group: tailnumber-admins
Sign (compose the algorithm)
Pick a key, then compose the signature: RSA exposes padding, digest, and PSS salt; ECDSA exposes the digest; ML-DSA is parameter-free. The live signing profile shows exactly what will be produced.
Do it yourself — OpenSSL sign & verify (offline)
Uses the files from this key’s Bundle .zip (private/, certs/, ca/). The commands follow the composed options above.
Hybrid signing (classical + post-quantum)
Signs the same digest with a classical and a post-quantum key. The envelope stays valid as long as either algorithm holds, and verifies only if both do — the recommended posture during the PQC transition.
Needs at least one classical key (RSA / ECDSA) and one post-quantum key (ML-DSA). Create both (Keys → Create a new key), then reload.
Verify an envelope
Confirms the signature is valid for the stored key. Add the original file and it also confirms the file still hashes to the signed digest — i.e. this envelope belongs to that file and nothing changed. The file is hashed in your browser and never uploaded. Hybrid envelopes (two components) are detected automatically.
Keys (click a key for details)
Each key is a signer identity — a keypair whose certificate is issued by the TailNumber CA. Click a key to expand its details, copy its label or SPKI, download a Bundle .zip, or delete it.
tailnumber-codesign-01rsa3072rsa3072-pss-sha256, rsa3072-pkcs1-sha256expires Jul 10 17:26:17 2076 GMT
| label | tailnumber-codesign-01 |
|---|---|
| subject | DC = com, DC = rayketcham, OU = CodeSigning, CN = tailnumber-codesign-01 |
| key type | rsa3072 |
| sig alg(s) | rsa3072-pss-sha256, rsa3072-pkcs1-sha256 |
| SPKI sha256 | 2a6ceb31e4d4d2c370d6c1c66598c5fd0cfb35aa71deacf4256df3c0b8b3afc4 |
| valid from | Jul 10 17:26:17 2026 GMT |
| valid until | Jul 10 17:26:17 2076 GMT |
| Provenance & governance | |
| usage / purpose | code signing |
| created by | hsm-finish |
| created | 2026-07-10T17:26:17Z |
| reason / purpose | SoftHSM cutover |
| created via | tailnumber-keygen (local CLI) |
Each key’s Bundle .zip has the cert in every format (PEM/DER/P7B), the public key, the PFX + private key, the CA trust anchor, and a verify.sh. PFX/key import password (UN/PW): ke+yJEcW2fQ8Zb+6DSx8vTqWFjh6wJBj · alias = the key label.
Create a new key — local CLI only
Key creation is not exposed over the API by design — it touches the CA private key, so it is an on-box admin operation. Run tailnumber-keygen as the service user; it records who / why / PMA approval as provenance shown with the key:
sudo -u tailnumber \
TAILNUMBER_CONFIG=/etc/tailnumber/config.toml \
LD_LIBRARY_PATH=/opt/openssl-3.5/lib64 PFXPASS="$(cat /etc/tailnumber/pfxpass)" \
/opt/tailnumber/tools/tailnumber-keygen --label fw-signer-01 --alg ml-dsa-65 \
--created-by "$(whoami)" --reason "Platform-42 firmware signing" \
--approved-by "QA / Airworthiness" --pma PMA-2026-0142 \
--approval-date 2026-07-09 --program SPEC42 --dal B --environment productionsig_alg options: rsa3072-pss-sha256 · rsa3072-pkcs1-sha256 · rsa4096-pss-sha384 · rsa4096-pkcs1-sha384 · ecdsa-p384-sha384 · ml-dsa-65 · ml-dsa-87
Signing CA (trust anchor)
Two-tier X.509 hierarchy: an offline-style Root CA anchors trust and an Issuing CA signs the leaf signer certificates. Every signature is trusted by chaining its certificate to this root — a forged self-signed cert with the same name fails the chain. Validity is sized to the platform lifetime (Root 55y · Issuing 54y · Signer 50y). Click a CA for its key type, serial, full DN, and fingerprint.
