TailNumberHash-Signing as a Service · HSaaS☰ Dashboard🔒 HSM  signed in: rketcham · admin
⚠ DEV MODE — open access; ACL visibility bypassed. Audit still records the true identity.

group: tailnumber-admins

Sign (compose the algorithm)

Pick a key, then compose the signature: RSA exposes padding, digest, and PSS salt; ECDSA exposes the digest; ML-DSA is parameter-free. The live signing profile shows exactly what will be produced.

Do it yourself — OpenSSL sign & verify (offline)

Uses the files from this key’s Bundle .zip (private/, certs/, ca/). The commands follow the composed options above.

Hybrid signing (classical + post-quantum)

Signs the same digest with a classical and a post-quantum key. The envelope stays valid as long as either algorithm holds, and verifies only if both do — the recommended posture during the PQC transition.

Needs at least one classical key (RSA / ECDSA) and one post-quantum key (ML-DSA). Create both (Keys → Create a new key), then reload.

Verify an envelope

Confirms the signature is valid for the stored key. Add the original file and it also confirms the file still hashes to the signed digest — i.e. this envelope belongs to that file and nothing changed. The file is hashed in your browser and never uploaded. Hybrid envelopes (two components) are detected automatically.

Keys (click a key for details)

Each key is a signer identity — a keypair whose certificate is issued by the TailNumber CA. Click a key to expand its details, copy its label or SPKI, download a Bundle .zip, or delete it.

tailnumber-codesign-01rsa3072rsa3072-pss-sha256, rsa3072-pkcs1-sha256expires Jul 10 17:26:17 2076 GMT
labeltailnumber-codesign-01
subjectDC = com, DC = rayketcham, OU = CodeSigning, CN = tailnumber-codesign-01
key typersa3072
sig alg(s)rsa3072-pss-sha256, rsa3072-pkcs1-sha256
SPKI sha2562a6ceb31e4d4d2c370d6c1c66598c5fd0cfb35aa71deacf4256df3c0b8b3afc4
valid fromJul 10 17:26:17 2026 GMT
valid untilJul 10 17:26:17 2076 GMT
Provenance & governance
usage / purposecode signing
created byhsm-finish
created2026-07-10T17:26:17Z
reason / purposeSoftHSM cutover
created viatailnumber-keygen (local CLI)

Each key’s Bundle .zip has the cert in every format (PEM/DER/P7B), the public key, the PFX + private key, the CA trust anchor, and a verify.sh. PFX/key import password (UN/PW): ke+yJEcW2fQ8Zb+6DSx8vTqWFjh6wJBj · alias = the key label.

Create a new key — local CLI only

Key creation is not exposed over the API by design — it touches the CA private key, so it is an on-box admin operation. Run tailnumber-keygen as the service user; it records who / why / PMA approval as provenance shown with the key:

sudo -u tailnumber \
  TAILNUMBER_CONFIG=/etc/tailnumber/config.toml \
  LD_LIBRARY_PATH=/opt/openssl-3.5/lib64 PFXPASS="$(cat /etc/tailnumber/pfxpass)" \
  /opt/tailnumber/tools/tailnumber-keygen --label fw-signer-01 --alg ml-dsa-65 \
    --created-by "$(whoami)" --reason "Platform-42 firmware signing" \
    --approved-by "QA / Airworthiness" --pma PMA-2026-0142 \
    --approval-date 2026-07-09 --program SPEC42 --dal B --environment production

sig_alg options: rsa3072-pss-sha256 · rsa3072-pkcs1-sha256 · rsa4096-pss-sha384 · rsa4096-pkcs1-sha384 · ecdsa-p384-sha384 · ml-dsa-65 · ml-dsa-87

Signing CA (trust anchor)

Two-tier X.509 hierarchy: an offline-style Root CA anchors trust and an Issuing CA signs the leaf signer certificates. Every signature is trusted by chaining its certificate to this root — a forged self-signed cert with the same name fails the chain. Validity is sized to the platform lifetime (Root 55y · Issuing 54y · Signer 50y). Click a CA for its key type, serial, full DN, and fingerprint.

