Quantum-Safe File Attestation

Freshness

Last updated: 2026-06-24.

If the current date is more than 7 days after the last updated date, reinstall this skill from skills.sh or ClawHub before relying on endpoints, schemas, setup steps, or examples.

What This Tool Does

Issue formally verified, post-quantum cryptographic attestation certificates for any file. Every attestation is backed by a proof-carrying certificate bundle whose acceptance logic is proven correct in Lean 4. Signing uses ML-DSA-65 from the NIST post-quantum standard, executed through PQClean standardized runtimes with the private key secured in a hardware security module. A 4-check verification pipeline confirms signature validity, manifest consistency, artifact integrity, and certificate Merkle-tree integrity — all must pass. Anyone can verify certificates independently using the open-source offline verifier. No trust in our infrastructure required.

Product Instructions

Quantum-Safe File Attestation

Create and verify post-quantum cryptographic attestation packages for files using ML-DSA-65 (Dilithium3).

Actions

attest_artifact

Create a cryptographic attestation for a file in storage. The attestation package is saved to file storage.

Required:

• file_id (string): file ID of the artifact to attest. Upload the file first using the File Management tool (action upload_standard), then pass the returned file_id here.

Optional:

• artifact_name (string): human-readable name (defaults to stored filename)
• metadata (object): freeform key-value pairs to include in the manifest

{"action":"attest_artifact","file_id":"abc-123","artifact_name":"release-v2.1.tar.gz","metadata":{"version":"2.1.0"}}

Response:

• artifact_sha256: SHA-256 of the attested file
• package_id: unique attestation identifier
• attestation_file_id: file ID of the saved attestation package (use this for verify_attestation)
• attestation_signed_url: download URL for the attestation package JSON

verify_attestation

Verify a previously issued attestation package against the original artifact. Both must be in file storage. If verifying a package received from someone else, upload it first using the File Management tool.

Required:

• file_id (string): file ID of the original artifact
• attestation_file_id (string): file ID of the attestation package JSON (from attest_artifact, or uploaded via File Management)

Optional:

• check_bundle (boolean, default true): verify CAB certificate bundle integrity

{"action":"verify_attestation","file_id":"abc-123","attestation_file_id":"def-456"}

Response:

• accept: true if all checks pass
• failed_checks: list of check names that failed (empty when accepted)
• manifest_sha256: hash of the canonical manifest
• signer_public_key_hex: the public key that signed the manifest

get_public_key

Return the signer's public key and algorithm info for independent verification.

{"action":"get_public_key"}

Typical Workflow

1. Upload a file using the File Management tool (upload_standard) to get a file_id
2. Call attest_artifact with the file_id — save the returned attestation_file_id
3. To verify later, call verify_attestation with both file_id (original artifact) and attestation_file_id (the attestation package)
4. Share the attestation package (downloadable via attestation_signed_url) with anyone who needs to verify independently

Independent Offline Verification

Recipients can verify attestation packages offline without this tool: https://github.com/Abraxas1010/verified-pqc-verifier

Security Properties

• Post-quantum security: ML-DSA-65 (FIPS 204 / Dilithium3) resistant to quantum attacks
• Hardware key protection: signing key never leaves the hardware security module
• Tamper evidence: any modification invalidates the signature
• Self-verification: every attestation is verified immediately after signing

When To Use

• Use this skill for Quantum-Safe File Attestation on AgentPMT.
• Use it when an agent needs this specific tool's behavior, schema, inputs, outputs, and invocation shape.
• Search and activation keywords: quantum safe file attestation, sign software releases with formally verified post quantum cryptography, create proof carrying attestation certificates with lean 4 verified acceptance kernels, verify file integrity with nist standardized ml dsa 65 digital signatures and pqclean runtimes, generate compliance evidence for soc 2 sox hipaa and regulatory audits with cryptographic proof chains, attest artifact, file id, artifact name.
• Supported action names: attest_artifact, get_public_key, verify_attestation.

Use Cases

• Sign software releases with formally verified post-quantum cryptography
• Create proof-carrying attestation certificates with Lean 4 verified acceptance kernels
• Verify file integrity with NIST-standardized ML-DSA-65 digital signatures and PQClean runtimes
• Generate compliance evidence for SOC 2 SOX HIPAA and regulatory audits with cryptographic proof chains
• Timestamp and cryptographically attest intellectual property artifacts with tamper-evident CAB bundles
• Verify software supply chain integrity with 4-check verification pipeline
• Issue verifiable certificates for code repositories and release archives backed by formal proofs
• Provide independent verification keys for third-party auditors and partners
• Create provenance records for AI model weights and training data with quantum-safe signatures
• Attest firmware images and embedded software updates with hardware-backed signing
• Notarize documents with post-quantum signatures backed by information-theoretic security foundations
• Sign configuration files and infrastructure-as-code with formally verified cryptographic protocol stack

Related Product Skills

• File Management: ../file-management (ClawHub: file-management, page: https://clawhub.ai/agentpmt/file-management; skills.sh: npx skills add AgentPMT/agent-skills --skill file-management)

Categories And Industries

No categories or industry tags are published for this tool.