Root CAExample Root CAEC P-384 (ECDSA)expires Jul 10 17:26:17 2081 GMT
| role | Root CA |
|---|---|
| common name | Example Root CA |
| subject DN | DC=com, DC=rayketcham, O=CAs, OU=RootCA, CN=Example Root CA |
| key | EC P-384 (ECDSA) |
| serial | 0905EBE683D4AE47FD98B46FCA915DF6EA0092B0 |
| valid from | Jul 10 17:26:17 2026 GMT |
| valid until | Jul 10 17:26:17 2081 GMT |
| SHA-256 fingerprint | D8:14:4C:EA:81:07:81:E8:1E:46:84:29:1A:98:3B:1C:55:00:06:09:52:12:9A:39:A6:8E:98:D6:36:CA:4B:30 |
Issuing CAExample Code Signing Issuing CAEC P-384 (ECDSA)expires Jul 10 17:26:17 2080 GMT
| role | Issuing CA |
|---|---|
| common name | Example Code Signing Issuing CA |
| subject DN | DC=com, DC=rayketcham, O=CAs, OU=CodeSigningCA, CN=Example Code Signing Issuing CA |
| key | EC P-384 (ECDSA) |
| serial | EA040BB10DA3F7BB78350CF024EDD85E |
| valid from | Jul 10 17:26:17 2026 GMT |
| valid until | Jul 10 17:26:17 2080 GMT |
| SHA-256 fingerprint | B1:27:C6:FD:24:3F:32:82:86:EE:3A:68:28:B8:99:DF:ED:B1:5E:49:29:79:4B:11:4A:0A:AE:A6:8F:DC:64:9C |
OpenSSL output — captured when the CA was created
TailNumber signing CA — OpenSSL output captured at creation
captured: 2026-07-10T17:26:17Z
dir: /etc/tailnumber/keys/_ca
generation (gen-signing-ca.sh)
HSM CA in token 'tailnumber' via /usr/lib/softhsm/libsofthsm2.so
root key generated in HSM (label tn-root)
issuing key generated in HSM (label tn-issuing)
root + issuing certs issued (CA keys never leave the HSM)
Root CA (openssl x509 -text)
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
09:05:eb:e6:83:d4:ae:47:fd:98:b4:6f:ca:91:5d:f6:ea:00:92:b0
Signature Algorithm: ecdsa-with-SHA256
Issuer: DC=com, DC=rayketcham, O=CAs, OU=RootCA, CN=Example Root CA
Validity
Not Before: Jul 10 17:26:17 2026 GMT
Not After : Jul 10 17:26:17 2081 GMT
Subject: DC=com, DC=rayketcham, O=CAs, OU=RootCA, CN=Example Root CA
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:26:3b:18:0d:50:05:6e:a5:87:c4:83:e6:c0:b5:
9a:10:4c:16:90:27:14:1d:c9:22:63:95:69:96:c9:
ee:8b:3f:58:8b:03:74:78:91:6f:9c:c1:9b:55:a9:
2a:66:e9:93:8e:b0:17:26:e0:76:74:89:9f:7e:18:
65:4b:9b:1d:53:21:e9:e8:13:61:ab:f7:df:73:b4:
da:6c:d7:fa:86:f4:e3:0a:98:32:da:54:e6:93:43:
dd:d5:ed:fe:18:7b:5c
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Authority Key Identifier:
A7:D1:29:5E:F5:FA:5C:74:95:60:06:94:6E:3B:08:5A:E1:A1:73:44
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
A7:D1:29:5E:F5:FA:5C:74:95:60:06:94:6E:3B:08:5A:E1:A1:73:44
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:64:02:30:5a:9a:67:bf:15:c0:b7:79:b3:c1:26:71:fe:64:
0a:51:42:d5:57:ce:e9:f4:bd:36:53:96:9d:34:d0:b4:40:89:
10:36:9d:9d:0e:ab:3a:79:34:e9:6b:94:8b:75:35:be:02:30:
14:03:7e:36:0a:de:bd:50:e9:94:13:28:5b:56:fd:49:d5:fe:
53:96:15:e7:16:c6:80:47:07:8a:23:bb:7a:ef:1e:4c:82:cd:
39:05:9c:8a:69:75:c1:0c:f1:df:6c:cd
sha256 Fingerprint=D8:14:4C:EA:81:07:81:E8:1E:46:84:29:1A:98:3B:1C:55:00:06:09:52:12:9A:39:A6:8E:98:D6:36:CA:4B:30Issuing CA (openssl x509 -text)
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ea:04:0b:b1:0d:a3:f7:bb:78:35:0c:f0:24:ed:d8:5e
Signature Algorithm: ecdsa-with-SHA256
