SSM-Clock Stamp – Build & (Optionally) Sign the Verify Pack (8.2)

Goal. Produce a small verify pack ZIP (verifiers + wrappers + one-screen spec) with an ASCII hash and optional ASCII signature. Entire flow is offline and plain ASCII.

1) Build the ZIP (one command)

call 40_ssmcs_make_verify_pack.cmd

Expected: [OK] Wrote: ...\verify_pack.zip

2) Emit the ASCII hash file (size + sha256)

call 41_ssmcs_hash_pack.cmd

Outputs (ASCII):

file=verify_pack.zip
size_bytes=<int>
sha256=<64-hex-lower>

3) Sanity-list ZIP contents (offline)

call 41b_ssmcs_list_pack.cmd

Expect one path per line (tools/, cmd/, README, optional policy/).

4) What to publish (minimal)

  • verify_pack.zip
  • verify_pack.zip.sha256.txt
    Optional: include a sample day’s anchor note so recipients can try rollup_D immediately.
    If using policy manifests, add POLICY.txt, ALGO.txt, FORMAT.txt and their commitment line:
    policy_sha256 = sha256( ascii(POLICY.txt|ALGO.txt|FORMAT.txt concatenation) )

5) Optional: sign the ZIP (Ed25519) and keep it ASCII

a) Generate once:

openssl genpkey -algorithm ED25519 -out ssmcs_ed25519_priv.pem
openssl pkey -in ssmcs_ed25519_priv.pem -pubout -out ssmcs_ed25519_pub.pem

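b) Sign the ZIP (Ed25519 signs the file itself rather than a digest, so pkeyutl needs -rawin; OpenSSL 3.0 or later):

openssl pkeyutl -sign -rawin -inkey ssmcs_ed25519_priv.pem -in verify_pack.zip -out verify_pack.zip.sig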

c) Make the signature ASCII (Base64):

certutil -encode verify_pack.zip.sig verify_pack.zip.sig.b64 >nul
type verify_pack.zip.sig.b64

Publish together: verify_pack.zip, verify_pack.zip.sha256.txt, verify_pack.zip.sig.b64, ssmcs_ed25519_pub.pem.

d) Third-party verification (offline; -rawin is required for Ed25519, OpenSSL 3.0 or later):

certutil -decode verify_pack.zip.sig.b64 verify_pack.zip.sig >nul
openssl pkeyutl -verify -rawin -pubin -inkey ssmcs_ed25519_pub.pem -in verify_pack.zip -sigfile verify_pack.zip.sig

Expected: exit code 0 (success).

6) Receiver’s quick check (one minute)

  1. Compare sha256 in verify_pack.zip.sha256.txt with local sha256(verify_pack.zip).
  2. If signature provided, verify with the public key.
  3. Unzip and run 33_ssmcs_verify_all.cmd on a folder with sidecars → expect VERDICT=PASS and LEDGER_OK=true.
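
Step 1 of the quick check as a strict parser and comparison, added here as an example and not part of the SSM-Clock Stamp tooling. The function names and the sample bytes are assumptions; only the file=/size_bytes=/sha256= layout comes from the hash file described above.

```python
import hashlib
import hmac
import re

HEX64 = re.compile(r"[0-9a-f]{64}")  # the page's <64-hex-lower>
KEYS = ("file", "size_bytes", "sha256")

def parse_hash_file(text):
    """Parse the file=/size_bytes=/sha256= lines; reject anything else."""
    if not text.isascii():
        raise ValueError("hash file must be plain ASCII")
    fields = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition("=")
        if not sep or key not in KEYS or key in fields:
            raise ValueError("unexpected or duplicate line: %r" % line)
        fields[key] = value
    if len(fields) != len(KEYS):
        raise ValueError("hash file needs file, size_bytes and sha256")
    if not fields["size_bytes"].isdigit() or not HEX64.fullmatch(fields["sha256"]):
        raise ValueError("malformed size_bytes or sha256")
    return fields["file"], int(fields["size_bytes"]), fields["sha256"]

def check_pack(pack_bytes, hash_text, expected_name="verify_pack.zip"):
    """Return a list of problems; an empty list means the pack matches."""
    name, size, digest = parse_hash_file(hash_text)
    problems = []
    if name != expected_name:
        problems.append("file name mismatch")
    if size != len(pack_bytes):
        problems.append("size mismatch")
    local = hashlib.sha256(pack_bytes).hexdigest()
    if not hmac.compare_digest(local, digest):
        problems.append("sha256 mismatch")
    return problems

# Constructed sample: a 22-byte empty ZIP archive stands in for the real pack.
SAMPLE_PACK = b"PK\x05\x06" + b"\x00" * 18
SAMPLE_HASH_TEXT = "file=verify_pack.zip\r\nsize_bytes=%d\r\nsha256=%s\r\n" % (
    len(SAMPLE_PACK), hashlib.sha256(SAMPLE_PACK).hexdigest())

if __name__ == "__main__":
    print(check_pack(SAMPLE_PACK, SAMPLE_HASH_TEXT))         # matching pack
    print(check_pack(SAMPLE_PACK + b"x", SAMPLE_HASH_TEXT))  # altered pack
```

A clean result only shows that the ZIP matches the hash file it arrived with. Authenticity comes from the signature check in step 2, or from obtaining the hash file over a separate channel.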
