Quantum-Safe File Attestation

Function

Available ActionsEach successful request consumes credits as outlined below.

attest_artifact^25crverify_attestation^5crget_public_key^5cr

Details

Issue formally verified, post-quantum cryptographic attestation certificates for any file. Every attestation is backed by a proof-carrying certificate bundle whose acceptance logic is proven correct in Lean 4. Signing uses ML-DSA-65 from the NIST post-quantum standard, executed through PQClean standardized runtimes with the private key secured in a hardware security module. A 4-check verification pipeline confirms signature validity, manifest consistency, artifact integrity, and certificate Merkle-tree integrity — all must pass. Anyone can verify certificates independently using the open-source offline verifier. No trust in our infrastructure required.

Use Cases

Sign software releases with formally verified post-quantum cryptography, Create proof-carrying attestation certificates with Lean 4 verified acceptance kernels, Verify file integrity with NIST-standardized ML-DSA-65 digital signatures and PQClean runtimes, Generate compliance evidence for SOC 2 SOX HIPAA and regulatory audits with cryptographic proof chains, Timestamp and cryptographically attest intellectual property artifacts with tamper-evident CAB bundles, Verify software supply chain integrity with 4-check verification pipeline, Issue verifiable certificates for code repositories and release archives backed by formal proofs, Provide independent verification keys for third-party auditors and partners, Create provenance records for AI model weights and training data with quantum-safe signatures, Attest firmware images and embedded software updates with hardware-backed signing, Notarize documents with post-quantum signatures backed by information-theoretic security foundations, Sign configuration files and infrastructure-as-code with formally verified cryptographic protocol stack

Connect Your Agent In 5 Min

Watch the setup guide for your platform

Or Install Locally

STDIO connector for Claude Code, Codex, Cursor, Zed, and other LLMs that require STDIO or custom connections. This lightweight connector routes requests to https://api.agentpmt.com/mcp. All tool execution happens in the cloud and the server cannot edit any files on your computer.

npm install -g @agentpmt/mcp-routeragentpmt-setup

Actions(3)

attest_artifact^25cr3 params(1 required)

Create a post-quantum cryptographic attestation for a file in storage. Signs with ML-DSA-65 via hardware security module. Saves the attestation package to file storage and returns its file_id.

file_idrequiredstring

File ID from file storage (from upload or GitHub download).

artifact_namestring

Human-readable name for the artifact being attested. Defaults to the stored filename.

metadataobject

Optional freeform metadata to include in the attestation manifest.

verify_attestation^5cr3 params(2 required)

Verify a previously issued attestation package against the original artifact. Both the artifact and the attestation package must be in file storage. Checks ML-DSA-65 signature, manifest integrity, artifact SHA-256 match, and CAB bundle.

file_idrequiredstring

File ID of the original artifact to verify.

attestation_file_idrequiredstring

File ID of the attestation package JSON (returned as attestation_file_id by attest_artifact).

check_bundleboolean

Whether to also verify the CAB verifier bundle material. Defaults to true.

get_public_key^5cr0 params

Return the signer's public key, algorithm, and fingerprint so independent verifiers can confirm attestation signatures without calling this tool.

No parameters for this action.

curl -X POST "https://api.agentpmt.com/products/purchase" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ********" \
  -d '{
    "product_id": "69c99cefc3ba2714db75e12a",
    "parameters": {
      "action": "attest_artifact",
      "file_id": "example_file_id"
    }
  }'

import requests
import json

url = "https://api.agentpmt.com/products/purchase"

headers = {
    "Content-Type": "application/json",
    "Authorization": "Bearer ********"
}

data = {
    "product_id": "69c99cefc3ba2714db75e12a",
    "parameters": {
        "action": "attest_artifact",
        "file_id": "example_file_id"
    }
}

response = requests.post(url, headers=headers, json=data)
print(response.status_code)
print(response.json())

const url = "https://api.agentpmt.com/products/purchase";

const headers = {
  "Content-Type": "application/json",
  "Authorization": "Bearer ********"
};

const data = {
  product_id: "69c99cefc3ba2714db75e12a",
  parameters: {
    "action": "attest_artifact",
    "file_id": "example_file_id"
  }
};

fetch(url, {
  method: "POST",
  headers,
  body: JSON.stringify(data)
})
  .then(response => response.json())
  .then(data => console.log(data))
  .catch(error => console.error("Error:", error));

const axios = require('axios');

const url = "https://api.agentpmt.com/products/purchase";

const headers = {
  "Content-Type": "application/json",
  "Authorization": "Bearer ********"
};

const data = {
  product_id: "69c99cefc3ba2714db75e12a",
  parameters: {
    "action": "attest_artifact",
    "file_id": "example_file_id"
  }
};

axios.post(url, data, { headers })
  .then(response => {
    console.log(response.status);
    console.log(response.data);
  })
  .catch(error => {
    console.error("Error:", error.message);
  });

Login to view your API and budget keys. The example above uses placeholder values. Sign in to see personalized code with your bearer token.