Issuer: DC=com, DC=rayketcham, O=CAs, OU=RootCA, CN=Example Root CA
Validity
Not Before: Jul 10 17:26:17 2026 GMT
Not After : Jul 10 17:26:17 2080 GMT
Subject: DC=com, DC=rayketcham, O=CAs, OU=CodeSigningCA, CN=Example Code Signing Issuing CA
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:e7:75:d1:17:db:dd:89:e2:a8:86:8e:b7:30:7f:
2c:29:9d:3d:bd:4e:37:7c:66:67:e8:93:4d:f7:0f:
66:2b:19:5e:61:6f:f2:10:85:8d:34:43:e6:70:50:
83:71:a5:ed:6f:88:28:6f:a7:b0:4a:9a:ce:06:da:
9d:38:55:a0:45:e1:d3:71:fe:16:df:5e:b2:e6:64:
27:eb:d5:62:63:58:62:0b:0c:86:c2:23:e5:cb:74:
f7:04:2e:07:b9:1c:98
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
Code Signing
X509v3 Subject Key Identifier:
E7:50:8F:B9:B1:59:96:68:84:13:85:13:3D:35:F8:C4:9D:D6:FB:69
X509v3 Authority Key Identifier:
A7:D1:29:5E:F5:FA:5C:74:95:60:06:94:6E:3B:08:5A:E1:A1:73:44
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:65:02:31:00:c6:4b:8e:78:35:cc:64:a2:ff:c2:4e:c8:2d:
58:92:55:5e:ce:e3:03:11:97:86:60:f8:05:66:be:ae:c1:77:
ba:93:65:56:f6:e8:2c:c2:df:9b:7e:36:3f:81:28:fb:d6:02:
30:47:37:7b:78:03:a9:28:b6:09:d0:78:34:f9:53:db:ae:1c:
fc:9d:c5:22:23:b4:21:2f:a8:65:99:cc:1c:7b:e9:0f:6c:6f:
cb:90:fe:4f:7f:ab:3d:99:a4:34:28:a3:0b
sha256 Fingerprint=B1:27:C6:FD:24:3F:32:82:86:EE:3A:68:28:B8:99:DF:ED:B1:5E:49:29:79:4B:11:4A:0A:AE:A6:8F:DC:64:9CRoot certificate (PEM) — publish to verifiers
-----BEGIN CERTIFICATE----- MIICejCCAgGgAwIBAgIUCQXr5oPUrkf9mLRvypFd9uoAkrAwCgYIKoZIzj0EAwIw ajETMBEGCgmSJomT8ixkARkWA2NvbTEaMBgGCgmSJomT8ixkARkWCnJheWtldGNo YW0xDDAKBgNVBAoMA0NBczEPMA0GA1UECwwGUm9vdENBMRgwFgYDVQQDDA9FeGFt cGxlIFJvb3QgQ0EwIBcNMjYwNzEwMTcyNjE3WhgPMjA4MTA3MTAxNzI2MTdaMGox EzARBgoJkiaJk/IsZAEZFgNjb20xGjAYBgoJkiaJk/IsZAEZFgpyYXlrZXRjaGFt MQwwCgYDVQQKDANDQXMxDzANBgNVBAsMBlJvb3RDQTEYMBYGA1UEAwwPRXhhbXBs ZSBSb290IENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJjsYDVAFbqWHxIPmwLWa EEwWkCcUHckiY5Vplsnuiz9YiwN0eJFvnMGbVakqZumTjrAXJuB2dImffhhlS5sd UyHp6BNhq/ffc7TabNf6hvTjCpgy2lTmk0Pd1e3+GHtco2YwZDAfBgNVHSMEGDAW gBSn0Sle9fpcdJVgBpRuOwha4aFzRDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1Ud DwEB/wQEAwIBBjAdBgNVHQ4EFgQUp9EpXvX6XHSVYAaUbjsIWuGhc0QwCgYIKoZI zj0EAwIDZwAwZAIwWppnvxXAt3mzwSZx/mQKUULVV87p9L02U5adNNC0QIkQNp2d Dqs6eTTpa5SLdTW+AjAUA342Ct69UOmUEyhbVv1J1f5TlhXnFsaARweKI7t67x5M gs05BZyKaXXBDPHfbM0= -----END CERTIFICATE-----
API: status /CRLs/tailnumber/api/v1/ca · anchor /CRLs/tailnumber/api/v1/ca/root
Usage metrics (from the audit log)
Operations per hour · last 24h
Operations per day · last 14d
By action
By digest algorithm
Generated 2026-07-11T23:43:46Z from 41 recent records · API: /api/v1/metrics.
Audit log (hash-chained)
✓ chain verified — 41 records
showing 41 · signs 22 · verifies 12 · create-key 1 · ca-setup 4 · top keys: tailnumber-codesign-01×21, tailnumber-legacy-rsa-01×1
Show 41 records
#412026-07-11T21:14:14Zrketchamverifytailnumber-codesign-01sha256192.168.1.1invalid
{
"action": "verify",
"actor": "rketcham",
"client_ip": "192.168.1.1",
"dev_mode": true,
"digest_alg": "sha256",
"key": "tailnumber-codesign-01",
"result": "invalid",
"seq": 41,
"ts": "2026-07-11T21:14:14Z"
