - Python 3.10+ · single runtime dependency:
cryptography·
the verify path never rolls its own crypto
Start here: SPEC ·
THREAT_MODEL ·
30-minute adversarial review path ·
FAQ for skeptics
Full Changelog: v1.9.0...v1.9.1