This tool supports credit-based access for external agents using AgentAddress identities or standard crypto wallets. External agents should use the External Agent API to buy credits with x402 and invoke this tool.

1. Buy Credits

Purchase credits via x402 payment (500 credit minimum, 100 credits = $1).

# Request payment requirements (returns 402 + PAYMENT-REQUIRED header)
curl -i -s -X POST "https://www.agentpmt.com/api/external/credits/purchase" \
  -H "Content-Type: application/json" \
  -d '{ "wallet_address":"0xYOUR_WALLET", "credits": 500, "payment_method":"x402" }'

# Sign the EIP-3009 authorization, then retry with signature header
curl -s -X POST "https://www.agentpmt.com/api/external/credits/purchase" \
  -H "Content-Type: application/json" \
  -H "PAYMENT-SIGNATURE: <base64-json>" \
  -d '{ "wallet_address":"0xYOUR_WALLET", "credits": 500, "payment_method":"x402" }'

2. Create a Session Nonce (nonce used in signed balance/invoke)

curl -s -X POST "https://www.agentpmt.com/api/external/auth/session" \
  -H "Content-Type: application/json" \
  -d '{ "wallet_address":"0xYOUR_WALLET" }'

3. Invoke This Tool

Sign the message with your wallet (EIP-191 personal-sign), then POST to the invoke endpoint.

# Sign this message (wallet MUST be lowercased):
# agentpmt-external
# wallet:0xyourwallet...
# session:<session_nonce>
# request:<request_id>
# method:POST
# path:/external/tools/quantum-safe-file-attestation/actions/<actionSlug>/invoke
# payload:<sha256(canonical_json(parameters))>

curl -s -X POST "https://www.agentpmt.com/api/external/tools/quantum-safe-file-attestation/actions/<actionSlug>/invoke" \
  -H "Content-Type: application/json" \
  -d '{
    "wallet_address": "0xYOUR_WALLET",
    "session_nonce": "<session_nonce>",
    "request_id": "invoke-uuid",
    "signature": "0x<signature>",
    "parameters": {
      "your_param": "value"
    }
  }'

Usage Instructions

Usage guidance provided directly by the developer for this product.

Quantum-Safe File Attestation

Create and verify post-quantum cryptographic attestation packages for files using ML-DSA-65 (Dilithium3).

Actions

`attest_artifact`

Create a cryptographic attestation for a file in storage. The attestation package is saved to file storage.

Required:

file_id (string): file ID of the artifact to attest. Upload the file first using the File Management tool (action upload_standard), then pass the returned file_id here.

Optional:

artifact_name (string): human-readable name (defaults to stored filename)
metadata (object): freeform key-value pairs to include in the manifest

{"action":"attest_artifact","file_id":"abc-123","artifact_name":"release-v2.1.tar.gz","metadata":{"version":"2.1.0"}}

Response:

artifact_sha256: SHA-256 of the attested file
package_id: unique attestation identifier
attestation_file_id: file ID of the saved attestation package (use this for verify_attestation)
attestation_signed_url: download URL for the attestation package JSON

`verify_attestation`

Verify a previously issued attestation package against the original artifact. Both must be in file storage. If verifying a package received from someone else, upload it first using the File Management tool.

Required:

file_id (string): file ID of the original artifact
attestation_file_id (string): file ID of the attestation package JSON (from attest_artifact, or uploaded via File Management)

Optional:

check_bundle (boolean, default true): verify CAB certificate bundle integrity

{"action":"verify_attestation","file_id":"abc-123","attestation_file_id":"def-456"}

Response:

accept: true if all checks pass
failed_checks: list of check names that failed (empty when accepted)
manifest_sha256: hash of the canonical manifest
signer_public_key_hex: the public key that signed the manifest

`get_public_key`

Return the signer's public key and algorithm info for independent verification.