}#402026-07-11T21:14:03Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
"action": "verify",
"actor": "rketcham",
"client_ip": "192.168.1.1",
"dev_mode": true,
"digest_alg": "sha256",
"key": "tailnumber-codesign-01",
"result": "ok",
"seq": 40,
"ts": "2026-07-11T21:14:03Z"
}#392026-07-11T21:14:02Zrketchamsigntailnumber-codesign-01sha256WJG1tSLV3whtD/Cx…192.168.1.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpfiw9htck/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#382026-07-10T19:38:01Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
"action": "verify",
"actor": "rketcham",
"client_ip": "192.168.1.1",
"dev_mode": true,
"digest_alg": "sha256",
"key": "tailnumber-codesign-01",
"result": "ok",
"seq": 38,
"ts": "2026-07-10T19:38:01Z"
}#372026-07-10T19:38:01Zrketchamsigntailnumber-codesign-01sha256Fv1z+ZkFwic5+Uv5…192.168.1.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = 16fd73f99905c22739f94bf9ea7ff470c632a9de12640e9c14b09fc489afff5a
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpw9kb6zd0/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#362026-07-10T19:37:04Zrketchamverify-batch192.168.1.1ok
{
"action": "verify-batch",
"actor": "rketcham",
"client_ip": "192.168.1.1",
"count": 1,
"dev_mode": true,
"result": "ok",
"seq": 36,
"ts": "2026-07-10T19:37:04Z"
}#352026-07-10T19:37:04Zrketchamsigntailnumber-codesign-01sha256HQyKqh/9k1FnjRIr…192.168.1.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = 1d0c8aaa1ffd9351678d122b33c218311cf539a2d1ac2a2c1a650513df71934f
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpp6jcmen8/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#342026-07-10T19:37:04Zrketchamsigntailnumber-codesign-01sha256HQyKqh/9k1FnjRIr…192.168.1.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = 1d0c8aaa1ffd9351678d122b33c218311cf539a2d1ac2a2c1a650513df71934f
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp_3w_ph0l/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#332026-07-10T19:37:04Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
"action": "verify",
"actor": "rketcham",
"client_ip": "192.168.1.1",
"dev_mode": true,
"digest_alg": "sha256",
"key": "tailnumber-codesign-01",
"result": "ok",
"seq": 33,
"ts": "2026-07-10T19:37:04Z"
}#322026-07-10T19:37:04Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
"action": "verify",
"actor": "rketcham",
"client_ip": "192.168.1.1",
"dev_mode": true,
"digest_alg": "sha256",
"key": "tailnumber-codesign-01",
"result": "ok",
"seq": 32,
"ts": "2026-07-10T19:37:04Z"
}#312026-07-10T19:37:04Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
"action": "verify",
"actor": "rketcham",
"client_ip": "192.168.1.1",
"dev_mode": true,
"digest_alg": "sha256",
"key": "tailnumber-codesign-01",
"profile": "digest-as-message",
"result": "ok",
"seq": 31,
"ts": "2026-07-10T19:37:04Z"
}#302026-07-10T19:37:03Zrketchamsigntailnumber-codesign-01sha256HQyKqh/9k1FnjRIr…192.168.1.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = 1d0c8aaa1ffd9351678d122b33c218311cf539a2d1ac2a2c1a650513df71934f
