A three-field shape for verifier-issued trust evidence in A2A agent ecosystems.
{
"substrate_attestation": {
"url": "https://verify.example.com/receipt.json",
"content_hash": "sha256:...",
"verifier": "did:web:verify.example.com"
}
}Three fields. No schema absorption. Method-agnostic.
Binds a verifier-issued receipt to a subject artifact. Any consumer can locate the receipt (url), verify its integrity (content_hash), and identify who produced it (verifier).
- Prove the receipt is correct
- Assert the verifier is trustworthy
- Define receipt schema
- Impose scoring or enforcement policy
Those judgments belong to the consumer, not the attestation.
SPEC.md defines the field shapes, validation rules, verification procedure, threat model, and proposed CTEF normative language.
python3 validate.py24 fixtures across format, verdict-binding, and key-rotation categories. The validator checks: field presence, hash format, DID syntax, URL scheme. Optional --verify-hash flag fetches the URL and verifies the content hash.
python3 validate.py --check '{"substrate_attestation": {"url": "https://...", "content_hash": "sha256:...", "verifier": "did:web:..."}}'matrix.json tracks who has been verified against what. 8 entries across 7 projects.
Run Crest verification on every push:
- uses: andysalvo/crest-verify-action@v1
with:
endpoint: https://your-service.comStep summary, PR comments, badge output. Action docs.
See FIXTURE_SCHEMA.md for the canonical fixture format. Third-party fixtures go in fixtures/contrib/. PRs welcome.
- Proposed by @aeoess in A2A #1672 and Discussion #1734
- First production binding: commit 74764f2 in Matrix v1.1 Registry
- Receipts produced by Crest Deployment Systems LLC at verify.crestsystems.ai
Apache 2.0