{"action":"get_public_key"}

Typical Workflow

Upload a file using the File Management tool (upload_standard) to get a file_id
Call attest_artifact with the file_id — save the returned attestation_file_id
To verify later, call verify_attestation with both file_id (original artifact) and attestation_file_id (the attestation package)
Share the attestation package (downloadable via attestation_signed_url) with anyone who needs to verify independently

Independent Offline Verification

Recipients can verify attestation packages offline without this tool: https://github.com/Abraxas1010/verified-pqc-verifier

Security Properties

Post-quantum security: ML-DSA-65 (FIPS 204 / Dilithium3) resistant to quantum attacks
Hardware key protection: signing key never leaves the hardware security module
Tamper evidence: any modification invalidates the signature
Self-verification: every attestation is verified immediately after signing

About this Product

How It Works

Upload a file and receive a cryptographic attestation package that mathematically proves what the file contained at the moment it was signed. The attestation binds your file's SHA-256 hash, a timestamp, and any metadata you provide into a signed manifest using ML-DSA-65 (Dilithium3 / FIPS 204).

Formally Verified Acceptance Kernel

Unlike conventional code-signing tools where the verification logic is tested but not proven, every attestation includes a Carried Algebraic Bundle (CAB) whose acceptance kernel has been formally verified in Lean 4. The verification logic is mathematically proven correct — not just tested against known inputs. The kernel includes a verified C implementation extracted directly from the Lean 4 proof source.

Proof-Carrying Certificate Bundles

Each attestation package contains a CAB bundle that cryptographically binds three elements into a single tamper-evident envelope: the artifact hash, the proof commitment, and the manifest signature. The bundle includes a Merkle tree over all verification artifacts (kernel source, provenance metadata, and expected outputs), ensuring that any modification to any component is detectable.

4-Check Verification Pipeline

Every verification — whether through the hosted API or the standalone offline verifier — runs four independent checks that must all pass for acceptance:

Signature validity — the ML-DSA-65 signature over the canonical manifest is cryptographically correct
Manifest consistency — the package ID matches the SHA-256 of the canonical manifest bytes
Artifact integrity — the file's SHA-256 matches what was recorded in the signed manifest
CAB certificate integrity — the Merkle tree over all bundle artifacts verifies against the committed root

NIST PQC Parameter Coverage

The underlying VerifiedPQC protocol stack supports all 6 NIST post-quantum parameter sets: ML-KEM-512, ML-KEM-768, ML-KEM-1024 for key encapsulation, and ML-DSA-44, ML-DSA-65, ML-DSA-87 for digital signatures. The attestation service uses ML-DSA-65 (security level 3) for signing, backed by PQClean reference implementations — real, audited, standardized byte-level runtimes, not toy cryptography.

Hardware Key Protection

The ML-DSA-65 signing key is provisioned inside a Google Cloud KMS hardware security module. The private key never leaves the HSM — signing requests are sent to KMS, which returns the signature. Even if the service infrastructure were fully compromised, the signing key cannot be extracted. Every signing operation is logged by Google Cloud for audit purposes.

Security Foundations

The security model draws on information-theoretic foundations including privacy amplification and the leftover hash lemma. Constructive hardness guarantees are backed by contextuality-based impossibility proofs for the underlying lattice assumptions. These are not just computational security claims — the protocol stack includes formally verified components with mathematical correctness proofs.

Independent Verification

Attestation certificates can be verified without any connection to this service. The open-source standalone verifier is available at github.com/Abraxas1010/verified-pqc-verifier. It includes the ML-DSA-65 verification binary, the trust anchor with the issuer's public key, and a step-by-step guide. No account, API access, or trust in our servers is required. The cryptographic proof is self-contained.

Independent Audit

An independent operational audit (2026-03-28) confirmed the full protocol stack: runtime replay correctness, byte-level transport verification, mutation rejection, cross-backend interoperability, fuzz rejection, policy scenario enforcement, and performance envelope compliance across all supported parameter sets.

Quantum-Safe File Attestation

Available ActionsEach successful request consumes credits as outlined below.

Details

Use Cases

Connect Your Agent In 5 Min

Or Install Locally

Actions(3)

1. Buy Credits

2. Create a Session Nonce (nonce used in signed balance/invoke)

3. Invoke This Tool

Usage Instructions

Quantum-Safe File Attestation

Actions

`attest_artifact`

`verify_attestation`

`get_public_key`

Typical Workflow

Independent Offline Verification

Security Properties

About this Product

How It Works

Formally Verified Acceptance Kernel

Proof-Carrying Certificate Bundles

4-Check Verification Pipeline

NIST PQC Parameter Coverage

Hardware Key Protection

Security Foundations

Independent Verification

Independent Audit

Workflows Using This Tool

Verify File Attestation Certificate

Document and File Certification with Post-Quantum Digital Signatures

GitHub Repository Code Signing and Attestation with Post-Quantum Cryptography

Related Content

Quantum-Safe File Attestation Launches on AgentPMT: Post-Quantum Proof for Every File

Why AI Cybersecurity Needs Quantum-Safe Signatures Now

Looking for help integrating AI into your business? Set up a free consultation.