Root CAExample Root CAEC P-384 (ECDSA)expires Jul 10 17:26:17 2081 GMT
roleRoot CA
common nameExample Root CA
subject DNDC=com, DC=rayketcham, O=CAs, OU=RootCA, CN=Example Root CA
keyEC P-384 (ECDSA)
serial0905EBE683D4AE47FD98B46FCA915DF6EA0092B0
valid fromJul 10 17:26:17 2026 GMT
valid untilJul 10 17:26:17 2081 GMT
SHA-256 fingerprintD8:14:4C:EA:81:07:81:E8:1E:46:84:29:1A:98:3B:1C:55:00:06:09:52:12:9A:39:A6:8E:98:D6:36:CA:4B:30
Issuing CAExample Code Signing Issuing CAEC P-384 (ECDSA)expires Jul 10 17:26:17 2080 GMT
roleIssuing CA
common nameExample Code Signing Issuing CA
subject DNDC=com, DC=rayketcham, O=CAs, OU=CodeSigningCA, CN=Example Code Signing Issuing CA
keyEC P-384 (ECDSA)
serialEA040BB10DA3F7BB78350CF024EDD85E
valid fromJul 10 17:26:17 2026 GMT
valid untilJul 10 17:26:17 2080 GMT
SHA-256 fingerprintB1:27:C6:FD:24:3F:32:82:86:EE:3A:68:28:B8:99:DF:ED:B1:5E:49:29:79:4B:11:4A:0A:AE:A6:8F:DC:64:9C
OpenSSL output — captured when the CA was created

TailNumber signing CA — OpenSSL output captured at creation

captured: 2026-07-10T17:26:17Z

dir: /etc/tailnumber/keys/_ca

generation (gen-signing-ca.sh)

HSM CA in token 'tailnumber' via /usr/lib/softhsm/libsofthsm2.so

root key generated in HSM (label tn-root)

issuing key generated in HSM (label tn-issuing)

root + issuing certs issued (CA keys never leave the HSM)

Root CA (openssl x509 -text)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            09:05:eb:e6:83:d4:ae:47:fd:98:b4:6f:ca:91:5d:f6:ea:00:92:b0
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: DC=com, DC=rayketcham, O=CAs, OU=RootCA, CN=Example Root CA
        Validity
            Not Before: Jul 10 17:26:17 2026 GMT
            Not After : Jul 10 17:26:17 2081 GMT
        Subject: DC=com, DC=rayketcham, O=CAs, OU=RootCA, CN=Example Root CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:26:3b:18:0d:50:05:6e:a5:87:c4:83:e6:c0:b5:
                    9a:10:4c:16:90:27:14:1d:c9:22:63:95:69:96:c9:
                    ee:8b:3f:58:8b:03:74:78:91:6f:9c:c1:9b:55:a9:
                    2a:66:e9:93:8e:b0:17:26:e0:76:74:89:9f:7e:18:
                    65:4b:9b:1d:53:21:e9:e8:13:61:ab:f7:df:73:b4:
                    da:6c:d7:fa:86:f4:e3:0a:98:32:da:54:e6:93:43:
                    dd:d5:ed:fe:18:7b:5c
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                A7:D1:29:5E:F5:FA:5C:74:95:60:06:94:6E:3B:08:5A:E1:A1:73:44
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                A7:D1:29:5E:F5:FA:5C:74:95:60:06:94:6E:3B:08:5A:E1:A1:73:44
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:64:02:30:5a:9a:67:bf:15:c0:b7:79:b3:c1:26:71:fe:64:
        0a:51:42:d5:57:ce:e9:f4:bd:36:53:96:9d:34:d0:b4:40:89:
        10:36:9d:9d:0e:ab:3a:79:34:e9:6b:94:8b:75:35:be:02:30:
        14:03:7e:36:0a:de:bd:50:e9:94:13:28:5b:56:fd:49:d5:fe:
        53:96:15:e7:16:c6:80:47:07:8a:23:bb:7a:ef:1e:4c:82:cd:
        39:05:9c:8a:69:75:c1:0c:f1:df:6c:cd
sha256 Fingerprint=D8:14:4C:EA:81:07:81:E8:1E:46:84:29:1A:98:3B:1C:55:00:06:09:52:12:9A:39:A6:8E:98:D6:36:CA:4B:30

