Quantum-Safe File Attestation by Apoth3osis

Name: Quantum-Safe File Attestation
Brand: Apoth3osis
SKU: 69c99cefc3ba2714db75e12a
Price: 0.05 USD
Availability: InStock

Quantum-Safe File Attestation

Function

Available ActionsEach successful request consumes credits as outlined below.

attest_artifact^25crverify_attestation^5crget_public_key^5cr

Details

Issue formally verified, post-quantum cryptographic attestation certificates for any file. Every attestation is backed by a proof-carrying certificate bundle whose acceptance logic is proven correct in Lean 4. Signing uses ML-DSA-65 from the NIST post-quantum standard, executed through PQClean standardized runtimes with the private key secured in a hardware security module. A 4-check verification pipeline confirms signature validity, manifest consistency, artifact integrity, and certificate Merkle-tree integrity — all must pass. Anyone can verify certificates independently using the open-source offline verifier. No trust in our infrastructure required.

Use Cases

Sign software releases with formally verified post-quantum cryptography, Create proof-carrying attestation certificates with Lean 4 verified acceptance kernels, Verify file integrity with NIST-standardized ML-DSA-65 digital signatures and PQClean runtimes, Generate compliance evidence for SOC 2 SOX HIPAA and regulatory audits with cryptographic proof chains, Timestamp and cryptographically attest intellectual property artifacts with tamper-evident CAB bundles, Verify software supply chain integrity with 4-check verification pipeline, Issue verifiable certificates for code repositories and release archives backed by formal proofs, Provide independent verification keys for third-party auditors and partners, Create provenance records for AI model weights and training data with quantum-safe signatures, Attest firmware images and embedded software updates with hardware-backed signing, Notarize documents with post-quantum signatures backed by information-theoretic security foundations, Sign configuration files and infrastructure-as-code with formally verified cryptographic protocol stack

Dynamic MCP Setup

Connect once through AgentPMT Dynamic MCP, then use approved tools from the same agent connection.

30 Second Setup

STDIO connector for Claude Code, Codex, Cursor, Zed, and other LLMs that require STDIO or custom connections.

npm install -g @agentpmt/mcp-routeragentpmt-setup

Hosted Streamable HTTPS

MCP endpoint for browser-based apps like ChatGPT, Claude, Grok, or any time you want a streamable connection with no local install.

https://api.agentpmt.com/mcp

Config Example

Use the hosted endpoint directly in clients that support remote MCP. Store your Bearer token in the client config or secret field.

Full connection guide

{
  "mcpServers": {
    "agentpmt": {
      "type": "streamable-http",
      "url": "https://api.agentpmt.com/mcp",
      "headers": {
        "Authorization": "Bearer <AGENTPMT_BEARER_TOKEN>",
        "x-instance-metadata": "{\"client\":\"generic-mcp\",\"platform\":\"remote\"}"
      }
    }
  }
}

Need client videos, organization controls, audit details, and the full feature overview?

More About Dynamic MCP

Actions(3)

attest_artifact^25cr3 params(1 required)

Create a post-quantum cryptographic attestation for a file in storage. Signs with ML-DSA-65 via hardware security module. Saves the attestation package to file storage and returns its file_id.

file_idrequiredstring

File ID from file storage (from upload or GitHub download).

artifact_namestring

Human-readable name for the artifact being attested. Defaults to the stored filename.

metadataobject

Optional freeform metadata to include in the attestation manifest.

verify_attestation^5cr3 params(2 required)

Verify a previously issued attestation package against the original artifact. Both the artifact and the attestation package must be in file storage. Checks ML-DSA-65 signature, manifest integrity, artifact SHA-256 match, and CAB bundle.

file_idrequiredstring

File ID of the original artifact to verify.

attestation_file_idrequiredstring

File ID of the attestation package JSON (returned as attestation_file_id by attest_artifact).

check_bundleboolean

Whether to also verify the CAB verifier bundle material. Defaults to true.

get_public_key^5cr0 params

Return the signer's public key, algorithm, and fingerprint so independent verifiers can confirm attestation signatures without calling this tool.

