# Proof verification

## Purpose

- Verify DSSE bundles and transparency proofs for scan and score evidence.

## Components

- DSSE envelope and signature bundle.
- Certificate chain and trust roots.
- Rekor inclusion proof and checkpoint when online.

## Basic verification

- Verify DSSE signature against trusted roots.
- Confirm subject digest matches expected artifact.
- Validate Merkle inclusion proof when available.

## Offline verification

- Use embedded proofs and local trust bundles.
- Skip online Rekor queries in sealed mode.
- Record verification results in timeline events.

## Transparency log integration

- Check Rekor entry status and inclusion proof.
- When Rekor is unavailable, rely on cached checkpoint and proofs.

## Troubleshooting cues

- DSSE signature invalid: check key rotation or trust anchors.
- Merkle root mismatch: verify checkpoint and bundle integrity.
- Certificate chain failure: refresh trust roots.

## Monitoring

- Track verification latency and failure counts.
- Alert on certificate expiry or rising verification failures.

## Related references

- provenance/attestation-workflow.md
- release/promotion-attestations.md
- docs/operations/proof-verification-runbook.md
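
The Merkle inclusion check listed under basic verification, and the "Merkle root mismatch" cue, shown as an added Python example that is not this project's own code. It assumes RFC 6962 SHA-256 hashing as used by Rekor; the function names and sample entries are constructed for illustration.

```python
import hashlib
import hmac

# Added example: names and sample data are illustrative, not the project's API.
def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()  # RFC 6962 leaf prefix

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # interior-node prefix

def root_from_proof(index, tree_size, leaf, proof):
    """Recompute the tree root from a leaf hash and its audit path."""
    if not 0 <= index < tree_size:
        raise ValueError("leaf index outside tree")
    fn, sn, r = index, tree_size - 1, leaf
    for p in proof:
        if sn == 0:
            raise ValueError("proof longer than tree depth")
        if (fn & 1) or fn == sn:
            r = node_hash(p, r)  # sibling is on the left
            while (fn & 1) == 0 and fn != 0:
                fn, sn = fn >> 1, sn >> 1  # skip levels with no right sibling
        else:
            r = node_hash(r, p)  # sibling is on the right
        fn, sn = fn >> 1, sn >> 1
    if sn != 0:
        raise ValueError("proof shorter than tree depth")
    return r

def verify_inclusion(entry, index, tree_size, proof, checkpoint_root) -> bool:
    """True only if the proof links the entry to the checkpoint's root hash."""
    try:
        root = root_from_proof(index, tree_size, leaf_hash(entry), proof)
    except ValueError:
        return False  # malformed proof is reported as a failed verification
    return hmac.compare_digest(root, checkpoint_root)

# Constructed-data helper: build an RFC 6962 tree, return (root, audit path for leaf m).
def build_tree(leaves, m):
    if len(leaves) == 1:
        return leaf_hash(leaves[0]), []
    k = 1
    while k * 2 < len(leaves):  # largest power of two below len(leaves)
        k *= 2
    (lroot, lpath), (rroot, rpath) = build_tree(leaves[:k], m), build_tree(leaves[k:], m - k)
    path = lpath + [rroot] if m < k else rpath + [lroot]  # off-side path is discarded
    return node_hash(lroot, rroot), path
```

A `False` result with an intact bundle points at the checkpoint (wrong tree size or root), which is why the troubleshooting cue checks both.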