Issuing CA (openssl x509 -text)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ea:04:0b:b1:0d:a3:f7:bb:78:35:0c:f0:24:ed:d8:5e
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: DC=com, DC=rayketcham, O=CAs, OU=RootCA, CN=Example Root CA
        Validity
            Not Before: Jul 10 17:26:17 2026 GMT
            Not After : Jul 10 17:26:17 2080 GMT
        Subject: DC=com, DC=rayketcham, O=CAs, OU=CodeSigningCA, CN=Example Code Signing Issuing CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:e7:75:d1:17:db:dd:89:e2:a8:86:8e:b7:30:7f:
                    2c:29:9d:3d:bd:4e:37:7c:66:67:e8:93:4d:f7:0f:
                    66:2b:19:5e:61:6f:f2:10:85:8d:34:43:e6:70:50:
                    83:71:a5:ed:6f:88:28:6f:a7:b0:4a:9a:ce:06:da:
                    9d:38:55:a0:45:e1:d3:71:fe:16:df:5e:b2:e6:64:
                    27:eb:d5:62:63:58:62:0b:0c:86:c2:23:e5:cb:74:
                    f7:04:2e:07:b9:1c:98
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Subject Key Identifier:
                E7:50:8F:B9:B1:59:96:68:84:13:85:13:3D:35:F8:C4:9D:D6:FB:69
            X509v3 Authority Key Identifier:
                A7:D1:29:5E:F5:FA:5C:74:95:60:06:94:6E:3B:08:5A:E1:A1:73:44
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:65:02:31:00:c6:4b:8e:78:35:cc:64:a2:ff:c2:4e:c8:2d:
        58:92:55:5e:ce:e3:03:11:97:86:60:f8:05:66:be:ae:c1:77:
        ba:93:65:56:f6:e8:2c:c2:df:9b:7e:36:3f:81:28:fb:d6:02:
        30:47:37:7b:78:03:a9:28:b6:09:d0:78:34:f9:53:db:ae:1c:
        fc:9d:c5:22:23:b4:21:2f:a8:65:99:cc:1c:7b:e9:0f:6c:6f:
        cb:90:fe:4f:7f:ab:3d:99:a4:34:28:a3:0b
sha256 Fingerprint=B1:27:C6:FD:24:3F:32:82:86:EE:3A:68:28:B8:99:DF:ED:B1:5E:49:29:79:4B:11:4A:0A:AE:A6:8F:DC:64:9C
Root certificate (PEM) — publish to verifiers
-----BEGIN CERTIFICATE-----
MIICejCCAgGgAwIBAgIUCQXr5oPUrkf9mLRvypFd9uoAkrAwCgYIKoZIzj0EAwIw
ajETMBEGCgmSJomT8ixkARkWA2NvbTEaMBgGCgmSJomT8ixkARkWCnJheWtldGNo
YW0xDDAKBgNVBAoMA0NBczEPMA0GA1UECwwGUm9vdENBMRgwFgYDVQQDDA9FeGFt
cGxlIFJvb3QgQ0EwIBcNMjYwNzEwMTcyNjE3WhgPMjA4MTA3MTAxNzI2MTdaMGox
EzARBgoJkiaJk/IsZAEZFgNjb20xGjAYBgoJkiaJk/IsZAEZFgpyYXlrZXRjaGFt
MQwwCgYDVQQKDANDQXMxDzANBgNVBAsMBlJvb3RDQTEYMBYGA1UEAwwPRXhhbXBs
ZSBSb290IENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJjsYDVAFbqWHxIPmwLWa
EEwWkCcUHckiY5Vplsnuiz9YiwN0eJFvnMGbVakqZumTjrAXJuB2dImffhhlS5sd
UyHp6BNhq/ffc7TabNf6hvTjCpgy2lTmk0Pd1e3+GHtco2YwZDAfBgNVHSMEGDAW
gBSn0Sle9fpcdJVgBpRuOwha4aFzRDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1Ud
DwEB/wQEAwIBBjAdBgNVHQ4EFgQUp9EpXvX6XHSVYAaUbjsIWuGhc0QwCgYIKoZI
zj0EAwIDZwAwZAIwWppnvxXAt3mzwSZx/mQKUULVV87p9L02U5adNNC0QIkQNp2d
Dqs6eTTpa5SLdTW+AjAUA342Ct69UOmUEyhbVv1J1f5TlhXnFsaARweKI7t67x5M
gs05BZyKaXXBDPHfbM0=
-----END CERTIFICATE-----

API: status /CRLs/tailnumber/api/v1/ca · anchor /CRLs/tailnumber/api/v1/ca/root

Usage metrics (from the audit log)