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpknzimpmd/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#292026-07-10T19:37:03Zrketchamsigntailnumber-codesign-01sha256HQyKqh/9k1FnjRIr…192.168.1.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = 1d0c8aaa1ffd9351678d122b33c218311cf539a2d1ac2a2c1a650513df71934f
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpjsxz916c/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#282026-07-10T19:37:03Zrketchamsigntailnumber-codesign-01sha256HQyKqh/9k1FnjRIr…192.168.1.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = 1d0c8aaa1ffd9351678d122b33c218311cf539a2d1ac2a2c1a650513df71934f
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp7okgea6k/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#272026-07-10T19:31:20Zrketchamverify-batch192.168.1.1ok
{
"action": "verify-batch",
"actor": "rketcham",
"client_ip": "192.168.1.1",
"count": 1,
"dev_mode": true,
"result": "ok",
"seq": 27,
"ts": "2026-07-10T19:31:20Z"
}#262026-07-10T19:31:20Zrketchamsigntailnumber-codesign-01sha256ii6wuZRM7JRFV4CL…192.168.1.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = 8a2eb0b9944cec944557808b0be6ec5e2e22d0eee944c3e1818f2ff0ad0dda07
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp1tot1_iv/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#252026-07-10T19:31:20Zrketchamsigntailnumber-codesign-01sha256ii6wuZRM7JRFV4CL…192.168.1.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = 8a2eb0b9944cec944557808b0be6ec5e2e22d0eee944c3e1818f2ff0ad0dda07
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp389mio8u/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#242026-07-10T19:30:30Zrketchamverifytailnumber-codesign-01sha256127.0.0.1ok
{
"action": "verify",
"actor": "rketcham",
"client_ip": "127.0.0.1",
"dev_mode": true,
"digest_alg": "sha256",
"key": "tailnumber-codesign-01",
"result": "ok",
"seq": 24,
"ts": "2026-07-10T19:30:30Z"
}#232026-07-10T19:30:30Zrketchamsigntailnumber-codesign-01sha256Ebox1VnsHlBVr2nC…127.0.0.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = 11ba31d559ec1e5055af69c282d690e9bc0313edc54b00b53c9f7b37436dac01
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmprsm7doyj/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#222026-07-10T19:30:29Zrketchamsigntailnumber-codesign-01sha256Ebox1VnsHlBVr2nC…127.0.0.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pkcs1-sha256 digest_alg=sha256
sha256(artifact) = 11ba31d559ec1e5055af69c282d690e9bc0313edc54b00b53c9f7b37436dac01
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp5p2ub92o/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256
Signature Verified Successfully
#212026-07-10T19:30:16Zrketchamsigntailnumber-codesign-01sha256dFQ1Auk/rUj6XxOC…127.0.0.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = 74543502e93fad48fa5f1382282a7f3ba09b79b36f360c357978f64fcac37ae4
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpnoi1mza0/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#202026-07-10T19:27:19Zrketchamsigntailnumber-codesign-01sha256LXEWQrcmsEQBYnyp…192.168.1.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = 2d711642b726b04401627ca9fbac32f5c8530fb1903cc4db02258717921a4881
