QStrike — verify any signed event

Verify any QStrike-signed event

Three steps. Public key, captured SSE envelope, openssl. No proprietary tooling required.

Fetch the public key

The qstrike streaming subdomain publishes the active signing public key at /api/stream/public-key. Save it locally in PEM form.

curl https://stream.qtonicquantum.com/api/stream/public-key > qstrike-pubkey.pem

Capture the SSE event

Save the JSON envelope of any QStrike SSE event you want to verify. The envelope ships with .signature and .payload fields.

# Save the captured SSE event JSON locally
# event.json must contain a .signature field (base64-encoded ECDSA-P256-SHA256)
# and a .payload field (the signed canonical payload string)

Verify the signature

Run openssl dgst against the saved public key. Exit code 0 with output "Verified OK" confirms the event was signed by the QStrike streaming key.

echo -n "$(jq -r .payload event.json)" \
  | openssl dgst -sha256 \
      -verify qstrike-pubkey.pem \
      -signature <(jq -r .signature event.json | base64 -d)

What gets signed

Signature surface

Every SSE event envelope from stream.qtonicquantum.com.
Algorithm: ECDSA-P256-SHA256.
Public key fingerprint visible at /api/stream/fingerprint for out-of-band confirmation.

Reference implementation

Where the verifier lives

Reference Python verifier verify_gates.py ships in the qstrike-engine repository and is available on request.

npm-published CLI shipping in next release: @qtonicquantum/qstrike-verify.

Per-bundle attestation chain (engine code hash plus per-provider job IDs plus calibration snapshots) ships in the next release. Today’s verification surface is per-event-envelope only.

Why this matters

Zero-trust verification

Buyers verify any signed event without QStrike’s involvement.
Cryptographic proof of audit-trail integrity, independent of the QStrike runtime.
Forms the substrate for downstream bundle-level attestation in the next release.

Want the reference verifier?

Leave an address and we will send the current Python verifier and notify you when the npm-published CLI ships.

Verify any QStrike-signed event

Three steps. Public key, captured SSE envelope, openssl. No proprietary tooling required.

Fetch the public key

The qstrike streaming subdomain publishes the active signing public key at /api/stream/public-key. Save it locally in PEM form.

curl https://stream.qtonicquantum.com/api/stream/public-key > qstrike-pubkey.pem

Capture the SSE event

Save the JSON envelope of any QStrike SSE event you want to verify. The envelope ships with .signature and .payload fields.

# Save the captured SSE event JSON locally
# event.json must contain a .signature field (base64-encoded ECDSA-P256-SHA256)
# and a .payload field (the signed canonical payload string)

Verify the signature

Run openssl dgst against the saved public key. Exit code 0 with output "Verified OK" confirms the event was signed by the QStrike streaming key.

echo -n "$(jq -r .payload event.json)" \
  | openssl dgst -sha256 \
      -verify qstrike-pubkey.pem \
      -signature <(jq -r .signature event.json | base64 -d)

What gets signed

Signature surface

Every SSE event envelope from stream.qtonicquantum.com.
Algorithm: ECDSA-P256-SHA256.
Public key fingerprint visible at /api/stream/fingerprint for out-of-band confirmation.

Reference implementation

Where the verifier lives

Reference Python verifier verify_gates.py ships in the qstrike-engine repository and is available on request.

npm-published CLI shipping in next release: @qtonicquantum/qstrike-verify.

Per-bundle attestation chain (engine code hash plus per-provider job IDs plus calibration snapshots) ships in the next release. Today’s verification surface is per-event-envelope only.

Why this matters

Zero-trust verification

Buyers verify any signed event without QStrike’s involvement.
Cryptographic proof of audit-trail integrity, independent of the QStrike runtime.
Forms the substrate for downstream bundle-level attestation in the next release.

Want the reference verifier?

Leave an address and we will send the current Python verifier and notify you when the npm-published CLI ships.

Verify any QStrike-signed event

Fetch the public key

Capture the SSE event

Verify the signature

Signature surface

Where the verifier lives

Zero-trust verification

Want the reference verifier?

Related Content

QStrike by Qtonic Quantum

QScout by Qtonic Quantum

Platform Overview

Verify any QStrike-signed event

Fetch the public key

Capture the SSE event

Verify the signature

Signature surface

Where the verifier lives

Zero-trust verification

Want the reference verifier?

Related Content

QStrike by Qtonic Quantum

QScout by Qtonic Quantum

Platform Overview