PQLensGuides › Verify a signed evidence pack
100% local · nothing leaves your machine

Verify a signed evidence pack

An unsigned PDF is a claim; a signed evidence pack is checkable. PQLens signs compliance evidence with ML-DSA-65 — a NIST-standardised post-quantum signature (FIPS 204) — and anyone, license or not, can verify a pack in one command.

pqlens verify evidence.json
Free · all ten surfaces · 100% local — nothing about your code, configs or certificates leaves the machine

How it works

  1. Get the evidence pack file (produced by a Compliance-tier --format evidence run, or pushed to a GRC platform).
  2. Run pqlens verify on it — verification is free and needs no license.
  3. The pack’s canonical JSON is re-hashed and compared to its integritySha256, then the ML-DSA-65 signature is checked against the issuer’s public key (identified by its kid).
  4. Exit code 0 means intact and authentic; a tampered or forged pack exits non-zero. Change one byte and watch it fail.

Why sign a post-quantum readiness report with post-quantum signatures

It would be strange to attest quantum readiness with a signature scheme the report itself classifies as quantum-vulnerable. ML-DSA-65 is the FIPS 204 lattice signature standardised by NIST in 2024 — the report is signed with the class of cryptography it recommends. Producing signed packs is the Compliance tier; issuers create their key once with pqlens keygen.

The engine is open source

Canonical JSON, the integrity hash, and ML-DSA-65 signing and verification live in cybxsan-evidence, an Apache-2.0 Go module shared with other CybXSan tools. You do not have to trust our binary to trust the format — read the code, or reimplement verification yourself.

What is actually inside a pack

The classified findings, scan metadata, compliance mappings (PCI DSS 12.3.3, ISO 27001 A.8.24, CNSA 2.0 targets) and, if white-labelled, the branding — all inside the hashed, signed record, so none of it can be altered after signing. Packs that are pushed to a GRC platform are redacted before signing: algorithm names, statuses and counts, never code or paths.

Frequently asked questions

Do I need a license to verify a pack?

No. Verification is free for everyone — that is the point. Producing signed packs is the Compliance tier.

What is ML-DSA-65?

The NIST-standardised lattice-based digital signature (FIPS 204, 2024), at security category 3. It is believed secure against both classical and quantum attackers — "believed" is the honest word; that is why nothing is called quantum-proof.

What happens if a pack was tampered with?

The canonical hash or the signature check fails and pqlens verify exits non-zero, telling you which check failed. Even a one-byte change is caught.

How do I know which issuer signed a pack?

Each pack carries a kid — a fingerprint derived from the issuer public key (SHA-256 of the key, truncated). Match it against the issuer key its owner published.

Related guides

PQLens by CybXSan · The evidence engine is open source: cybxsan-evidence.
We never claim “quantum-proof.” Verdicts follow NIST FIPS 203–205 and CNSA 2.0.