Skip to content

Independent verification

A reviewer can verify a Miombo manifest without an authenticated product session.

Procedure

  1. Obtain the manifest hash from a report, certificate, disclosure or export.
  2. Retrieve the manifest from https://api.miombolabs.com/audit/manifest/{hash}.
  3. Base64-decode body_canonical_b64 and recompute its SHA-256 digest.
  4. Confirm the digest equals the manifest hash.
  5. Retrieve https://api.miombolabs.com/audit/keys.pem and select the public key identified by signing_key_id.
  6. Convert the 64-byte P1363 signature into the verifier's ECDSA signature representation when required.
  7. Verify the signature over the canonical bytes using ECDSA P-256 and SHA-256.
  8. Confirm the key was active at signed_at and inspect the predecessor chain when the result is a restatement.

Server verification

For a quick independent cross-check, request:

text
GET https://api.miombolabs.com/audit/manifest/{hash}/verify

The response identifies validity, signing key and verification reason. High-assurance workflows should still recompute the digest and signature outside Miombo infrastructure.

Failure handling

Treat a hash mismatch, invalid signature, missing signing key, invalid activation window or broken predecessor link as a verification failure. Do not silently accept or repair a signed record; obtain the superseding manifest or request a documented restatement.

Versioned methodology documentation for Miombo Nature Risk Intelligence.