AureliaSRS Provenance Registry - Verification Log
================================================

Artifact: s3-bucket-module-v1.0.0.tar.gz
Digest: sha256:abc123def456789012345678901234567890abcdef123456789012345678901234
Verification Time: 2026-01-16T06:00:00Z
Verification System: aurelia-verify v0.5.3
Verification Node: verify-node-ca-01

================================================================================
VERIFICATION SUMMARY
================================================================================

Status: PASSED
Total Checks: 12
Passed: 12
Failed: 0
Warnings: 0

================================================================================
DIGEST VERIFICATION
================================================================================

[2026-01-16 06:00:01] INFO: Starting digest verification
[2026-01-16 06:00:01] INFO: Artifact size: 12345 bytes
[2026-01-16 06:00:01] INFO: Computing SHA-256 digest...
[2026-01-16 06:00:01] PASS: SHA-256 digest verified
  Expected: sha256:abc123def456789012345678901234567890abcdef123456789012345678901234
  Computed: sha256:abc123def456789012345678901234567890abcdef123456789012345678901234
  Match: YES

[2026-01-16 06:00:01] INFO: Computing SHA-512 digest...
[2026-01-16 06:00:01] PASS: SHA-512 digest verified
  Expected: sha512:def789ghi012345678901234567890abcdef123456789012345678901234567890123456789abcdef012345
  Computed: sha512:def789ghi012345678901234567890abcdef123456789012345678901234567890123456789abcdef012345
  Match: YES

[2026-01-16 06:00:01] INFO: Computing BLAKE3 digest...
[2026-01-16 06:00:01] PASS: BLAKE3 digest verified
  Expected: blake3:jkl678mno901234567890abcdef123456789012345678901234
  Computed: blake3:jkl678mno901234567890abcdef123456789012345678901234
  Match: YES

[2026-01-16 06:00:01] INFO: All digest algorithms verified successfully

================================================================================
SIGNATURE VERIFICATION
================================================================================

[2026-01-16 06:00:02] INFO: Starting signature verification
[2026-01-16 06:00:02] INFO: Found 2 signature(s) to verify

--- Signature 1: AureliaSRS Primary Key ---
[2026-01-16 06:00:02] INFO: Key ID: 4096R/ABCD1234
[2026-01-16 06:00:02] INFO: Fingerprint: 1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678
[2026-01-16 06:00:02] INFO: Algorithm: pgp
[2026-01-16 06:00:02] INFO: Signed at: 2026-01-15T10:00:00Z

[2026-01-16 06:00:02] INFO: Attempting to retrieve key from keyservers...
[2026-01-16 06:00:02] INFO: Trying: https://keys.openpgp.org/vks/v1/by-fingerprint/1234567890ABCDEF
[2026-01-16 06:00:03] PASS: Key retrieved successfully
[2026-01-16 06:00:03] INFO: Key details:
  Type: RSA 4096-bit
  Created: 2024-03-15
  Expires: 2027-03-15
  Usage: Sign, Certify

[2026-01-16 06:00:03] INFO: Verifying PGP signature...
[2026-01-16 06:00:03] PASS: Signature valid
  Signer: AureliaSRS Primary Key
  Key ID: 4096R/ABCD1234
  Signature created: 2026-01-15T10:00:00Z
  Signature algorithm: RSA with SHA-256

[2026-01-16 06:00:03] INFO: Checking key trust level...
[2026-01-16 06:00:03] INFO: Key found in 3 trust anchors:
  - OpenPGP keyserver (verified)
  - Keybase.io (verified)
  - keys.aureliasrs.ca (verified)
[2026-01-16 06:00:03] PASS: Key trust verified

--- Signature 2: AureliaSRS Backup Key ---
[2026-01-16 06:00:04] INFO: Key ID: 2048R/WXYZ9876
[2026-01-16 06:00:04] INFO: Fingerprint: 9876 5432 10FE DCBA 9876 5432 10FE DCBA 9876 5432
[2026-01-16 06:00:04] INFO: Algorithm: pgp
[2026-01-16 06:00:04] INFO: Signed at: 2026-01-15T10:01:00Z