41
total operations
22
signatures
12
verifications
85.4%
success rate
2
active identities

Operations per hour · last 24h

00: 00001: 002: 003: 00304: 005: 006: 00607: 008: 009: 00910: 011: 012: 01213: 014: 015: 01516: 017: 018: 01819: 020: 021: 332122: 023: 0

Operations per day · last 14d

06/28: 006/2806/29: 006/30: 006/3007/01: 007/02: 007/0207/03: 007/04: 007/0407/05: 007/06: 007/0607/07: 007/08: 007/0807/09: 007/10: 383807/1007/11: 33

By action

sign22
verify12
ca-setup4
verify-batch2
create-key1

By digest algorithm

sha25634

Generated 2026-07-11T23:43:46Z from 41 recent records · API: /api/v1/metrics.

Audit log (hash-chained)

✓ chain verified — 41 records

showing 41 · signs 22 · verifies 12 · create-key 1 · ca-setup 4 · top keys: tailnumber-codesign-01×21, tailnumber-legacy-rsa-01×1

Show 41 records
#412026-07-11T21:14:14Zrketchamverifytailnumber-codesign-01sha256192.168.1.1invalid
{
  "action": "verify",
  "actor": "rketcham",
  "client_ip": "192.168.1.1",
  "dev_mode": true,
  "digest_alg": "sha256",
  "key": "tailnumber-codesign-01",
  "result": "invalid",
  "seq": 41,
  "ts": "2026-07-11T21:14:14Z"
}
#402026-07-11T21:14:03Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
  "action": "verify",
  "actor": "rketcham",
  "client_ip": "192.168.1.1",
  "dev_mode": true,
  "digest_alg": "sha256",
  "key": "tailnumber-codesign-01",
  "result": "ok",
  "seq": 40,
  "ts": "2026-07-11T21:14:03Z"
}
#392026-07-11T21:14:02Zrketchamsigntailnumber-codesign-01sha256WJG1tSLV3whtD/Cx…192.168.1.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpfiw9htck/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#382026-07-10T19:38:01Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
  "action": "verify",
  "actor": "rketcham",
  "client_ip": "192.168.1.1",
  "dev_mode": true,
  "digest_alg": "sha256",
  "key": "tailnumber-codesign-01",
  "result": "ok",
  "seq": 38,
  "ts": "2026-07-10T19:38:01Z"
}
#372026-07-10T19:38:01Zrketchamsigntailnumber-codesign-01sha256Fv1z+ZkFwic5+Uv5…192.168.1.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = 16fd73f99905c22739f94bf9ea7ff470c632a9de12640e9c14b09fc489afff5a

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpw9kb6zd0/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#362026-07-10T19:37:04Zrketchamverify-batch192.168.1.1ok
{
  "action": "verify-batch",
  "actor": "rketcham",
  "client_ip": "192.168.1.1",
  "count": 1,
  "dev_mode": true,
  "result": "ok",
  "seq": 36,
  "ts": "2026-07-10T19:37:04Z"
}
#352026-07-10T19:37:04Zrketchamsigntailnumber-codesign-01sha256HQyKqh/9k1FnjRIr…192.168.1.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = 1d0c8aaa1ffd9351678d122b33c218311cf539a2d1ac2a2c1a650513df71934f

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpp6jcmen8/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#342026-07-10T19:37:04Zrketchamsigntailnumber-codesign-01sha256HQyKqh/9k1FnjRIr…192.168.1.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = 1d0c8aaa1ffd9351678d122b33c218311cf539a2d1ac2a2c1a650513df71934f

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp_3w_ph0l/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#332026-07-10T19:37:04Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
  "action": "verify",
  "actor": "rketcham",
  "client_ip": "192.168.1.1",
  "dev_mode": true,
  "digest_alg": "sha256",
  "key": "tailnumber-codesign-01",
  "result": "ok",
  "seq": 33,
  "ts": "2026-07-10T19:37:04Z"
}
#322026-07-10T19:37:04Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
  "action": "verify",
  "actor": "rketcham",
  "client_ip": "192.168.1.1",
  "dev_mode": true,
  "digest_alg": "sha256",
  "key": "tailnumber-codesign-01",
  "result": "ok",
  "seq": 32,
  "ts": "2026-07-10T19:37:04Z"
}
#312026-07-10T19:37:04Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
  "action": "verify",
  "actor": "rketcham",
  "client_ip": "192.168.1.1",
  "dev_mode": true,
  "digest_alg": "sha256",
  "key": "tailnumber-codesign-01",
  "profile": "digest-as-message",
  "result": "ok",
  "seq": 31,
  "ts": "2026-07-10T19:37:04Z"
}
#302026-07-10T19:37:03Zrketchamsigntailnumber-codesign-01sha256HQyKqh/9k1FnjRIr…192.168.1.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = 1d0c8aaa1ffd9351678d122b33c218311cf539a2d1ac2a2c1a650513df71934f

