Verify the corpus yourself
Every Apeiris artifact is content-addressed by SHA-256 and pinned in a single manifest.json, which is itself signed with an offline Ed25519 key. Nothing here is "trust us" — recompute it. This page does it live in your browser, and the commands below let you do it out-of-band.
Trust anchor
integrity.signatureapeirisai/apeiris git repo (github.com) — a distinct origin from this CDNThe public key is the trust anchor. The private key is held offline and never enters the repo or the served site. A mismatch on the signature or any checksum means the copy you fetched does not match what Apeiris signed — treat it as fail-closed and stop.
Verify out-of-band
Recompute a domain artifact's hash and compare it to the manifest (no Apeiris code required):
# SHA-256 of a domain artifact, vs manifest.domains[].sha256 curl -s https://apeiris.ai/integration/domains/security-controls-full.json | sha256sum curl -s https://apeiris.ai/integration/manifest.json | python3 -c "import sys,json; m=json.load(sys.stdin); print(next(d['sha256'] for d in m['domains'] if d['slug']=='security'))"
Verify the Ed25519 manifest signature yourself, with only Node's built-in crypto — no Apeiris code, no repo access. This is a complete, runnable test vector: it fetches the manifest and the published public key, reconstructs the RFC 8785 (JCS) canonical bytes the signer signed (the manifest minus the integrity.signature field), and checks the signature against the trust-anchor key.
# save as verify.mjs, then: node verify.mjs (Node 18+)
import { createPublicKey, verify } from "node:crypto";
const B = "https://apeiris.ai/integration";
const m = await (await fetch(B + "/manifest.json")).json();
const pub = await (await fetch(B + "/keys/manifest-signing-ed25519.pub.json")).json();
const { signature, ...integrity } = m.integrity; // the signed payload is the manifest minus the signature
const jcs = v => Array.isArray(v) ? "[" + v.map(jcs).join(",") + "]" // RFC 8785 JCS: sort keys, no whitespace
: v && typeof v === "object" ? "{" + Object.keys(v).sort().map(k => JSON.stringify(k) + ":" + jcs(v[k])).join(",") + "}"
: JSON.stringify(v);
const ok = verify(null, Buffer.from(jcs({ ...m, integrity }), "utf8"),
createPublicKey(pub.public_key_spki_pem), Buffer.from(signature, "base64"));
console.log(m.integrity.key_id, ok ? "VERIFIED" : "FAILED");
# -> ed25519-1f89c22423ab21b2 VERIFIED
If it prints VERIFIED, the manifest you fetched is byte-for-byte what Apeiris signed with the offline key whose public half is at keys/manifest-signing-ed25519.pub.json. The Apeiris tooling (npm run verify:manifest) does the same check; this snippet lets you reproduce it independently.