[2026-01-16 06:00:04] INFO: Attempting to retrieve key from keyservers...
[2026-01-16 06:00:04] INFO: Trying: https://keys.openpgp.org/vks/v1/by-fingerprint/987654321 0FEDCBA
[2026-01-16 06:00:05] PASS: Key retrieved successfully
[2026-01-16 06:00:05] INFO: Key details:
  Type: RSA 2048-bit
  Created: 2024-06-20
  Expires: 2027-06-20
  Usage: Sign

[2026-01-16 06:00:05] INFO: Verifying PGP signature...
[2026-01-16 06:00:05] PASS: Signature valid
  Signer: AureliaSRS Backup Key
  Key ID: 2048R/WXYZ9876
  Signature created: 2026-01-15T10:01:00Z
  Signature algorithm: RSA with SHA-256

[2026-01-16 06:00:05] INFO: All signatures verified successfully (2/2)

================================================================================
EXTERNAL ATTESTATIONS
================================================================================

[2026-01-16 06:00:06] INFO: Starting external attestation verification
[2026-01-16 06:00:06] INFO: Found 2 attestation(s) to verify

--- Attestation 1: Sigstore Rekor Transparency Log ---
[2026-01-16 06:00:06] INFO: Type: transparency-log
[2026-01-16 06:00:06] INFO: Timestamp: 2026-01-15T10:05:00Z
[2026-01-16 06:00:06] INFO: Log URL: https://rekor.sigstore.dev/api/v1/log/entries/1234567890abcdef

[2026-01-16 06:00:06] INFO: Fetching transparency log entry...
[2026-01-16 06:00:07] PASS: Transparency log entry found
[2026-01-16 06:00:07] INFO: Entry ID: 1234567890abcdef
[2026-01-16 06:00:07] INFO: Log index: 98765432
[2026-01-16 06:00:07] INFO: Integrated time: 2026-01-15T10:05:03Z

[2026-01-16 06:00:07] INFO: Verifying log entry signature...
[2026-01-16 06:00:07] PASS: Log entry signature valid
[2026-01-16 06:00:07] INFO: Verifying artifact hash in log entry...
[2026-01-16 06:00:07] PASS: Artifact hash matches log entry
  Log entry hash: sha256:abc123def456789012345678901234567890abcdef123456789012345678901234
  Artifact hash:  sha256:abc123def456789012345678901234567890abcdef123456789012345678901234

--- Attestation 2: Trivy Security Scanner ---
[2026-01-16 06:00:08] INFO: Type: vulnerability-scan
[2026-01-16 06:00:08] INFO: Timestamp: 2026-01-15T11:00:00Z
[2026-01-16 06:00:08] INFO: Report URL: https://example.com/scan-reports/sha256-abc123def456

[2026-01-16 06:00:08] INFO: Fetching security scan report...
[2026-01-16 06:00:09] PASS: Security scan report retrieved
[2026-01-16 06:00:09] INFO: Scanner: Trivy v0.48.3
[2026-01-16 06:00:09] INFO: Scan completed: 2026-01-15T11:00:00Z
[2026-01-16 06:00:09] INFO: Vulnerability summary:
  Critical: 0
  High: 0
  Medium: 0
  Low: 2
[2026-01-16 06:00:09] PASS: No critical or high vulnerabilities detected

[2026-01-16 06:00:09] INFO: All attestations verified successfully (2/2)

================================================================================
PROVENANCE VERIFICATION
================================================================================

[2026-01-16 06:00:10] INFO: Starting provenance metadata verification
[2026-01-16 06:00:10] INFO: Build system: gitea-actions
[2026-01-16 06:00:10] INFO: Builder: Gitea Actions (ubuntu-22.04)
[2026-01-16 06:00:10] INFO: Build node: build-node-ca-01
[2026-01-16 06:00:10] INFO: Reproducible build: Yes

[2026-01-16 06:00:10] INFO: Verifying SBOM...
[2026-01-16 06:00:10] INFO: SBOM format: cyclonedx
[2026-01-16 06:00:10] INFO: SBOM URL: https://provenance.aureliasrs.ca/sbom/sha256-abc123def456.json
[2026-01-16 06:00:10] INFO: Expected SBOM digest: sha256:sbom123456789abcdef012345678901234567890abcdef

