rfgen.manifest_verification

rfgen.manifest_verification verifies an already-published run manifest without authority to publish, mutate objects, sign, or write provenance. It is a sealed orchestration boundary: callers supply narrow read-only capabilities for repository reads, object reads, optional fresh-process reproduction, and optional persisted DSSE-bundle reads.

ManifestVerifier

ManifestVerifier

class ManifestVerifier:
    def __init__(
        self,
        repository: ManifestRepositoryReader,
        *,
        object_reader: ManifestObjectReader | None = None,
        reproduction: ReproductionCapability | None = None,
        provenance_bundles: ManifestProvenanceBundleReader | None = None,
        provenance_adapter: SigstoreDSSEAdapter | None = None,
        provenance_identity: str | None = None,
        provenance_issuer: str | None = None,
    ) -> None

    def verify(
        self,
        revision: str,
        *,
        mode: VerificationMode,
        deadline: datetime | None = None,
    ) -> VerificationReportV1

The repository is always read first and must return a validated RunManifestV1. revision is the expected manifest SHA-256; an unavailable manifest and a self-hash mismatch become report failures rather than write-side repair actions. mode must be a VerificationMode, not a string. deadline, when supplied, must be UTC and is forwarded unchanged to the reproduction capability.

Partial signed-provenance inputs and a non-UTC deadline raise ValueError; a plain string or other non-enum mode raises TypeError. Those are caller contract errors. In contrast, repository, object-read, reproduction, bundle, or DSSE-verification runtime failures are retained in the returned report as typed FAIL rows with a diagnostic code; they are not propagated and never trigger repair or mutation.

Mode

Checks

Capability failure

METADATA

Manifest schema and self-hash; object rows are SKIP / CAPABILITY_NOT_REQUESTED

None required

CHECKSUMS

Metadata plus presence and SHA-256 for every declared object

Missing object reader is FAIL / CAPABILITY_UNAVAILABLE

REPRODUCE

Checksums plus bounded output recreation

Missing reproduction capability is FAIL / CAPABILITY_UNAVAILABLE

For checksums, every object is read in 8 MiB chunks and all failures are reported. For reproduction, the verifier deterministically selects the 32 smallest sha256(run_id || sample_id) values, passes that tuple in selected order, and rejects duplicated, missing, extra, reordered, or non-fresh results. Integer IQ must compare exactly. Floating IQ passes only when both maximum absolute and relative-RMS error are at most 1e-6. Metadata, configuration, assets, plugins, and sample IDs compare exactly.

Optional signed provenance is an all-or-none constructor capability. The verifier loads the existing bundle for revision, verifies it through SigstoreDSSEAdapter with a RUN_MANIFEST_V1 policy bound to run-manifest.json and this revision, and requires the verified predicate to equal the loaded manifest. It never signs or persists a statement or bundle.

Capability protocols

ManifestRepositoryReader

Read-only protocol: get(revision: str) -> RunManifestV1.

ManifestObjectReader

Read-only protocol: open(key: str) -> BinaryIO.

ReproductionCapability

sample_ids(manifest) returns candidate IDs. reproduce(manifest, sample_ids, *, deadline) returns exactly one ReproductionResultV1 per selected ID in the supplied order. Its result supplies fresh_process=True as the fresh-runtime evidence that the verifier requires; absent, false, or malformed evidence fails closed.

ReproductionResultV1

Protocol fields are sample_id, fresh_process, exact-integer-IQ or floating error measurements, and exact metadata/config/assets/plugins/sample-ID comparison booleans. integer_iq_equal=True is the only integer-IQ pass. When it is None, both floating_max_abs and floating_relative_rms must be present and at most 1e-6; otherwise IQ fails. fresh_process and each of the five comparison fields must be boolean. A missing required field becomes fail-closed RESULT_MALFORMED report rows; a present but false fresh_process specifically reports FRESH_PROCESS_REQUIRED. It is a result interface rather than a persisted schema.

ManifestProvenanceBundleReader

Read-only protocol: load(revision: str) -> Bundle for an already-persisted DSSE bundle.

Output

verify() returns VerificationReportV1. Its rows are sorted by (scope, key, code), its counts must match those rows, and its overall status passes only when no requested check failed. Unrequested work is explicitly SKIP; requested but unavailable capability is a failure.

See Also

  • Manifest: canonical payload, report schemas, and repository.

  • Determinism: provenance and comparison rules.

  • Attestation: the closed DSSE verification boundary.