signedshot-validator 0.1.7

Validator for SignedShot media authenticity proofs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206

# SignedShot Validator

Verify SignedShot media authenticity proofs. Available as a Rust CLI and Python library.

[![PyPI](https://img.shields.io/pypi/v/signedshot)](https://pypi.org/project/signedshot/)
[![crates.io](https://img.shields.io/crates/v/signedshot-validator)](https://crates.io/crates/signedshot-validator)
[![CI](https://github.com/SignedShot/signedshot-validator/actions/workflows/ci.yml/badge.svg)](https://github.com/SignedShot/signedshot-validator/actions/workflows/ci.yml)

## Overview

SignedShot is an open protocol for proving photos and videos haven't been altered since capture. This validator verifies the cryptographic proofs (sidecars) generated by the SignedShot iOS SDK.

## Installation

### Python (PyPI)

```bash
pip install signedshot
```

### Rust (Cargo)

```bash
cargo install signedshot-validator
```

## Python Library

```python
import signedshot

# Validate from files
result = signedshot.validate_files("photo.sidecar.json", "photo.jpg")

print(result.valid)           # True/False
print(result.version)         # Sidecar format version
print(result.error)           # Error message if validation failed

# Capture trust (JWT verification)
trust = result.capture_trust
print(trust["signature_valid"])  # JWT signature verified
print(trust["issuer"])           # API that issued the token
print(trust["publisher_id"])     # Publisher ID
print(trust["device_id"])        # Device ID
print(trust["capture_id"])       # Capture session ID
print(trust["method"])           # Attestation: "sandbox", "app_check", or "app_attest"
print(trust["app_id"])           # App bundle ID (if attested)
print(trust["issued_at"])        # Unix timestamp

# Media integrity (content verification)
integrity = result.media_integrity
print(integrity["content_hash_valid"])  # SHA-256 hash matches
print(integrity["signature_valid"])     # ECDSA signature verified
print(integrity["capture_id_match"])    # Capture IDs match
print(integrity["content_hash"])        # SHA-256 of media
print(integrity["captured_at"])         # ISO8601 timestamp
```

### Validate from Bytes

```python
# Validate from in-memory data
with open("photo.sidecar.json") as f:
    sidecar_json = f.read()
with open("photo.jpg", "rb") as f:
    media_bytes = f.read()

result = signedshot.validate(sidecar_json, media_bytes)
```

### Validate with Pre-loaded JWKS

```python
# Avoid HTTP call by providing JWKS directly
import requests

jwks = requests.get("https://api.signedshot.io/.well-known/jwks.json").text
result = signedshot.validate_with_jwks(sidecar_json, media_bytes, jwks)
```

### Convert to Dict/JSON

```python
# Get result as dictionary
data = result.to_dict()

# Get result as JSON string
json_str = result.to_json()
```

## CLI Usage

### Validate Media

```bash
# Basic validation
signedshot validate photo.sidecar.json photo.jpg

# Output as JSON
signedshot validate photo.sidecar.json photo.jpg --json
```

### Parse Sidecar (without validation)

```bash
signedshot parse photo.sidecar.json
```

### Example Output

```
Validating sidecar: photo.sidecar.json
Media file: photo.jpg
[OK] Sidecar parsed
[OK] JWT decoded
  Issuer: https://api.signedshot.io
  Publisher: 9a5b1062-a8fe-4871-bdc1-fe54e96cbf1c
  Device: ea5c9bfe-6bbc-4ee2-b82d-0bcfcc185ef1
  Capture: ac85dbd2-d8a8-4d0b-9e39-2feef5f7b19f
  Method: app_check
  App ID: io.signedshot.capture
[OK] JWT signature verified
[OK] Content hash matches
[OK] Media signature verified
[OK] Capture IDs match

✓ VALID - Media authenticity verified
```

## What It Validates

### 1. Capture Trust (JWT)

- Fetches JWKS from issuer (or uses provided keys)
- Verifies ES256 (P-256 ECDSA) signature
- Extracts claims: publisher, device, capture ID, attestation method

### 2. Media Integrity

- Computes SHA-256 hash of media file
- Compares with `content_hash` in sidecar
- Verifies ECDSA signature over integrity data
- Confirms `capture_id` matches JWT

### 3. Cross-Validation

- Ensures capture_id in JWT matches capture_id in media_integrity
- Validates all timestamps and formats

## Building from Source

### Rust CLI

```bash
git clone https://github.com/SignedShot/signedshot-validator.git
cd signedshot-validator

cargo build --release
./target/release/signedshot --help
```

### Python Wheels

```bash
# Install maturin
pip install maturin

# Build wheel
cd python
maturin build --release

# Install locally
pip install ../target/wheels/signedshot-*.whl
```

## Development

```bash
# Format
cargo fmt

# Lint
cargo clippy -- -D warnings

# Test
cargo test

# Build
cargo build --release
```

## Related Repositories

- [signedshot-api](https://github.com/SignedShot/signedshot-api) - Backend API
- [signedshot-ios](https://github.com/SignedShot/signedshot-ios) - iOS SDK

## Links

- [PyPI Package](https://pypi.org/project/signedshot/)
- [Website](https://signedshot.io)
- [Documentation](https://signedshot.io/docs)
- [Interactive Demo](https://signedshot.io/demo)

## License

MIT License - see [LICENSE](LICENSE) for details.