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpknzimpmd/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#292026-07-10T19:37:03Zrketchamsigntailnumber-codesign-01sha256HQyKqh/9k1FnjRIr…192.168.1.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = 1d0c8aaa1ffd9351678d122b33c218311cf539a2d1ac2a2c1a650513df71934f

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpjsxz916c/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#282026-07-10T19:37:03Zrketchamsigntailnumber-codesign-01sha256HQyKqh/9k1FnjRIr…192.168.1.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = 1d0c8aaa1ffd9351678d122b33c218311cf539a2d1ac2a2c1a650513df71934f

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp7okgea6k/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#272026-07-10T19:31:20Zrketchamverify-batch192.168.1.1ok
{
  "action": "verify-batch",
  "actor": "rketcham",
  "client_ip": "192.168.1.1",
  "count": 1,
  "dev_mode": true,
  "result": "ok",
  "seq": 27,
  "ts": "2026-07-10T19:31:20Z"
}
#262026-07-10T19:31:20Zrketchamsigntailnumber-codesign-01sha256ii6wuZRM7JRFV4CL…192.168.1.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = 8a2eb0b9944cec944557808b0be6ec5e2e22d0eee944c3e1818f2ff0ad0dda07

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp1tot1_iv/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#252026-07-10T19:31:20Zrketchamsigntailnumber-codesign-01sha256ii6wuZRM7JRFV4CL…192.168.1.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = 8a2eb0b9944cec944557808b0be6ec5e2e22d0eee944c3e1818f2ff0ad0dda07

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp389mio8u/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#242026-07-10T19:30:30Zrketchamverifytailnumber-codesign-01sha256127.0.0.1ok
{
  "action": "verify",
  "actor": "rketcham",
  "client_ip": "127.0.0.1",
  "dev_mode": true,
  "digest_alg": "sha256",
  "key": "tailnumber-codesign-01",
  "result": "ok",
  "seq": 24,
  "ts": "2026-07-10T19:30:30Z"
}
#232026-07-10T19:30:30Zrketchamsigntailnumber-codesign-01sha256Ebox1VnsHlBVr2nC…127.0.0.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = 11ba31d559ec1e5055af69c282d690e9bc0313edc54b00b53c9f7b37436dac01

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmprsm7doyj/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#222026-07-10T19:30:29Zrketchamsigntailnumber-codesign-01sha256Ebox1VnsHlBVr2nC…127.0.0.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pkcs1-sha256 digest_alg=sha256

sha256(artifact) = 11ba31d559ec1e5055af69c282d690e9bc0313edc54b00b53c9f7b37436dac01

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp5p2ub92o/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256
Signature Verified Successfully
#212026-07-10T19:30:16Zrketchamsigntailnumber-codesign-01sha256dFQ1Auk/rUj6XxOC…127.0.0.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = 74543502e93fad48fa5f1382282a7f3ba09b79b36f360c357978f64fcac37ae4

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpnoi1mza0/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#202026-07-10T19:27:19Zrketchamsigntailnumber-codesign-01sha256LXEWQrcmsEQBYnyp…192.168.1.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = 2d711642b726b04401627ca9fbac32f5c8530fb1903cc4db02258717921a4881

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpsxyuabfb/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#192026-07-10T19:26:34Zrketchamsigntailnumber-codesign-01sha256+bFT9uyljY4/5/gW…192.168.1.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = f9b153f6eca58d8e3fe7f81641b122c508eeb0b0d21fdf2d10c62cf4c6a297e4

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpl1pzbz02/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#182026-07-10T19:26:34Zrketchamsigntailnumber-codesign-01sha256+bFT9uyljY4/5/gW…192.168.1.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = f9b153f6eca58d8e3fe7f81641b122c508eeb0b0d21fdf2d10c62cf4c6a297e4

