Verify a RunsWith receipt

Every analysis RunsWith serves is signed with Ed25519 at the moment it is produced. Anyone - customer or stranger - can check a receipt without trusting us or contacting us.

What a receipt shows

  • Non-repudiation: the receipt was signed by the key RunsWith publishes. We cannot later deny having produced this analysis.
  • Tamper-evidence: if anyone alters the analysis after signing - a provider name, a count, a timestamp - the signature and hashes stop matching.
  • Lineage: each receipt links to the Connor scan observation it was derived from, so an analysis is traceable back to the raw DNS read.

What a receipt does not show: that the underlying DNS answer was true. DNS can change between scans, and a resolver can be lied to. A receipt makes our observation verifiable - it does not make the observation an oracle.

Published signing keys

runswith/analyst
ed25519:85124fa5e4887fc467c87cb69ce582ac9f1cf20909cba89bf5082985d343c36e

Full key history (rotations, supersessions) at /.well-known/runswith-keys.json.

Paste a receipt

Verification runs entirely in your browser via Web Crypto. Nothing you paste is sent anywhere.

Verify from the command line

Fetch the published keys, grab a receipt from any domain page (it is embedded in the page data and returned by the API), and check the signature with the open-source drm3-provenance library:

# published keys (public, no auth)
curl -s https://runswith.dns.drm3.network/.well-known/runswith-keys.json

# a receipt (API access requires an X-RunsWith-Key header)
curl -s https://runswith.dns.drm3.network/runswith/v1/domains/stripe.com \
  -H 'X-RunsWith-Key: YOUR_KEY' | jq -r .provenance

With the drm3-provenance WASM bindings (pkg-web target):

import init, { Receipt } from './drm3_provenance.js';
await init();
const ok = Receipt.fromJson(receiptJson).verify(); // Ed25519 check

The signed payload is the canonical JSON (recursively sorted keys, compact) of the receipt fields minus the signature. The in-browser module on this page implements the same algorithm in ~100 lines - view source at /static/provenance-verify.js.
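The canonicalize-then-verify step described above, as an added Node.js example (it is not RunsWith's provenance-verify.js or the drm3-provenance code). It assumes the receipt carries a hex-encoded `signature` field and that scalars are serialized as JSON.stringify does; the receipt fields and key in the demo are constructed.

```javascript
// Added example; not RunsWith's /static/provenance-verify.js or drm3-provenance.
// Assumed: hex "signature" field in the receipt, keys written as "ed25519:<hex>".
const { createPublicKey, generateKeyPairSync, sign, verify } = require('node:crypto');

// Canonical JSON as the page describes it: keys sorted recursively, compact.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    const members = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k]));
    return '{' + members.join(',') + '}';
  }
  return JSON.stringify(value); // scalar formatting is JSON.stringify's (assumption)
}

// Wrap the raw 32-byte public key in the fixed Ed25519 SPKI DER header.
function publicKeyFromPublished(published) {
  const m = /^ed25519:([0-9a-f]{64})$/.exec(published);
  if (!m) throw new Error('expected ed25519:<64 hex chars>');
  const header = Buffer.from('302a300506032b6570032100', 'hex');
  const der = Buffer.concat([header, Buffer.from(m[1], 'hex')]);
  return createPublicKey({ key: der, format: 'der', type: 'spki' });
}

// trustedKey comes from the published key list, never from the receipt itself.
function verifyReceipt(receipt, trustedKey) {
  const { signature, ...fields } = receipt;
  if (typeof signature !== 'string' || !/^[0-9a-f]{128}$/.test(signature)) return false;
  const payload = Buffer.from(canonicalize(fields), 'utf8');
  const key = publicKeyFromPublished(trustedKey);
  return verify(null, payload, key, Buffer.from(signature, 'hex'));
}

// Constructed demo: a throwaway key signs a made-up receipt, then one field changes.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const raw = publicKey.export({ format: 'der', type: 'spki' }).subarray(12);
  const trusted = 'ed25519:' + raw.toString('hex');
  const fields = { domain: 'example.test', services: 3, scan: { id: 'obs-1' } };
  const signature = sign(null, Buffer.from(canonicalize(fields)), privateKey).toString('hex');
  const receipt = { signature, ...fields };
  const reordered = { scan: { id: 'obs-1' }, services: 3, signature, domain: 'example.test' };
  const tampered = { ...receipt, services: 4 };
  return [receipt, reordered, tampered].map((r) => verifyReceipt(r, trusted));
}

console.log(demo());
```

Key order in the received JSON does not affect the result because the payload is re-canonicalized before the check; any change to a signed value does.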

Embed a signed badge

Any domain page carries a live, signed badge you can embed on your own site. It shows the detected service count and the short id of the latest Ed25519 receipt, and links back to the full evidence. It attests a verified observation - not that the site is safe. Here is the badge for stripe.com:

Get the badge

Embed a live, signed RunsWith badge for stripe.com. It refreshes from our latest analysis and links back to this page. It attests a verified observation - not that the site is safe.

<a href="https://runswith.dns.drm3.network/domain/stripe.com"><img src="https://runswith.dns.drm3.network/badge/stripe.com.svg" alt="RunsWith: verified observation for stripe.com" width="240" height="72"></a>

The short id on the badge is that of the latest Ed25519 receipt - verify it at /verify.