dpndncY

Verify any signed verdict offline with one binary.

A single static Linux binary with no network calls. Hand it to your auditor, your customer, or your insurer — they only need it and your public key.

Install

The binary ships with every server install at /data/binaries/dpndncy-verify, and is published as a release artifact:

download (Linux amd64)
curl -L -o dpndncy-verify \
  https://github.com/dpndncY-SCA/dpndncy/releases/latest/download/dpndncy-verify-linux-amd64
chmod +x dpndncy-verify
./dpndncy-verify --version

Usage

verify
dpndncy-verify <attestation-file> --public-key <key.pem>

Example — verify a runtime trace

output
$ dpndncy-verify trace.intoto.jsonl \
    --public-key /etc/dpndncy/agent-pub.pem

Signature: OK
Key:       sha256:HmCC8oTtuG…
Type:      https://dpndncy.io/agent/runtime-trace/v1
Subject:   github-actions/acme/widget/1234567
  sha256: a1b2c3d4e5f6…

Builder:   urn:dpndncy:agent 0.1.0
Window:    2026-05-26T10:00:00Z → 2026-05-26T10:14:32Z
Mode:      observe

Events:    connect=412  exec=58  file=4  dns=23
Decisions: allow=489  warn=8  review=0  block=0
Trace log: sha256=a1b2c3… size=384921 (ndjson)

Exit codes

  • 0 — Signature valid, all checks passed
  • 1 — Signature invalid or key mismatch
  • 2 — File parse error
  • 3 — Required field missing or schema-invalid

What it does not do

The verifier has no network code, no DB driver, no portal client. By design.

  • It does not call back to dpndncY for any reason
  • It does not fetch advisory data
  • It does not enrich or re-evaluate signals — it only verifies the signature and prints the payload
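
Because the verifier only checks the signature and prints the payload, any accept/reject policy belongs to the caller. The wrapper below is an added example, not part of dpndncY: it maps the exit codes listed above, fails closed on anything else, and then checks the printed Type and Decisions lines. The function name, the VERIFY_BIN variable, return codes 4, 5 and 70, and the block=0 policy are assumptions, as is an output layout matching the sample above.

```shell
#!/bin/sh
# Added example, not part of dpndncY. Assumes dpndncy-verify prints "Type:"
# and "Decisions:" lines in the layout shown in the sample output above.
VERIFY_BIN="${VERIFY_BIN:-dpndncy-verify}"   # override to pin an absolute path

# gate_attestation <attestation-file> <public-key.pem> <expected-type-uri>
# Returns 0 only if the signature verifies AND the signed payload has the
# expected type with block=0. Codes 1-3 are the verifier's own; 4, 5 and 70
# are this wrapper's (hypothetical) additions.
gate_attestation() {
    att=$1; key=$2; want_type=$3
    rc=0
    # "|| rc=$?" keeps the exit code and stays safe under "set -e".
    out=$("$VERIFY_BIN" "$att" --public-key "$key" 2>&1) || rc=$?
    case $rc in
        0) ;;
        1) echo "reject: signature invalid or key mismatch" >&2; return 1 ;;
        2) echo "reject: file parse error" >&2; return 2 ;;
        3) echo "reject: required field missing or schema-invalid" >&2; return 3 ;;
        # Unknown code, crash, or missing binary (127): fail closed.
        *) echo "reject: unexpected verifier exit code $rc" >&2; return 70 ;;
    esac

    # A valid signature proves who signed, not what was signed: check the type.
    got_type=$(printf '%s\n' "$out" | awk '$1 == "Type:" { print $2; exit }')
    if [ "$got_type" != "$want_type" ]; then
        echo "reject: attestation type '$got_type', expected '$want_type'" >&2
        return 4
    fi

    # Sample policy (assumption): refuse traces that record blocked events.
    blocks=$(printf '%s\n' "$out" |
        sed -n 's/^Decisions:.* block=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    case $blocks in
        0)  return 0 ;;
        '') echo "reject: no block count in verifier output" >&2; return 5 ;;
        *)  echo "reject: $blocks blocked event(s) in signed trace" >&2; return 5 ;;
    esac
}
```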

Why it’s the wedge

The whole point of the platform is that this binary works on your auditor’s laptop with nothing more than a public key. No portal. No vendor dependency. No remote infrastructure to outlive you.