Verify a signed evidence pack
An unsigned PDF is a claim; a signed evidence pack is checkable. PQLens signs compliance evidence with ML-DSA-65 — a NIST-standardised post-quantum signature (FIPS 204) — and anyone, license or not, can verify a pack in one command.
pqlens verify evidence.json
How it works
- Get the evidence pack file (produced by a Compliance-tier
--format evidencerun, or pushed to a GRC platform). - Run
pqlens verifyon it — verification is free and needs no license. - The pack’s canonical JSON is re-hashed and compared to its
integritySha256, then the ML-DSA-65 signature is checked against the issuer’s public key (identified by itskid). - Exit code 0 means intact and authentic; a tampered or forged pack exits non-zero. Change one byte and watch it fail.
Why sign a post-quantum readiness report with post-quantum signatures
It would be strange to attest quantum readiness with a signature scheme the report itself classifies as quantum-vulnerable. ML-DSA-65 is the FIPS 204 lattice signature standardised by NIST in 2024 — the report is signed with the class of cryptography it recommends. Producing signed packs is the Compliance tier; issuers create their key once with pqlens keygen.
The engine is open source
Canonical JSON, the integrity hash, and ML-DSA-65 signing and verification live in cybxsan-evidence, an Apache-2.0 Go module shared with other CybXSan tools. You do not have to trust our binary to trust the format — read the code, or reimplement verification yourself.
What is actually inside a pack
The classified findings, scan metadata, compliance mappings (PCI DSS 12.3.3, ISO 27001 A.8.24, CNSA 2.0 targets) and, if white-labelled, the branding — all inside the hashed, signed record, so none of it can be altered after signing. Packs that are pushed to a GRC platform are redacted before signing: algorithm names, statuses and counts, never code or paths.
Frequently asked questions
Do I need a license to verify a pack?
No. Verification is free for everyone — that is the point. Producing signed packs is the Compliance tier.
What is ML-DSA-65?
The NIST-standardised lattice-based digital signature (FIPS 204, 2024), at security category 3. It is believed secure against both classical and quantum attackers — "believed" is the honest word; that is why nothing is called quantum-proof.
What happens if a pack was tampered with?
The canonical hash or the signature check fails and pqlens verify exits non-zero, telling you which check failed. Even a one-byte change is caught.
How do I know which issuer signed a pack?
Each pack carries a kid — a fingerprint derived from the issuer public key (SHA-256 of the key, truncated). Match it against the issuer key its owner published.