Forensic Receipt Verifier

Independently verify a wcagcheckr forensic receipt without trusting our server. Paste a forensic-log entry and confirm the cryptographic signatures hold up.

1. Paste the forensic-log entry

From the extension: Forensic tab → DevTools → Application → IndexedDB → wcag-forensic-logaudits → copy the entry as JSON. The entry must include both the hash field and a receipt object.

Product slug: wcagcheckr

How verification works

  1. Reconstruct the signed payload. The receipt's signature was made over a canonical-JSON serialization of { hash, anchoredAt, tsaName, productSlug }. We rebuild that payload from the entry's fields and the well-known product slug.
  2. Compute the SHA-256 of the canonical JSON. This runs in your browser with WebCrypto; no data leaves your machine.
  3. Fetch our published public key from /v1/products/wcagcheckr/forensic/public-key. Confirm that its fingerprint matches the one in the receipt. If it doesn't, the receipt was issued under a different (rotated) key and verification fails.
  4. Verify the ed25519 signature against the public key, using WebCrypto. A valid signature proves our server witnessed exactly this payload.
  5. Verify the RFC 3161 token externally — see the openssl commands in the details panel after running. The TSA's signature on the timestamp is what makes the time-of-witness third-party-verifiable; openssl ts -verify against FreeTSA's CA chain is the canonical check.