Verification API

Verify the integrity and digital signature of published VEX disclosures.

The verification endpoint lets you confirm that a published disclosure has not been modified since publication and, if signing is configured on the server, that its content still matches the signature the server produced with its signing key.

Verify a disclosure

GET /api/disclosures/{slug}/verify

Example request

curl https://cis.cveium.com/api/disclosures/acme-server-2.1.0-vex/verify

Example response

{
  "public_slug": "acme-server-2.1.0-vex",
  "content_hash": "sha256:abc123def456...",
  "signed": true,
  "signature_valid": true
}

Response fields

Field            Type             Description
public_slug      string           The disclosure's unique public identifier
content_hash     string           SHA-256 hash of the published VEX content, prefixed with the algorithm name (sha256:) followed by the lowercase hex digest
signed           boolean          Whether the disclosure has a stored HMAC-SHA256 signature
signature_valid  boolean or null  Whether the stored signature matches the current content. null if no signing key is configured on the server.

How integrity verification works

When a VEX document is published, CVEium CIS computes a SHA-256 hash of the content. This hash is stored alongside the disclosure and returned in the content_hash field.

To verify integrity:

  1. Download the raw VEX content from the disclosure endpoint
  2. Compute the SHA-256 hash over the exact bytes you received (do not parse and re-serialize the JSON first; a change in whitespace or key order produces a different digest)
  3. Compare the hex digest with the content_hash value from the verify endpoint, after stripping the sha256: prefix

If the hashes match, the content you downloaded is byte-for-byte what was hashed at publication. Note that the hash is stored on the same server as the content, so this check catches corruption in transit and modification of the stored content, not a compromise that rewrites both together; for that case compare against a hash you or the publisher recorded independently at publication time.
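The three steps above as a small client, written as an added example rather than code from the CVEium CIS project. The verify URL is the one documented on this page; the raw-content URL ({base}/api/disclosures/{slug}) is an assumption, since the page refers to "the disclosure endpoint" without giving its path. The sample VEX document and the verify response built from it are constructed here so the check runs offline.

```python
"""Client-side integrity check for a CVEium CIS VEX disclosure (added example)."""
import hashlib
import json
import urllib.request

HASH_PREFIX = "sha256:"


def compute_content_hash(content: bytes) -> str:
    """Hash the exact bytes as served, in the format the verify endpoint uses."""
    return HASH_PREFIX + hashlib.sha256(content).hexdigest()


def parse_content_hash(value: str) -> str:
    """Return the hex digest from a content_hash field.

    Rejects other algorithms or malformed values instead of silently comparing
    against them (a comparison against garbage would fail closed, but a clear
    error is more useful to the operator).
    """
    if not isinstance(value, str) or not value.startswith(HASH_PREFIX):
        raise ValueError(f"unsupported content_hash format: {value!r}")
    digest = value[len(HASH_PREFIX):].lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("content_hash is not a 64-character hex SHA-256 digest")
    return digest


def verify_integrity(content: bytes, verify_response: dict) -> bool:
    """True if the downloaded bytes hash to the content_hash the server reported."""
    expected = parse_content_hash(verify_response["content_hash"])
    actual = hashlib.sha256(content).hexdigest()
    return expected == actual  # the digest is public, so a plain comparison is fine


def fetch_and_verify(base_url: str, slug: str) -> bool:
    """Online variant: download raw content and the verify response, then compare."""
    # Assumed path for the raw content; the verify path is the documented one.
    with urllib.request.urlopen(f"{base_url}/api/disclosures/{slug}") as resp:
        content = resp.read()  # keep the bytes untouched; do not json.load and re-dump
    with urllib.request.urlopen(f"{base_url}/api/disclosures/{slug}/verify") as resp:
        verify_response = json.load(resp)
    return verify_integrity(content, verify_response)


# Constructed sample: a minimal VEX-like JSON document and the verify response a
# server would return for it. The hash is computed here, not copied from a server.
SAMPLE_VEX = json.dumps(
    {
        "@id": "https://cis.cveium.com/vex/acme-server-2.1.0-vex",
        "statements": [
            {
                "vulnerability": {"name": "CVE-placeholder"},  # placeholder, not a real ID
                "products": [{"@id": "pkg:generic/acme-server@2.1.0"}],
                "status": "not_affected",
            }
        ],
    },
    indent=2,
).encode()

SAMPLE_VERIFY_RESPONSE = {
    "public_slug": "acme-server-2.1.0-vex",
    "content_hash": compute_content_hash(SAMPLE_VEX),
    "signed": True,
    "signature_valid": True,
}


if __name__ == "__main__":
    print("intact:", verify_integrity(SAMPLE_VEX, SAMPLE_VERIFY_RESPONSE))
    print("tampered:", verify_integrity(SAMPLE_VEX + b"\n", SAMPLE_VERIFY_RESPONSE))
```

The tampered case appends a single newline, which is enough to change the digest; the same thing happens if a proxy or editor normalises line endings, so store and hash the raw bytes rather than text.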

How digital signatures work

If a VEX_SIGNING_KEY is configured on the server, CVEium CIS signs published VEX content using HMAC-SHA256 and stores the resulting tag alongside the disclosure. Although the API calls this a signature, HMAC is a symmetric message authentication code: the same secret key both produces and checks the tag. Verification therefore happens on the server, and a client relies on the server's answer rather than checking the tag itself.

The verify endpoint checks the signature by:

  1. Recomputing the HMAC-SHA256 signature of the current content
  2. Comparing it with the stored signature using constant-time comparison (preventing timing attacks)

If signed is true and signature_valid is true, the current content produces the same HMAC under the server's key as the stored tag, so it has not changed since it was signed. Because the key lives on the server, this tells you the server's copy is consistent; it does not let you detect an attacker who controls the server or the key and re-signs altered content.

If signed is true but signature_valid is null, the server does not have a signing key configured (for example, the key was removed during a rotation). Contact the publisher to confirm authenticity.

If signed is true but signature_valid is false, the content may have been modified, but a key rotation produces the same result: the stored tag was computed with the old key, and recomputing with the new one cannot match. Treat false as "not confirmed" and check with the publisher before concluding that the content was tampered with.
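The server-side procedure from the two sections above, written as an added example (not CVEium CIS code) so the four outcomes of signature_valid can be exercised side by side: intact content, tampered content, a rotated key, and no key configured. It assumes the key is the raw bytes of VEX_SIGNING_KEY, that the tag is stored as lowercase hex, and that an unsigned disclosure reports signature_valid as null (the page specifies null only for a missing key). The keys and content are constructed placeholders.

```python
"""HMAC-SHA256 signing and verification as this page describes it (added example)."""
import hashlib
import hmac
import os
from typing import Optional

SLUG = "acme-server-2.1.0-vex"


def load_signing_key() -> Optional[bytes]:
    """Read VEX_SIGNING_KEY from the environment; None means signing is not configured."""
    value = os.environ.get("VEX_SIGNING_KEY")
    return value.encode() if value else None


def sign_content(key: bytes, content: bytes) -> str:
    """Tag computed at publication time and stored alongside the disclosure."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def verify_signature(key: Optional[bytes], content: bytes, stored_tag: str) -> Optional[bool]:
    """Recompute the tag over the current content and compare in constant time.

    Returns None when no key is configured, mirroring signature_valid: null.
    compare_digest does not stop at the first differing byte, so response timing
    does not reveal how much of the stored tag a caller has guessed correctly.
    """
    if key is None:
        return None
    return hmac.compare_digest(sign_content(key, content), stored_tag)


def build_verify_response(slug: str, content: bytes, stored_tag: Optional[str],
                          key: Optional[bytes]) -> dict:
    """Assemble the response body documented under 'Response fields'."""
    signed = stored_tag is not None
    return {
        "public_slug": slug,
        "content_hash": "sha256:" + hashlib.sha256(content).hexdigest(),
        "signed": signed,
        # Assumption: unsigned disclosures report null rather than false.
        "signature_valid": verify_signature(key, content, stored_tag) if signed else None,
    }


# Constructed scenario: content signed under key v1, then verified under
# different server states. Placeholder keys, not real secrets.
KEY_V1 = b"example-signing-key-v1"
KEY_V2 = b"example-signing-key-v2"
CONTENT = b'{"statements": [{"status": "not_affected"}]}'
STORED_TAG = sign_content(KEY_V1, CONTENT)


def scenario() -> dict:
    """signature_valid under each server state, plus the unsigned case."""
    return {
        "intact": build_verify_response(SLUG, CONTENT, STORED_TAG, KEY_V1)["signature_valid"],
        "tampered": build_verify_response(SLUG, CONTENT + b" ", STORED_TAG, KEY_V1)["signature_valid"],
        "key_rotated": build_verify_response(SLUG, CONTENT, STORED_TAG, KEY_V2)["signature_valid"],
        "key_missing": build_verify_response(SLUG, CONTENT, STORED_TAG, None)["signature_valid"],
        "unsigned": build_verify_response(SLUG, CONTENT, None, KEY_V1)["signed"],
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The key_rotated and tampered rows both yield false, which is why a false result alone does not distinguish modification from a rotation; only key_missing yields null.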