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpsxyuabfb/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#192026-07-10T19:26:34Zrketchamsigntailnumber-codesign-01sha256+bFT9uyljY4/5/gW…192.168.1.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = f9b153f6eca58d8e3fe7f81641b122c508eeb0b0d21fdf2d10c62cf4c6a297e4
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpl1pzbz02/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#182026-07-10T19:26:34Zrketchamsigntailnumber-codesign-01sha256+bFT9uyljY4/5/gW…192.168.1.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = f9b153f6eca58d8e3fe7f81641b122c508eeb0b0d21fdf2d10c62cf4c6a297e4
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpcrcom0cw/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#172026-07-10T19:26:34Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
"action": "verify",
"actor": "rketcham",
"client_ip": "192.168.1.1",
"dev_mode": true,
"digest_alg": "sha256",
"key": "tailnumber-codesign-01",
"result": "ok",
"seq": 17,
"ts": "2026-07-10T19:26:34Z"
}#162026-07-10T19:26:34Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
"action": "verify",
"actor": "rketcham",
"client_ip": "192.168.1.1",
"dev_mode": true,
"digest_alg": "sha256",
"key": "tailnumber-codesign-01",
"result": "ok",
"seq": 16,
"ts": "2026-07-10T19:26:34Z"
}#152026-07-10T19:26:34Zrketchamverifytailnumber-codesign-01sha256192.168.1.1ok
{
"action": "verify",
"actor": "rketcham",
"client_ip": "192.168.1.1",
"dev_mode": true,
"digest_alg": "sha256",
"key": "tailnumber-codesign-01",
"profile": "digest-as-message",
"result": "ok",
"seq": 15,
"ts": "2026-07-10T19:26:34Z"
}#142026-07-10T19:26:33Zrketchamsigntailnumber-codesign-01sha256+bFT9uyljY4/5/gW…192.168.1.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = f9b153f6eca58d8e3fe7f81641b122c508eeb0b0d21fdf2d10c62cf4c6a297e4
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp8oxtwzee/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#132026-07-10T19:26:32Zrketchamsigntailnumber-codesign-01sha256+bFT9uyljY4/5/gW…192.168.1.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = f9b153f6eca58d8e3fe7f81641b122c508eeb0b0d21fdf2d10c62cf4c6a297e4
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpf_yfq9nc/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#122026-07-10T18:06:30Zrketchamsigntailnumber-codesign-01sha256gliwkMD5xj+msepO…50.19.209.220ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = 8258b090c0f9c63fa6b1ea4e40d5c9c3fb313362cd5b6bbfa4dd7e5e11dcb19c
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmpubekomnm/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#112026-07-10T17:56:54Zrketchamsigntailnumber-legacy-rsa-01sha25650.19.209.220error
{
"action": "sign",
"actor": "rketcham",
"client_ip": "50.19.209.220",
"dev_mode": true,
"digest_alg": "sha256",
"error": "unknown key label: tailnumber-legacy-rsa-01",
"key": "tailnumber-legacy-rsa-01",
"result": "error",
"seq": 11,
"ts": "2026-07-10T17:56:54Z"
}#102026-07-10T17:28:02Zrketchamverifytailnumber-codesign-01sha256127.0.0.1ok
{
"action": "verify",
"actor": "rketcham",
"client_ip": "127.0.0.1",
"dev_mode": true,
