Security Verification

Verify Our Proofs Yourself

Every build of Railguard AI publishes a signed attestation, SBOM, and cryptographic receipts. Follow the steps below to validate them using familiar tooling.

1. Fetch the Attestation

Download the build metadata from /.well-known/build-attestation.json. The payload contains the git commit, build timestamp, SBOM hash, and a detached Ed25519 signature.

2. Load the Public Key

Retrieve the public key at /.well-known/public-keys/railguard-build-ed25519.pub. We rotate keys annually and publish the fingerprints on the security page. Because the key file and the attestation are served from the same origin, compute the fingerprint of the key you downloaded and compare it with the published one before trusting any signature it verifies.

3. Verify the Signature

Use your preferred Ed25519 library to verify the signature against the attestation payload. The example below uses tweetnacl in a browser environment. Two details matter: the .pub file is a PEM-armored SubjectPublicKeyInfo, so the raw 32-byte key has to be unwrapped from its DER prefix before a raw-key library can use it, and the bytes you verify must be exactly the bytes the build pipeline signed, here the attestation JSON with its signature field removed.

import nacl from "tweetnacl"
import { decode as decodeBase64 } from "base64-arraybuffer"

// The .pub file is a PEM "PUBLIC KEY" block: a DER SubjectPublicKeyInfo, not a
// raw key. For Ed25519 that is a fixed 12-byte algorithm prefix followed by the
// 32-byte key, and tweetnacl accepts only the 32 bytes.
const SPKI_ED25519_PREFIX_LEN = 12

async function verifyAttestation() {
  const [attestation, publicKeyPem] = await Promise.all([
    fetch("/.well-known/build-attestation.json").then((res) => res.json()),
    fetch("/.well-known/public-keys/railguard-build-ed25519.pub").then((res) => res.text())
  ])

  // Strip the PEM armor and every line break before base64-decoding.
  const spkiBase64 = publicKeyPem
    .replace(/-----(BEGIN|END) PUBLIC KEY-----/g, "")
    .replace(/\s+/g, "")
  const spki = new Uint8Array(decodeBase64(spkiBase64))
  if (spki.length !== SPKI_ED25519_PREFIX_LEN + nacl.sign.publicKeyLength) {
    throw new Error("unexpected public key encoding")
  }
  const key = spki.slice(SPKI_ED25519_PREFIX_LEN)

  // The signed message is the attestation without its signature field. The
  // bytes must match what the build pipeline signed, so the serialization
  // (field order, whitespace) has to follow the pipeline's; this assumes the
  // pipeline signed the compact JSON of the remaining fields in file order.
  const { signature: sig, ...unsigned } = attestation
  const message = new TextEncoder().encode(JSON.stringify(unsigned))
  const signature = new Uint8Array(decodeBase64(sig.signatureBase64))
  if (signature.length !== nacl.sign.signatureLength) {
    throw new Error("unexpected signature length")
  }

  return nacl.sign.detached.verify(message, signature, key)
}

verifyAttestation()
  .then((ok) => console.log(ok ? "attestation signature valid" : "attestation signature INVALID"))
  .catch((err) => console.error("verification failed:", err))

4. Cross-check the SBOM

Compare the sbomDigest field from the attestation with the SBOM download available on the SBOM page. Hash the SBOM bytes locally exactly as served, without pretty-printing or re-serializing them, and ensure the digest matches.

# Download the SBOM and hash the bytes exactly as served (-f fails on HTTP errors
# instead of hashing an error page)
curl -fsSL https://railguard.ai/.well-known/railguard-gateway-sbom.json | sha256sum | cut -d' ' -f1

# Read the digest recorded in the attestation; the two values must be identical
curl -fsSL https://railguard.ai/.well-known/build-attestation.json | jq -r '.sbomDigest'

Need help?

Our security engineering team can walk through the verification process live. Email security@railguard.ai to schedule time or request PGP-signed responses.
