ChronoVerify

Verify a ChronoVerify signed report

Check that a ChronoVerify report carries a valid signature over the findings it lists, including the file's SHA-256. It confirms the report is genuine and unaltered, and you can hash your copy of the file to confirm it is the one described. It runs in your browser.

Paste the three blocks printed in the Integrity substrate section of a ChronoVerify PDF report. Verification runs in your browser using the Ed25519 public key; nothing is uploaded. The signing public key is prefilled with the key currently published at /v1/key; to verify a report signed by a rotated-out key, paste the key embedded in that report instead.

What this does and does not tell you

This checks that a ChronoVerify report carries a valid ChronoVerify signature over the findings it lists, including the SHA-256 of the file it describes. It confirms the report is genuine and has not been altered. It does not re-assess the underlying photo, and it does not prove the depicted scene is true. The signature covers the file-derived findings only; the issued time and request id are unsigned context. Verification runs in your browser.
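The two checks described above (signature over the signed payload, then hashing your own copy of the file), as an added example that is not ChronoVerify's own code. It uses Node.js crypto in place of the in-browser verifier and assumes the signed payload is JSON with a "sha256" hex field, which the page does not specify; verifyReport and demo are hypothetical names, and the key pairs, payload and file bytes are constructed.

```javascript
// Added example: Node.js crypto stands in for the page's in-browser verifier.
const nodeCrypto = require('node:crypto');

// DER prefix that wraps a raw 32-byte Ed25519 public key as SubjectPublicKeyInfo (RFC 8410).
const SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');

// Returns { signatureValid, fileMatches }. Assumes base64 inputs and a JSON payload
// with a "sha256" hex field (assumed layout, not ChronoVerify's documented format).
function verifyReport(signatureB64, publicKeyB64, payloadText, fileBytes) {
  const rawKey = Buffer.from(publicKeyB64, 'base64');
  const sig = Buffer.from(signatureB64, 'base64');
  if (rawKey.length !== 32 || sig.length !== 64) {
    return { signatureValid: false, fileMatches: false };
  }
  const key = nodeCrypto.createPublicKey({
    key: Buffer.concat([SPKI_PREFIX, rawKey]), format: 'der', type: 'spki',
  });
  // Verify over the exact payload bytes as pasted; never re-serialise before checking.
  const signatureValid = nodeCrypto.verify(null, Buffer.from(payloadText, 'utf8'), key, sig);
  if (!signatureValid) return { signatureValid, fileMatches: false };
  // Read payload fields only after the signature has checked out.
  let claimed;
  try { claimed = String(JSON.parse(payloadText).sha256 || '').toLowerCase(); } catch { claimed = ''; }
  const actual = nodeCrypto.createHash('sha256').update(fileBytes).digest('hex');
  return { signatureValid, fileMatches: claimed === actual };
}

// Constructed demo: throwaway key pairs and a sample report, not real ChronoVerify data.
function demo() {
  const signer = nodeCrypto.generateKeyPairSync('ed25519');   // key embedded in the report
  const current = nodeCrypto.generateKeyPairSync('ed25519');  // a different, later key
  const rawB64 = (k) => k.export({ format: 'der', type: 'spki' }).subarray(12).toString('base64');
  const file = Buffer.from('constructed sample image bytes');
  const sha256 = nodeCrypto.createHash('sha256').update(file).digest('hex');
  const payload = JSON.stringify({ sha256, findings: ['constructed finding'] });
  const sigB64 = nodeCrypto.sign(null, Buffer.from(payload), signer.privateKey).toString('base64');
  return {
    genuine: verifyReport(sigB64, rawB64(signer.publicKey), payload, file),
    editedPayload: verifyReport(sigB64, rawB64(signer.publicKey), payload.replace('constructed', 'edited'), file),
    otherFile: verifyReport(sigB64, rawB64(signer.publicKey), payload, Buffer.from('a different file')),
    rotatedKey: verifyReport(sigB64, rawB64(current.publicKey), payload, file),
  };
}
```

The otherFile case is the one to note: the signature is still valid, because it covers the payload, but the copy of the file in hand is not the one the report describes.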

Common questions

Where do I find these three values?

In a ChronoVerify PDF report, under the Integrity substrate section: the Report signature (Ed25519), the Signing public key (b64), and the Signed payload block. The report also prints these step-by-step instructions.

What exactly does a valid result confirm?

That ChronoVerify issued this report, that its findings have not been altered, and that the report describes the file whose SHA-256 it lists. It does not re-analyse the photo and does not prove the scene is true.

Why prefill the public key from /v1/key?

It is the key ChronoVerify currently signs with. Because the service may rotate keys, a report stays verifiable against the key embedded in that report. If a report was signed by an older key, paste that report's embedded key to verify it.

Is the trusted timestamp verified here?

No. The RFC 3161 timestamp token is not embedded in the report, so the issued time is unsigned context and is not independently verifiable from the PDF alone.

Signed, timestamped audit reports are a single ChronoVerify API call, the chain-of-custody artifact for compliance and claims workflows. See pricing, or run a photo through the full verifier.