[2026-01-16 06:00:10] INFO: Fetching SBOM...
[2026-01-16 06:00:11] PASS: SBOM retrieved successfully
[2026-01-16 06:00:11] INFO: Computing SBOM digest...
[2026-01-16 06:00:11] PASS: SBOM digest verified
  Expected: sha256:sbom123456789abcdef012345678901234567890abcdef
  Computed: sha256:sbom123456789abcdef012345678901234567890abcdef

[2026-01-16 06:00:11] INFO: Validating SBOM format...
[2026-01-16 06:00:11] PASS: SBOM format valid (CycloneDX 1.5)
[2026-01-16 06:00:11] INFO: SBOM components: 47
[2026-01-16 06:00:11] INFO: SBOM dependencies: 189

[2026-01-16 06:00:11] INFO: Verifying build environment metadata...
[2026-01-16 06:00:11] PASS: Build environment metadata present and valid
  OS: Ubuntu 22.04.3 LTS
  Kernel: 5.15.0-91-generic
  Architecture: x86_64
  Container Runtime: docker-24.0.7
  Toolchain components: 3

[2026-01-16 06:00:11] INFO: Provenance verification complete

================================================================================
POLICY CHECKS
================================================================================

[2026-01-16 06:00:12] INFO: Running policy checks...

[2026-01-16 06:00:12] PASS: Policy check: minimum-signature-count
  Required: 1
  Found: 2

[2026-01-16 06:00:12] PASS: Policy check: digest-algorithm-approved
  Required algorithms: sha256, sha512
  Found algorithms: sha256, sha512, blake3

[2026-01-16 06:00:12] PASS: Policy check: signature-key-strength
  Required: >= 2048 bits
  Primary key: 4096 bits (RSA)
  Backup key: 2048 bits (RSA)

[2026-01-16 06:00:12] PASS: Policy check: signature-freshness
  Required: <= 7 days
  Primary signature age: 1 day
  Backup signature age: 1 day

[2026-01-16 06:00:12] PASS: Policy check: transparency-log-required
  Required: Yes
  Found: Sigstore Rekor entry

[2026-01-16 06:00:12] PASS: Policy check: vulnerability-scan-required
  Required: Yes
  Found: Trivy scan report

[2026-01-16 06:00:12] PASS: Policy check: sbom-required
  Required: Yes
  Found: CycloneDX SBOM

[2026-01-16 06:00:12] PASS: Policy check: reproducible-build-preferred
  Preferred: Yes
  Found: Yes

[2026-01-16 06:00:12] INFO: All policy checks passed (8/8)

================================================================================
VERIFICATION COMPLETE
================================================================================

Final Status: PASSED
Total Duration: 11 seconds
Verified By: aurelia-verify v0.5.3
Verification Node: verify-node-ca-01
Verification ID: verify-20260116-060000-abc123

Summary:
  ✓ Digest verification: PASSED (3/3 algorithms)
  ✓ Signature verification: PASSED (2/2 signatures)
  ✓ External attestations: PASSED (2/2 attestations)
  ✓ Provenance verification: PASSED
  ✓ Policy compliance: PASSED (8/8 checks)

This artifact has been independently verified and meets all requirements for
the AureliaSRS Provenance Registry. The verification process confirms:

1. Artifact integrity through multiple cryptographic hash algorithms
2. Authenticity through multiple PGP signatures from trusted keys
3. Transparency through public immutable log entry
4. Security through vulnerability scanning
5. Supply chain transparency through SBOM
6. Build reproducibility through environment metadata
7. Policy compliance for all registry requirements

Artifact is APPROVED for use in production environments.

For questions or concerns about this verification, contact:
  Email: security@aureliasrs.ca
  Web: https://provenance.aureliasrs.ca/

================================================================================
End of verification log
Generated: 2026-01-16T06:00:12Z
Verification system: aurelia-verify v0.5.3 (build 2026-01-10)
Log format version: 1.0
================================================================================