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpcrcom0cw/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#172026-07-10T19:26:34Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
  "action": "verify",
  "actor": "rketcham",
  "client_ip": "192.168.1.1",
  "dev_mode": true,
  "digest_alg": "sha256",
  "key": "tailnumber-codesign-01",
  "result": "ok",
  "seq": 17,
  "ts": "2026-07-10T19:26:34Z"
}
#162026-07-10T19:26:34Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
  "action": "verify",
  "actor": "rketcham",
  "client_ip": "192.168.1.1",
  "dev_mode": true,
  "digest_alg": "sha256",
  "key": "tailnumber-codesign-01",
  "result": "ok",
  "seq": 16,
  "ts": "2026-07-10T19:26:34Z"
}
#152026-07-10T19:26:34Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
  "action": "verify",
  "actor": "rketcham",
  "client_ip": "192.168.1.1",
  "dev_mode": true,
  "digest_alg": "sha256",
  "key": "tailnumber-codesign-01",
  "profile": "digest-as-message",
  "result": "ok",
  "seq": 15,
  "ts": "2026-07-10T19:26:34Z"
}
#142026-07-10T19:26:33Zrketchamsigntailnumber-codesign-01sha256+bFT9uyljY4/5/gW…192.168.1.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = f9b153f6eca58d8e3fe7f81641b122c508eeb0b0d21fdf2d10c62cf4c6a297e4

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp8oxtwzee/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#132026-07-10T19:26:32Zrketchamsigntailnumber-codesign-01sha256+bFT9uyljY4/5/gW…192.168.1.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = f9b153f6eca58d8e3fe7f81641b122c508eeb0b0d21fdf2d10c62cf4c6a297e4

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpf_yfq9nc/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#122026-07-10T18:06:30Zrketchamsigntailnumber-codesign-01sha256gliwkMD5xj+msepO…50.19.209.220ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = 8258b090c0f9c63fa6b1ea4e40d5c9c3fb313362cd5b6bbfa4dd7e5e11dcb19c

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpubekomnm/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#112026-07-10T17:56:54Zrketchamsigntailnumber-legacy-rsa-01sha25650.19.209.220error
{
  "action": "sign",
  "actor": "rketcham",
  "client_ip": "50.19.209.220",
  "dev_mode": true,
  "digest_alg": "sha256",
  "error": "unknown key label: tailnumber-legacy-rsa-01",
  "key": "tailnumber-legacy-rsa-01",
  "result": "error",
  "seq": 11,
  "ts": "2026-07-10T17:56:54Z"
}
#102026-07-10T17:28:02Zrketchamverifytailnumber-codesign-01sha256127.0.0.1ok
{
  "action": "verify",
  "actor": "rketcham",
  "client_ip": "127.0.0.1",
  "dev_mode": true,
  "digest_alg": "sha256",
  "key": "tailnumber-codesign-01",
  "profile": "digest-as-message",
  "result": "ok",
  "seq": 10,
  "ts": "2026-07-10T17:28:02Z"
}
#92026-07-10T17:28:02Zrketchamsigntailnumber-codesign-01sha2568FPsKtEQ7FIYPZrs…127.0.0.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = f053ec2ad110ec52183d9aec3c3c95620760eb409cc9acdad576e5c59aef3188

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp3c2y75un/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#82026-07-10T17:26:18Zrketchamverifytailnumber-codesign-01sha256127.0.0.1ok
{
  "action": "verify",
  "actor": "rketcham",
  "client_ip": "127.0.0.1",
  "dev_mode": true,
  "digest_alg": "sha256",
  "key": "tailnumber-codesign-01",
  "result": "ok",
  "seq": 8,
  "ts": "2026-07-10T17:26:18Z"
}
#72026-07-10T17:26:18Zrketchamsigntailnumber-codesign-01sha2569CkIQPINmF8aVpYi…127.0.0.1ok

Reproducible offline with just OpenSSL + the envelope.

