Verification Trust Model

This evidence summary verifies that the records in the analyzed file have not been altered since they were originally signed by the producer. Verification uses cryptographic chain integrity and ECDSA P-256 signature validation against the producer's public key. The CarveTrace verifier is open source (Apache 2.0); this summary can be reproduced by anyone with access to the source .ctp file using the carvetrace-verify CLI or this verify.carvetrace.com browser verifier.

Scope of this verifier. This browser-side WASM verifier validates chain integrity, schema hashes, and the ECDSA proof signature. It does not decode individual event payloads, and therefore does not validate any RFC 3161 TSA timestamps that may be embedded inside lifecycle or AI event payloads. For full TSA chain validation against configured trust roots, use the Java or Python CarveTrace verifier — both decode event payloads end-to-end.

Source: https://github.com/aryamind-tech/carvetrace-verify-wasm