No parameters for this action.

curl -X POST "https://api.agentpmt.com/products/purchase" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ********" \
  -d '{
    "product_id": "69c99cefc3ba2714db75e12a",
    "parameters": {
      "action": "attest_artifact",
      "file_id": "example_file_id"
    }
  }'

import requests
import json

url = "https://api.agentpmt.com/products/purchase"

headers = {
    "Content-Type": "application/json",
    "Authorization": "Bearer ********"
}

data = {
    "product_id": "69c99cefc3ba2714db75e12a",
    "parameters": {
        "action": "attest_artifact",
        "file_id": "example_file_id"
    }
}

response = requests.post(url, headers=headers, json=data)
print(response.status_code)
print(response.json())

const url = "https://api.agentpmt.com/products/purchase";

const headers = {
  "Content-Type": "application/json",
  "Authorization": "Bearer ********"
};

const data = {
  product_id: "69c99cefc3ba2714db75e12a",
  parameters: {
    "action": "attest_artifact",
    "file_id": "example_file_id"
  }
};

fetch(url, {
  method: "POST",
  headers,
  body: JSON.stringify(data)
})
  .then(response => response.json())
  .then(data => console.log(data))
  .catch(error => console.error("Error:", error));

const axios = require('axios');

const url = "https://api.agentpmt.com/products/purchase";

const headers = {
  "Content-Type": "application/json",
  "Authorization": "Bearer ********"
};

const data = {
  product_id: "69c99cefc3ba2714db75e12a",
  parameters: {
    "action": "attest_artifact",
    "file_id": "example_file_id"
  }
};

axios.post(url, data, { headers })
  .then(response => {
    console.log(response.status);
    console.log(response.data);
  })
  .catch(error => {
    console.error("Error:", error.message);
  });

Login to view your API and budget keys. The example above uses placeholder values. Sign in to see personalized code with your bearer token.

Usage Instructions

Usage guidance provided directly by the developer for this product.

Quantum-Safe File Attestation

Create and verify post-quantum cryptographic attestation packages for files using ML-DSA-65 (Dilithium3).

Actions

`attest_artifact`

Create a cryptographic attestation for a file in storage. The attestation package is saved to file storage.

Required:

file_id (string): file ID of the artifact to attest. Upload the file first using the File Management tool (action upload_standard), then pass the returned file_id here.

Optional:

artifact_name (string): human-readable name (defaults to stored filename)
metadata (object): freeform key-value pairs to include in the manifest

{"action":"attest_artifact","file_id":"abc-123","artifact_name":"release-v2.1.tar.gz","metadata":{"version":"2.1.0"}}

Response:

artifact_sha256: SHA-256 of the attested file
package_id: unique attestation identifier
attestation_file_id: file ID of the saved attestation package (use this for verify_attestation)
attestation_signed_url: download URL for the attestation package JSON

`verify_attestation`

Verify a previously issued attestation package against the original artifact. Both must be in file storage. If verifying a package received from someone else, upload it first using the File Management tool.

Required:

file_id (string): file ID of the original artifact
attestation_file_id (string): file ID of the attestation package JSON (from attest_artifact, or uploaded via File Management)

Optional:

check_bundle (boolean, default true): verify CAB certificate bundle integrity

{"action":"verify_attestation","file_id":"abc-123","attestation_file_id":"def-456"}

Response:

accept: true if all checks pass
failed_checks: list of check names that failed (empty when accepted)
manifest_sha256: hash of the canonical manifest
signer_public_key_hex: the public key that signed the manifest

`get_public_key`

Return the signer's public key and algorithm info for independent verification.

{"action":"get_public_key"}

Typical Workflow

Upload a file using the File Management tool (upload_standard) to get a file_id
Call attest_artifact with the file_id — save the returned attestation_file_id
To verify later, call verify_attestation with both file_id (original artifact) and attestation_file_id (the attestation package)
Share the attestation package (downloadable via attestation_signed_url) with anyone who needs to verify independently

Independent Offline Verification

Recipients can verify attestation packages offline without this tool: https://github.com/Abraxas1010/verified-pqc-verifier

Security Properties

Post-quantum security: ML-DSA-65 (FIPS 204 / Dilithium3) resistant to quantum attacks
Hardware key protection: signing key never leaves the hardware security module
Tamper evidence: any modification invalidates the signature
Self-verification: every attestation is verified immediately after signing

About this Product

How It Works

Upload a file and receive a cryptographic attestation package that mathematically proves what the file contained at the moment it was signed. The attestation binds your file's SHA-256 hash, a timestamp, and any metadata you provide into a signed manifest using ML-DSA-65 (Dilithium3 / FIPS 204).

Formally Verified Acceptance Kernel

Unlike conventional code-signing tools where the verification logic is tested but not proven, every attestation includes a Carried Algebraic Bundle (CAB) whose acceptance kernel has been formally verified in Lean 4. The verification logic is mathematically proven correct — not just tested against known inputs. The kernel includes a verified C implementation extracted directly from the Lean 4 proof source.

Proof-Carrying Certificate Bundles

Each attestation package contains a CAB bundle that cryptographically binds three elements into a single tamper-evident envelope: the artifact hash, the proof commitment, and the manifest signature. The bundle includes a Merkle tree over all verification artifacts (kernel source, provenance metadata, and expected outputs), ensuring that any modification to any component is detectable.

