{"schema_version":3,"algorithm":"Ed25519","current_key":{"key_id":"current","public_key_pem":"-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAY5D+SixjiaESGxScO2LXhSIjIBdURaEwyHujBLjfWIc=\n-----END PUBLIC KEY-----\n","public_key_raw_hex":"6390fe4a2c6389a1121b149c3b62d785222320175445a130c87ba304b8df5887","fingerprint":{"sha256_hex":"18405a9b9a5a6195e5e7a432b920bb24c0bc00041d9d25eb0a240b32be0ec7c8","sha256_base64":"GEBam5paYZXl56QyuSC7JMC8AAQdnSXrCiQLMr4Ox8g=","sha256_colon":"18:40:5A:9B:9A:5A:61:95:E5:E7:A4:32:B9:20:BB:24:C0:BC:00:04:1D:9D:25:EB:0A:24:0B:32:BE:0E:C7:C8"},"signing_format":{"version":1,"description":"Ed25519 over raw bytes: 32-byte root_hash || 8-byte little-endian double timestamp_utc (seconds).","message_length_bytes":40}},"historical_keys":[],"manifest_spec":{"id":"merkle-blake3-64k-v1","description":"Unified BitSeal Merkle manifest: whole-file BLAKE3 plus a BLAKE3 Merkle tree of fixed-size chunks. The web API and the BitSeal-SDK both produce this format, so a web seal and a CLI seal of the same bytes yield the same root_hash.","chunk_size_bytes":65536,"leaf_hash":{"algorithm":"BLAKE3","output_bytes":32,"encoding":"lowercase-hex","input":"Raw chunk bytes, split into CHUNK_SIZE windows from file offset 0. The final chunk may be short; it is hashed as-is (no padding)."},"internal_node":{"algorithm":"BLAKE3","output_bytes":32,"encoding":"lowercase-hex","input":"Raw 32-byte concatenation of the two child node hashes (left || right). No domain separator, no length prefix.","odd_layer_rule":"If a layer has an odd number of nodes, the last node is duplicated (paired with itself) before hashing up."},"root":"Last surviving node after repeatedly pairing. For a single-leaf tree, the root equals that leaf. Published as manifest.root_hash.","manifest_fields_for_verification":["seal_mode (must equal \"merkle-blake3-64k-v1\")","chunk_size_bytes (must equal 65536)","root_hash (lowercase hex, 64 chars)","merkle_tree (array of leaf hashes, lowercase hex, 64 chars each; length == ceil(size_bytes / chunk_size_bytes))","size_bytes"]},"policy_urls":{"ceremony":"https://bitseal.orygn.tech/legal/key-ceremony","rotation":"https://bitseal.orygn.tech/legal/rotation-policy","architecture":"https://bitseal.orygn.tech/docs/architecture"},"notes":["The web API signs seals with the current_key. CLI seals signed by the BitSeal-SDK on a local machine use a separate per-machine key and are not verifiable against this public key, but their Merkle tree follows the same manifest_spec.","Verify a seal by reconstructing the 40-byte message (hex-decode root_hash, then append the little-endian IEEE 754 double of timestamp_utc) and running an Ed25519 verify against current_key.public_key_pem. If it fails, try each historical_keys entry.","Independently verify file integrity by re-chunking the source bytes into 65536-byte windows, BLAKE3-hashing each chunk to reproduce merkle_tree, then folding up with the odd-layer-duplicate rule to reproduce root_hash.","The fingerprint is SHA-256 over the DER-encoded SubjectPublicKeyInfo. Reproduce with: openssl pkey -pubin -pubout -outform der | openssl dgst -sha256."],"authority":"Orygn LLC","service_url":"https://bitseal.orygn.tech/"}