Skip to main content

What runtime verification checks

Every attestation contains runtimeVersion and runtimeHash — the identity of the runtime that produced the decision. Runtime verification confirms:
  1. The runtime’s self-reported version and hash match the release manifest
  2. The release manifest is signed by a trusted key
  3. The runtime capabilities are compatible with the attestation’s schema version

Using verifyRuntime from @parmanasystems/core

import {
  verifyRuntime,
  LocalVerifier,
} from "@parmanasystems/core";
import fs from "node:fs";

const publicKey = fs.readFileSync("trust/root.pub", "utf8");
const verifier  = new LocalVerifier(publicKey);

const manifest = JSON.parse(
  fs.readFileSync("artifacts/release-manifest.json", "utf8")
);

const result = verifyRuntime(manifest, verifier);

console.log(result.valid);        // true
console.log(result.runtimeHash);  // "sha256:..."
console.log(result.version);      // "1.0.0"

Using verifyRuntimeCompatibility

Checks that a runtime manifest is compatible with a given set of schema requirements: 
import { verifyRuntimeCompatibility } from "@parmanasystems/core";

const result = verifyRuntimeCompatibility(manifest, {
  supportedRuntimeVersions: ["1.0.0"],
  supportedSchemaVersions:  ["1.0.0"],
});

console.log(result.compatible); // true

Via the REST API

The /runtime/manifest endpoint returns the running runtime’s manifest: 
curl http://localhost:3000/runtime/manifest | jq .

{
  "version": "1.0.0",
  "runtimeHash": "sha256:c9d4e5f...",
  "capabilities": ["execute", "verify", "audit"],
  "supportedSchemaVersions": ["1.0.0"],
  "startedAt": "2024-01-15T10:00:00.000Z"
}
Cross-reference the runtimeHash in this response with the runtimeHash embedded in attestations produced by this runtime. They must match.

Checking an attestation against the runtime

When you receive an attestation, verify that its runtimeVersion and runtimeHash match a runtime you trust: 
const attestation = await client.execute({ ... });
const manifest    = await client.runtimeManifest();

if (attestation.runtimeHash !== manifest.runtimeHash) {
  throw new Error(
    "Attestation runtimeHash does not match the current runtime. " +
    "The attestation may have been produced by a different runtime version."
  );
}

Expected result

A successful verifyRuntime call returns: 
{
  valid: true,
  runtimeHash: "sha256:c9d4e5f...",
  version: "1.0.0"
}
A failed call returns valid: false with a reason indicating which check failed.

Troubleshooting

verifyRuntime returns valid: false — The release manifest signature does not verify against the public key, or the manifest has been tampered with. Do not trust attestations from this runtime until the issue is resolved. runtimeHash in attestation differs from /runtime/manifest — The attestation was produced by a different runtime version than the one currently running. This is expected when the runtime is updated. For historical attestation verification, use the runtimeHash from the attestation itself — not the current runtime’s hash. Verify the historical runtime’s hash against the release manifest from that version. verifyRuntimeCompatibility returns compatible: false — The runtime version or schema version does not appear in the supported* lists. The attestation may have been produced by a newer or older runtime than the one performing verification.