Certificate signature verification confirms that a certification artifact was issued by a trusted authority and has not been altered since issuance. CertifiedData uses Ed25519 digital signatures so any verifier can independently confirm certificate authenticity without contacting the issuer.
A valid signature proves two things simultaneously: the certificate was produced by CertifiedData, and the certificate contents have not been modified since signing.
Step-by-step: verifying a certificate signature
Certificate signature verification requires the certificate JSON and CertifiedData's published public key. No API access, account, or issuer contact is required.
- Retrieve the certificate JSON from certifieddata.io/verify/{id} or the registry endpoint
- Extract the signature field (base64url-encoded Ed25519 signature)
- Reconstruct the signed payload — all certificate fields except the signature
- Load CertifiedData's Ed25519 public key from the well-known registry endpoint
- Run Ed25519 verify: verify(signature, payload, public_key)
- If result is true, the certificate is authentic and unmodified
- If result is false, the certificate has been tampered with or was not issued by CertifiedData
What a valid signature proves
A valid Ed25519 signature confirms that the certificate payload was signed by the holder of CertifiedData's private key — and that the payload has not been altered since signing. This means the certification_id, timestamp, issuer, dataset_hash, algorithm, and all other fields are exactly as issued.
It does not independently confirm the dataset itself — that requires fingerprint verification. The two checks together provide complete verification.
What happens when signature verification fails
A failed signature check means one of the following: the certificate was modified after issuance, the certificate was not issued by CertifiedData, or the certificate JSON was corrupted in transit. In all cases, the certificate should not be trusted.
A failed signature is not a recoverable error — it indicates a fundamental integrity problem with the certificate record.
Why signatures matter for AI governance
Without signatures, a certification record could be forged or altered by any party with access to the JSON. A forged certificate could falsely claim a dataset was certified by CertifiedData.
Ed25519 signatures make forgery computationally infeasible. Only the holder of the private key can produce a valid signature. Combined with public key distribution, this creates a trust model that is fully verifiable without depending on the issuer's availability.
Frequently asked questions
What if signature verification fails?
The certificate is either invalid or has been tampered with. It should not be used for compliance or governance documentation.
Is the public key required for verification?
Yes. Ed25519 signature verification requires the corresponding public key. CertifiedData publishes its public key at the well-known registry endpoint.
Does signature verification confirm the dataset is correct?
No — signature verification confirms the certificate is authentic. Dataset integrity requires a separate SHA-256 fingerprint comparison against the dataset_hash field.
Verify a certificate signature
CertifiedData publishes its Ed25519 public key for independent verification. Any party can validate certificate authenticity without contacting the issuer.