Public, content-addressed, weighted-trust verifier for residua signed releases.
For each release, the Worker fetches release_root.json from IPFS by its self-CID; for /verify it recomputes the
sha256 of every asset's gateway-served bytes and compares it to the value recorded in release_root.json. No GitHub auth. No PAT. The
cid_v1 is the content hash, so a gateway returning wrong bytes is caught here.
This is a weighted-trust check, not a verification. The trust root is the keyless cosign signature + Rekor inclusion of `SHA256SUMS` (proof_root step 1). Pinata is an availability provider, not a trust root. For end-to-end trust use `cosign verify-blob` + the residua-side checker in the repo.
v0.4.0 → release_root bafkreid3o7uwwjkubwwqwslgdoxe4lzrgq7cguxni76cjkkg7sjwwmpdca

- GET /healthz — liveness + configured release_root CIDs
- GET /list — JSON catalog of versions
- GET /v<ver> — release manifest (JSON), per-asset gateway URLs included
- GET /v<ver>/verify — recompute & compare (JSON); always HTTP 200, verdict in summary.ok + summary.residues[]

?gateway=<url> overrides the default IPFS gateway (the trust is in the CID, not the gateway).

WEIGHTED-TRUST check, not a verification: recomputes the sha256 of each asset's gateway-served bytes against the sha256 recorded in release_root.json. Pinata = availability provider, NOT a trust root. The trust root remains the keyless cosign signature + Rekor inclusion of `SHA256SUMS` (proof_root step 1); use `cosign verify-blob` + the residua-side checker for end-to-end trust.
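As an added example (not the Worker's or the residua repo's own code), here is a Python model of the /verify check: a CID self-check on the fetched release_root.json bytes, then the per-asset sha256 recompute, run against a constructed in-memory gateway that serves wrong bytes for one asset. The manifest shape (name, cid_v1, sha256 per asset), the gateway URL and the asset contents are assumptions; the CID layout (v1 / raw codec / sha2-256, base32-lower multibase) is what the `bafkrei...` prefix of the release_root CID denotes.

```python
import base64
import hashlib
import json

# CIDv1 / raw codec (0x55) / sha2-256 multihash (0x12, 32 bytes): the "bafkrei..." layout of the release_root CID.
CID_HEADER = b"\x01\x55\x12\x20"
GATEWAY = "https://gateway.example/ipfs/"  # placeholder; the page does not name the Worker's default gateway


def cid_v1_digest(cid: str) -> bytes:
    """Extract the sha2-256 digest from a base32-lower multibase ('b' prefix) raw CIDv1."""
    if not cid.startswith("b"):
        raise ValueError("only base32-lower multibase CIDs are handled here")
    decoded = base64.b32decode(cid[1:].upper() + "=" * (-(len(cid) - 1) % 8))
    if len(decoded) != 36 or decoded[:4] != CID_HEADER:
        raise ValueError("CID is not v1 / raw / sha2-256")
    return decoded[4:]


def cid_v1_for(data: bytes) -> str:
    """Inverse of cid_v1_digest; used here only to build the constructed sample."""
    return "b" + base64.b32encode(CID_HEADER + hashlib.sha256(data).digest()).decode().lower().rstrip("=")


def verify_release(root_cid, fetch_bytes, gateway=GATEWAY):
    """Weighted-trust check: CID self-check on release_root.json, then sha256 recompute per asset."""
    root_bytes = fetch_bytes(gateway + root_cid)
    # The CID is the content hash, so a gateway serving wrong manifest bytes is caught before anything is parsed.
    if hashlib.sha256(root_bytes).digest() != cid_v1_digest(root_cid):
        return {"summary": {"ok": False, "residues": [{"asset": "release_root.json", "reason": "cid mismatch"}]}}
    residues = []
    for asset in json.loads(root_bytes)["assets"]:  # assumed manifest shape: name, cid_v1, sha256 per asset
        got = hashlib.sha256(fetch_bytes(gateway + asset["cid_v1"])).hexdigest()
        if got != asset["sha256"]:
            residues.append({"asset": asset["name"], "expected": asset["sha256"], "got": got})
    return {"summary": {"ok": not residues, "residues": residues}}  # verdict in the body, never an HTTP error


# Constructed sample: two assets; the fake gateway serves wrong bytes for the arm64 one.
AMD64, ARM64 = b"residua-0.4.0-linux-amd64\n", b"residua-0.4.0-linux-arm64\n"
ROOT = json.dumps({"version": "0.4.0", "assets": [
    {"name": n, "cid_v1": cid_v1_for(d), "sha256": hashlib.sha256(d).hexdigest()}
    for n, d in (("linux-amd64", AMD64), ("linux-arm64", ARM64))]}).encode()
ROOT_CID = cid_v1_for(ROOT)
FAKE_STORE = {GATEWAY + ROOT_CID: ROOT, GATEWAY + cid_v1_for(AMD64): AMD64,
              GATEWAY + cid_v1_for(ARM64): ARM64 + b"tampered\n"}

if __name__ == "__main__":
    print(json.dumps(verify_release(ROOT_CID, FAKE_STORE.__getitem__), indent=2))
```

Passing a different `gateway=` value is the same override as `?gateway=<url>`; the verdict does not depend on which gateway served the bytes, only on whether they hash to the recorded values.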