key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256

sha256(artifact) = f4290840f20d985f1a569622ee49d961092341cf55cc3537211756b9fac9f810

openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl
PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V
H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8
No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i
SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i
VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto
527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg
VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk
CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE=
-----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp7leueq_u/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#62026-07-10T17:26:17Zhsm-finishcreate-keytailnumber-codesign-01ok
{
  "action": "create-key",
  "actor": "hsm-finish",
  "key": "tailnumber-codesign-01",
  "provenance": {
    "created_at": "2026-07-10T17:26:17Z",
    "created_by": "hsm-finish",
    "created_via": "tailnumber-keygen (local CLI)",
    "reason": "SoftHSM cutover",
    "usage": "code signing"
  },
  "result": "ok",
  "seq": 6,
  "ts": "2026-07-10T17:26:17Z",
  "via": "tailnumber-keygen (local CLI)"
}
#52026-07-10T17:26:17Zrketchamca-setup127.0.0.1ok

HSM CA in token 'tailnumber' via /usr/lib/softhsm/libsofthsm2.so

root key generated in HSM (label tn-root)

issuing key generated in HSM (label tn-issuing)

root + issuing certs issued (CA keys never leave the HSM)

key issuance (openssl)

openssl req -new -x509 -engine pkcs11 -keyform engine -key pkcs11:token=tailnumber;object=tn-root;type=private;pin-value=1553b211b35e -subj /DC=com/DC=rayketcham/O=CAs/OU=RootCA/CN=Example Root CA -days 20089 -addext basicConstraints=critical,CA:TRUE,pathlen:1 -addext keyUsage=critical,keyCertSign,cRLSign -addext subjectKeyIdentifier=hash -out /etc/tailnumber/keys/_ca/tailnumber-signing-root.crt
Engine "pkcs11" set.
openssl req -new -engine pkcs11 -keyform engine -key pkcs11:token=tailnumber;object=tn-issuing;type=private;pin-value=1553b211b35e -subj /DC=com/DC=rayketcham/O=CAs/OU=CodeSigningCA/CN=Example Code Signing Issuing CA -out /run/tailnumber/tmplnbqk6cl.csr
Engine "pkcs11" set.
openssl x509 -req -in /run/tailnumber/tmplnbqk6cl.csr -CA /etc/tailnumber/keys/_ca/tailnumber-signing-root.crt -CAkey pkcs11:token=tailnumber;object=tn-root;type=private;pin-value=1553b211b35e -CAkeyform engine -engine pkcs11 -set_serial 0xea040bb10da3f7bb78350cf024edd85e -days 19724 -extfile /run/tailnumber/tmpcc6inc_y.ext -out /etc/tailnumber/keys/_ca/tailnumber-signing-issuing.crt
Engine "pkcs11" set.
Certificate request self-signature ok
subject=DC = com, DC = rayketcham, O = CAs, OU = CodeSigningCA, CN = Example Code Signing Issuing CA
#42026-07-10T17:12:20Zrketchamca-setup127.0.0.1error
{
  "action": "ca-setup",
  "actor": "rketcham",
  "client_ip": "127.0.0.1",
  "dev_mode": true,
  "error": "error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_GENERAL_ERROR (0x5)\nAborting.",
  "result": "error",
  "seq": 4,
  "ts": "2026-07-10T17:12:20Z"
}
#32026-07-10T16:42:51Zrketchamca-setup127.0.0.1error
{
  "action": "ca-setup",
  "actor": "rketcham",
  "client_ip": "127.0.0.1",
  "dev_mode": true,
  "error": "error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_GENERAL_ERROR (0x5)\nAborting.",
  "result": "error",
  "seq": 3,
  "ts": "2026-07-10T16:42:51Z"
}
#22026-07-10T16:39:59Zrketchamsigntailnumber-codesign-01sha256127.0.0.1error
{
  "action": "sign",
  "actor": "rketcham",
  "client_ip": "127.0.0.1",
  "dev_mode": true,
  "digest_alg": "sha256",
  "error": "unknown key label: tailnumber-codesign-01",
  "key": "tailnumber-codesign-01",
  "result": "error",
  "seq": 2,
  "ts": "2026-07-10T16:39:59Z"
}
#12026-07-10T16:39:59Zrketchamca-setup127.0.0.1error
{
  "action": "ca-setup",
  "actor": "rketcham",
  "client_ip": "127.0.0.1",
  "dev_mode": true,
  "error": "error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_GENERAL_ERROR (0x5)\nAborting.",
  "result": "error",
  "seq": 1,
  "ts": "2026-07-10T16:39:59Z"
}

Every sign row expands to the full captured OpenSSL commands + output. API: /api/v1/audit, /audit/stats, /audit/search, /audit/export.