"digest_alg": "sha256",
"key": "tailnumber-codesign-01",
"profile": "digest-as-message",
"result": "ok",
"seq": 10,
"ts": "2026-07-10T17:28:02Z"
}#92026-07-10T17:28:02Zrketchamsigntailnumber-codesign-01sha2568FPsKtEQ7FIYPZrs…127.0.0.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = f053ec2ad110ec52183d9aec3c3c95620760eb409cc9acdad576e5c59aef3188
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp3c2y75un/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#82026-07-10T17:26:18Zrketchamverifytailnumber-codesign-01sha256127.0.0.1ok
{
"action": "verify",
"actor": "rketcham",
"client_ip": "127.0.0.1",
"dev_mode": true,
"digest_alg": "sha256",
"key": "tailnumber-codesign-01",
"result": "ok",
"seq": 8,
"ts": "2026-07-10T17:26:18Z"
}#72026-07-10T17:26:18Zrketchamsigntailnumber-codesign-01sha2569CkIQPINmF8aVpYi…127.0.0.1ok
Reproducible offline with just OpenSSL + the envelope.
key=tailnumber-codesign-01 sig_alg=rsa3072-pss-sha256 digest_alg=sha256
sha256(artifact) = f4290840f20d985f1a569622ee49d961092341cf55cc3537211756b9fac9f810
openssl x509 -in leaf.crt -pubkey -noout
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtN8pOen7dQz2HORMWNvl PCdy7WuwXAfH+Iy825jooEswqYiuNACQSzn7ZYUicNAoZHdb/VfBQAq8xkhV4R0V H0LP/zUkA+6477lR6MynrfP2rijzysc/e2xejSfNlGqPZ7yBp9vWEYwWPpzqrjm8 No/D7icDoqQChwrggRULxhCONNDRSNdNaNydoWGbQcRmFS9Sbj+Gp0cWraF+FM+i SnU0SiS4J4OB/LzaJMuGtdIjKId2EOITH91hheBGDO1rY62PXT1NiYlw6TXFKP+i VL7c+UUyAx+B2DE7PxlohUEGZcnlfgIraTIsY0PwDvFm1+b70SJDHhShGAHWBRto 527SQ4++tNVKVHauGzuQJDdpguPtZx+MqzFoVOKp0lgHKvFU367I3Rz57biXlvzg VZ5pk/bBESYKP9ex4X5VFmlLKFSHnXR2Prck/GUNQvpx9m39RIUNp/yLN3tTYPhk CVt7rRI53QlhFXg8IBFJQTikjtZU1TvkDjH5+BM4u7DtAgMBAAE= -----END PUBLIC KEY-----
openssl verify -CAfile tailnumber-signing-root.crt -untrusted issuing.crt leaf.crt
/run/tailnumber/tmp7leueq_u/leaf.crt: OK
openssl pkeyutl -verify -pubin -inkey pub.pem -in digest.bin -sigfile sig.bin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:digest
Signature Verified Successfully
#62026-07-10T17:26:17Zhsm-finishcreate-keytailnumber-codesign-01ok
{
"action": "create-key",
"actor": "hsm-finish",
"key": "tailnumber-codesign-01",
"provenance": {
"created_at": "2026-07-10T17:26:17Z",
"created_by": "hsm-finish",
"created_via": "tailnumber-keygen (local CLI)",
"reason": "SoftHSM cutover",
"usage": "code signing"
},
"result": "ok",
"seq": 6,
"ts": "2026-07-10T17:26:17Z",
"via": "tailnumber-keygen (local CLI)"
}#52026-07-10T17:26:17Zrketchamca-setup127.0.0.1ok
HSM CA in token 'tailnumber' via /usr/lib/softhsm/libsofthsm2.so
root key generated in HSM (label tn-root)
issuing key generated in HSM (label tn-issuing)
root + issuing certs issued (CA keys never leave the HSM)
key issuance (openssl)
openssl req -new -x509 -engine pkcs11 -keyform engine -key pkcs11:token=tailnumber;object=tn-root;type=private;pin-value=1553b211b35e -subj /DC=com/DC=rayketcham/O=CAs/OU=RootCA/CN=Example Root CA -days 20089 -addext basicConstraints=critical,CA:TRUE,pathlen:1 -addext keyUsage=critical,keyCertSign,cRLSign -addext subjectKeyIdentifier=hash -out /etc/tailnumber/keys/_ca/tailnumber-signing-root.crt
Engine "pkcs11" set.