4-Check Verification Pipeline

Every verification — whether through the hosted API or the standalone offline verifier — runs four independent checks that must all pass for acceptance:

Signature validity — the ML-DSA-65 signature over the canonical manifest is cryptographically correct
Manifest consistency — the package ID matches the SHA-256 of the canonical manifest bytes
Artifact integrity — the file's SHA-256 matches what was recorded in the signed manifest
CAB certificate integrity — the Merkle tree over all bundle artifacts verifies against the committed root

NIST PQC Parameter Coverage

The underlying VerifiedPQC protocol stack supports all 6 NIST post-quantum parameter sets: ML-KEM-512, ML-KEM-768, ML-KEM-1024 for key encapsulation, and ML-DSA-44, ML-DSA-65, ML-DSA-87 for digital signatures. The attestation service uses ML-DSA-65 (security level 3) for signing, backed by PQClean reference implementations — real, audited, standardized byte-level runtimes, not toy cryptography.

Hardware Key Protection

The ML-DSA-65 signing key is provisioned inside a Google Cloud KMS hardware security module. The private key never leaves the HSM — signing requests are sent to KMS, which returns the signature. Even if the service infrastructure were fully compromised, the signing key cannot be extracted. Every signing operation is logged by Google Cloud for audit purposes.

Security Foundations

The security model draws on information-theoretic foundations including privacy amplification and the leftover hash lemma. Constructive hardness guarantees are backed by contextuality-based impossibility proofs for the underlying lattice assumptions. These are not just computational security claims — the protocol stack includes formally verified components with mathematical correctness proofs.

Independent Verification

Attestation certificates can be verified without any connection to this service. The open-source standalone verifier is available at github.com/Abraxas1010/verified-pqc-verifier. It includes the ML-DSA-65 verification binary, the trust anchor with the issuer's public key, and a step-by-step guide. No account, API access, or trust in our servers is required. The cryptographic proof is self-contained.

Independent Audit

An independent operational audit (2026-03-28) confirmed the full protocol stack: runtime replay correctness, byte-level transport verification, mutation rejection, cross-backend interoperability, fuzz rejection, policy scenario enforcement, and performance envelope compliance across all supported parameter sets.

Frequently Asked Questions

How do I connect this tool to an external agent?

You can install the local MCP server by opening a terminal and running:

Install commands

npm install -g @agentpmt/mcp-router
agentpmt-setup

This will connect you to local agents like Claude Code, Windsurf, Grok Build, Cursor, etc.

Alternatively you can connect to the hosted version with this config block, no installation required:

Hosted MCP config

{
  "mcpServers": {
    "agentpmt": {
      "type": "streamable-http",
      "url": "https://api.agentpmt.com/mcp",
      "headers": {
        "Authorization": "Bearer <AGENTPMT_BEARER_TOKEN>",
        "x-instance-metadata": "{\"client\":\"generic-mcp\",\"platform\":\"remote\"}"
      }
    }
  }
}

View MCP Connection Instructions for more details.

How does an external agent use this tool?

After the external agent is connected to an Agent Group that can use this tool, paste this prompt into the agent:

Agent prompt

Use the AgentPMT-Tool-Search-and-Execution tool. First call action 'get_instructions' so you know how to use the tool search interface. Then call action 'get_schema' with tool_id 69c99cefc3ba2714db75e12a ("Quantum-Safe File Attestation"). After reading the schema and any returned instructions, tell me what this tool can do, what inputs it needs, and what you need from me before running it. Do not call action 'call_tool' until I confirm the request and provide the required parameters.

The agent should fetch the tool schema first, collect the required parameters for your request, and then call the tool through AgentPMT.

Quantum-Safe File Attestation

Available ActionsEach successful request consumes credits as outlined below.

Details

Use Cases

Dynamic MCP Setup

30 Second Setup

Hosted Streamable HTTPS

Config Example

About this Product

How It Works

Formally Verified Acceptance Kernel

Proof-Carrying Certificate Bundles

4-Check Verification Pipeline

NIST PQC Parameter Coverage

Hardware Key Protection

Security Foundations

Independent Verification

Independent Audit

Frequently Asked Questions

How do I connect this tool to an external agent?

How does an external agent use this tool?

Workflows Using This Tool

Document and File Certification with Post-Quantum Digital Signatures

Related Content

Quantum-Safe File Attestation Launches on AgentPMT: Post-Quantum Proof for Every File

Why AI Cybersecurity Needs Quantum-Safe Signatures Now

Looking for help integrating AI into your business? Set up a free consultation.