Independent verification
A reviewer can verify a Miombo manifest without an authenticated product session.
Procedure
- Obtain the manifest hash from a report, certificate, disclosure or export.
- Retrieve the manifest from
https://api.miombolabs.com/audit/manifest/{hash}. - Base64-decode
body_canonical_b64and recompute its SHA-256 digest. - Confirm the digest equals the manifest hash.
- Retrieve
https://api.miombolabs.com/audit/keys.pemand select the public key identified bysigning_key_id. - Convert the 64-byte P1363 signature into the verifier's ECDSA signature representation when required.
- Verify the signature over the canonical bytes using ECDSA P-256 and SHA-256.
- Confirm the key was active at
signed_atand inspect the predecessor chain when the result is a restatement.
Server verification
For a quick independent cross-check, request:
text
GET https://api.miombolabs.com/audit/manifest/{hash}/verifyThe response identifies validity, signing key and verification reason. High-assurance workflows should still recompute the digest and signature outside Miombo infrastructure.
Failure handling
Treat a hash mismatch, invalid signature, missing signing key, invalid activation window or broken predecessor link as a verification failure. Do not silently accept or repair a signed record; obtain the superseding manifest or request a documented restatement.