Signature Verification
The Cryptography Bill of Materials (CBOM) is also signed with ML-DSA-65 (NIST FIPS 204) after every automated update. You can independently verify that the CBOM you are viewing matches the one generated by the scanner — without trusting this website.
The scanner writes cbom.json and immediately signs its exact UTF-8 content with the same private key used for articles. The signature is stored in cbom.sig alongside the CBOM. Verification fetches both files directly from this server and runs ML-DSA-65 entirely in your browser — no external servers, no trust required.
Public Key (ML-DSA-65)
48904116e9d8f6f65aa54c03c32b8a1f81519744…daadaaa4c456dfc1
Signed Message Format
UTF-8 (cbom.json)
The signed message is the exact UTF-8 byte sequence of cbom.json as written by the scanner (JSON.stringify with 2-space indentation). Nothing is added or removed — what you verify is exactly what is served at /cbom.json.
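The input handling around that check, as an added example that is not this site's verification code: it verifies the bytes exactly as fetched, rejects inputs whose lengths cannot be ML-DSA-65 values, and reports when a failing file is no longer in the scanner's serialization. Assumptions: the ML-DSA-65 routine is supplied by the caller as `verify(publicKey, message, signature)` (a hypothetical signature, adapt it to your library), and `sigBytes` is the already-decoded content of cbom.sig, whose on-disk encoding the page does not state.

```javascript
// Added example (not the site's code). `verify` is a caller-supplied ML-DSA-65
// routine, assumed here to be verify(publicKey, message, signature) -> boolean.
const ML_DSA_65_PUBLIC_KEY_BYTES = 1952; // FIPS 204 size for ML-DSA-65
const ML_DSA_65_SIGNATURE_BYTES = 3309; // FIPS 204 size for ML-DSA-65

function hexToBytes(hex) {
  if (typeof hex !== "string" || hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    throw new Error("public key is not valid hex");
  }
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  return out;
}

// True when the bytes are exactly what JSON.stringify(value, null, 2) emits:
// valid UTF-8, no BOM, no trailing newline, no CRLF or re-indentation.
function isScannerSerialization(cbomBytes) {
  try {
    const text = new TextDecoder("utf-8", { fatal: true, ignoreBOM: true }).decode(cbomBytes);
    return JSON.stringify(JSON.parse(text), null, 2) === text;
  } catch {
    return false;
  }
}

// cbomBytes: body of /cbom.json as raw bytes (e.g. from response.arrayBuffer()),
// never a parsed-and-re-serialized copy. sigBytes: decoded content of cbom.sig.
function verifyCbom(cbomBytes, sigBytes, publicKeyHex, verify) {
  const publicKey = hexToBytes(publicKeyHex);
  if (publicKey.length !== ML_DSA_65_PUBLIC_KEY_BYTES) {
    return { ok: false, reason: "bad public key length" };
  }
  if (sigBytes.length !== ML_DSA_65_SIGNATURE_BYTES) {
    return { ok: false, reason: "bad signature length" };
  }
  if (verify(publicKey, cbomBytes, sigBytes)) return { ok: true, reason: "signature valid" };
  // Diagnostic only: the signature decides; this explains a likely cause.
  const hint = isScannerSerialization(cbomBytes)
    ? ""
    : "; bytes are not in the scanner's JSON.stringify 2-space form";
  return { ok: false, reason: "signature invalid" + hint };
}
```

A proxy or editor that appends a newline, converts line endings or prepends a BOM changes the signed bytes, which is why the message must come from the raw response body.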