openssl req -new -engine pkcs11 -keyform engine -key pkcs11:token=tailnumber;object=tn-issuing;type=private;pin-value=1553b211b35e -subj /DC=com/DC=rayketcham/O=CAs/OU=CodeSigningCA/CN=Example Code Signing Issuing CA -out /run/tailnumber/tmplnbqk6cl.csr
Engine "pkcs11" set.
openssl x509 -req -in /run/tailnumber/tmplnbqk6cl.csr -CA /etc/tailnumber/keys/_ca/tailnumber-signing-root.crt -CAkey pkcs11:token=tailnumber;object=tn-root;type=private;pin-value=1553b211b35e -CAkeyform engine -engine pkcs11 -set_serial 0xea040bb10da3f7bb78350cf024edd85e -days 19724 -extfile /run/tailnumber/tmpcc6inc_y.ext -out /etc/tailnumber/keys/_ca/tailnumber-signing-issuing.crt
Engine "pkcs11" set. Certificate request self-signature ok subject=DC = com, DC = rayketcham, O = CAs, OU = CodeSigningCA, CN = Example Code Signing Issuing CA
#42026-07-10T17:12:20Zrketchamca-setup127.0.0.1error
{
"action": "ca-setup",
"actor": "rketcham",
"client_ip": "127.0.0.1",
"dev_mode": true,
"error": "error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_GENERAL_ERROR (0x5)\nAborting.",
"result": "error",
"seq": 4,
"ts": "2026-07-10T17:12:20Z"
}#32026-07-10T16:42:51Zrketchamca-setup127.0.0.1error
{
"action": "ca-setup",
"actor": "rketcham",
"client_ip": "127.0.0.1",
"dev_mode": true,
"error": "error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_GENERAL_ERROR (0x5)\nAborting.",
"result": "error",
"seq": 3,
"ts": "2026-07-10T16:42:51Z"
}#22026-07-10T16:39:59Zrketchamsigntailnumber-codesign-01sha256127.0.0.1error
{
"action": "sign",
"actor": "rketcham",
"client_ip": "127.0.0.1",
"dev_mode": true,
"digest_alg": "sha256",
"error": "unknown key label: tailnumber-codesign-01",
"key": "tailnumber-codesign-01",
"result": "error",
"seq": 2,
"ts": "2026-07-10T16:39:59Z"
}#12026-07-10T16:39:59Zrketchamca-setup127.0.0.1error
{
"action": "ca-setup",
"actor": "rketcham",
"client_ip": "127.0.0.1",
"dev_mode": true,
"error": "error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_GENERAL_ERROR (0x5)\nAborting.",
"result": "error",
"seq": 1,
"ts": "2026-07-10T16:39:59Z"
}Every sign row expands to the full captured OpenSSL commands + output. API: /api/v1/audit, /audit/stats, /audit/search, /audit/export.