1. Content hash
Computes SHA-256 of the file on disk. Compares against receipt.payload.content_hash.value. If they match: the file has not been modified since the record was sealed.
CLI — Offline ERF verifier
Verify records locally. No network. No trust assumptions.
The Vraimony CLI is a Python script that verifies two things about any sealed ERF record: the SHA-256 content hash matches the file, and the ed25519 server signature is valid. Runs entirely offline. No network calls required.
Python 3.7+
Offline-first
SHA-256 + ed25519
No network calls
SHA-256: dbfcde8e2ceff5692be1cf1051e7b3e205ea9498f70fd121a187ff29029e3c89
What it verifies
Two checks. Both required for a trusted record.
2. Server signature
Verifies the ed25519 signature in receipt.signature using the embedded public key. If valid: the receipt was produced by the Vraimony server and has not been tampered with.
Usage
One command. Two results.
# Basic verification
python3 vraimony_verify.py --file document.pdf --receipt receipt.json
# Verify timestamp anchor commitment (independent of Vraimony servers)
python3 vraimony_verify.py --file document.pdf --receipt receipt.json --verify-anchor
# Show evidence_degree report per item
python3 vraimony_verify.py --file document.pdf --receipt receipt.json --verbose
# Output — success:
Vraimony v4.5.6.1 — Offline verification
Receipt ID: 3fa85f64-5717-4562-b3fc-2c963f66afa6
Seal code: L2_STANDARD
Hash match: YES
Signature: VALID
# Output — tampered file:
Vraimony v4.5.6.1 — Offline verification
Receipt ID: 3fa85f64-5717-4562-b3fc-2c963f66afa6
Hash match: NO
Signature: INVALID
# Exit code 1
Exit codes: 0 = both checks pass. 1 = one or more checks fail. 2 = invalid receipt format.
Install
Python 3.7+ with one dependency.
# Install dependency
pip install cryptography
# Extract ZIP and run
unzip vraimony-cli.zip
python3 vraimony_verify.py --file your_file.pdf --receipt receipt.json
The script uses only Python standard library + cryptography package. No other dependencies. No network calls at runtime.
--verify-anchor — independent timestamp verification
Verify the timestamp commitment without any server calls.
The --verify-anchor flag recomputes the timestamp anchor commitment from the receipt fields and checks it matches timestamp_anchor.commitment_hex. This is the third verification layer — independent of both the file hash and the signature.
# What --verify-anchor checks:
# SHA256(content_hash + "|" + created_at + "|" + receipt_id)
# Must match receipt.payload.timestamp_anchor.commitment_hex
python3 vraimony_verify.py --file cargo-record.pdf --receipt receipt.json --verify-anchor
# Example output:
✓ HASH SHA-256 match — file unchanged since sealing
✓ SIGNATURE ed25519 valid — receipt is authentic
✓ ANCHOR commitment verified — 2026-03-25T10:00:00.000Z
✓ VERDICT SEALED · score=91/100
LAYERS structural=100 integrity=100 policy=90 readiness=80
EVIDENCE 3 items · PASS=2 · Declared=1 · Unverified=0
OTS Submit to opentimestamps.org for Bitcoin anchoring (optional)
URL https://ots.opentimestamps.org/timestamp
The anchor commitment can also be submitted to opentimestamps.org for Bitcoin-level external anchoring at zero cost. This step is optional — the commitment is independently verifiable without it.
--verbose — evidence degree report
See PASS/Declared/Unverified with degree labels per item.
python3 vraimony_verify.py --receipt receipt.json --verbose
# Example evidence report output:
Evidence items (3):
[PASS] Bill of Lading degree=9 confidence=95 anchored=true
[Declared] Commercial Invoice degree=5 confidence=80
[Unverified] Signed change order degree=2 (missing value)
Overclaims: 0 Quality stops: passed
When to use CLI vs verify.vraimony.com
Both verify the same thing. Different contexts.
Use CLI when:
- You need verification in an air-gapped environment
- You are automating checks in a CI/CD pipeline
- You need programmatic exit codes for scripts
- You want to verify without opening a browser
Use verify.vraimony.com when:
- You are a reviewer checking a record you received
- You want to see the full reviewer-facing record
- You want to ACK, MER, or download
- You need the human-readable review path