Verify a certificate offline
Every AlphaAssay verdict can be verified without contacting AlphaAssay — that is the point of signing them. All you need is the public key below and any standard crypto tool.
1 — Save the public key
# Key-ID: key_9961d9e3190d69a6
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA3pvfyosExDvDYzg8R1YMBu//7RvUWvuK/uanMlIJMQg=
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA3pvfyosExDvDYzg8R1YMBu//7RvUWvuK/uanMlIJMQg=
-----END PUBLIC KEY-----
2 — Split the document
The delivered file contains the inner certificate object (canonical JSON, exactly as
delivered — do not reformat it) and the signature_b64 value.
3 — Check
$ base64 -d <<< "$SIGNATURE_B64" > sig.bin
$ openssl pkeyutl -verify -pubin -inkey alphaassay.pub \
-rawin -in certificate.json -sigfile sig.bin
Signature Verified SuccessfullyThe same check in Python
from cryptography.hazmat.primitives import serialization
from cryptography.exceptions import InvalidSignature
import base64
pub = serialization.load_pem_public_key(open("alphaassay.pub", "rb").read())
doc = open("certificate.json", "rb").read() # exact bytes as delivered!
sig = base64.b64decode(signature_b64)
try:
pub.verify(sig, doc)
print("genuine ✓")
except InvalidSignature:
print("altered or not ours ✕")…and in Node
import { createPublicKey, verify } from "node:crypto";
import { readFileSync } from "node:fs";
const pub = createPublicKey(readFileSync("alphaassay.pub"));
const doc = readFileSync("certificate.json"); // exact bytes!
const sig = Buffer.from(signatureB64, "base64");
console.log(verify(null, doc, pub, sig) ? "genuine ✓" : "altered ✕");Any modification — a flipped digit, prettified whitespace — makes the check fail. The convenient version lives at /verify; the paranoid version is this page, and we mean that as a compliment.