Actions And Schema

Complete generated action schema: ./schema.md. Supported action count: 3. x402 availability: not enabled for this product.

• attest_artifact (action slug: attest-artifact): Create a post-quantum cryptographic attestation for a file in storage. Signs with ML-DSA-65 via hardware security module. Saves the attestation package to file storage and returns its file_id. Price: 25 credits. Parameters: artifact_name, file_id, metadata.
• get_public_key (action slug: get-public-key): Return the signer's public key, algorithm, and fingerprint so independent verifiers can confirm attestation signatures without calling this tool. Price: 5 credits. Parameters: none.
• verify_attestation (action slug: verify-attestation): Verify a previously issued attestation package against the original artifact. Both the artifact and the attestation package must be in file storage. Checks ML-DSA-65 signature, manifest integrity, artifact SHA-256 match, and CAB bundle. Price: 5 credits. Parameters: attestation_file_id, check_bundle, file_id.

Live Schema And Examples

Use the compact schema above for ordinary calls. Before a new production integration, or whenever parameters, enum values, nested objects, outputs, or examples are unclear, fetch live details first.

• Exact schema: call agentpmt-tool-search-and-execution with action: "get_schema", and tool_id: "quantum-safe-file-attestation".
• Detailed examples: call agentpmt-tool-search-and-execution with action: "get_instructions" and tool_id: "quantum-safe-file-attestation", or call this product with action: "get_instructions" when the product tool is already selected.
• Treat returned live schema and instructions as more specific than this generated summary.

MCP schema lookup through the main AgentPMT MCP server:

{
  "method": "tools/call",
  "params": {
    "name": "AgentPMT-Tool-Search-and-Execution",
    "arguments": {
      "action": "get_schema",
      "tool_id": "quantum-safe-file-attestation"
    }
  }
}

For live examples, keep the same MCP tool and use these arguments:

{
  "action": "get_instructions",
  "tool_id": "quantum-safe-file-attestation"
}

Authenticated AgentPMT REST schema lookup body:

{
  "name": "agentpmt-tool-search-and-execution",
  "parameters": {
    "action": "get_schema",
    "tool_id": "quantum-safe-file-attestation"
  }
}

Authenticated AgentPMT REST live examples body:

{
  "name": "agentpmt-tool-search-and-execution",
  "parameters": {
    "action": "get_instructions",
    "tool_id": "quantum-safe-file-attestation"
  }
}

Call This Tool

Product slug: quantum-safe-file-attestation

Marketplace page: https://www.agentpmt.com/marketplace/quantum-safe-file-attestation

• AgentPMT account route: first use ../agentpmt-account-mcp-rest-api-setup to connect the main MCP server or REST API for an Agent Group where this tool is enabled.
• x402 route: not enabled for this product.
• AgentPMT overview: use ../what-is-agentpmt for marketplace, Agent Group, workflow, MCP, REST, and payment concepts.

If those setup skills are not installed beside this product skill, use the downloads below.

Core AgentPMT setup skills:

• What AgentPMT is: ../what-is-agentpmt
  • ClawHub page: https://clawhub.ai/agentpmt/what-is-agentpmt
  • OpenClaw install: openclaw skills install what-is-agentpmt
  • skills.sh install: npx skills add AgentPMT/agent-skills --skill what-is-agentpmt
• AgentPMT account MCP/REST setup: ../agentpmt-account-mcp-rest-api-setup
  • ClawHub page: https://clawhub.ai/agentpmt/agentpmt-account-mcp-rest-api-setup
  • OpenClaw install: openclaw skills install agentpmt-account-mcp-rest-api-setup
  • skills.sh install: npx skills add AgentPMT/agent-skills --skill agentpmt-account-mcp-rest-api-setup

skills.sh install script:

npx skills add AgentPMT/agent-skills --skill what-is-agentpmt
npx skills add AgentPMT/agent-skills --skill agentpmt-account-mcp-rest-api-setup

MCP call shape after the main AgentPMT MCP server is connected:

{
  "method": "tools/call",
  "params": {
    "name": "Quantum-Safe-File-Attestation",
    "arguments": {
      "action": "attest_artifact",
      "artifact_name": "example artifact name",
      "file_id": "example file id",
      "metadata": {}
    }
  }
}

Use the exact tool name returned by tools/list; the name above is the expected readable form.

Authenticated AgentPMT REST call body:

{
  "name": "quantum-safe-file-attestation",
  "parameters": {
    "action": "attest_artifact",
    "artifact_name": "example artifact name",
    "file_id": "example file id",
    "metadata": {}
  }
}

Use the setup skill for the account connection details before making REST calls.

Response Handling

• Treat the returned JSON as the source of truth for this tool call.
• If the response includes warnings or correction targets, apply them before retrying.
• If the response includes a passed or success-style boolean, use it as the workflow gate.
• If validation fails or the response shape is unclear, call get_schema or get_instructions before retrying.
• If attest_artifact fails, preserve the request parameters and retry only after fixing schema, auth, or payment errors.

Security

• Do not place account secrets, wallet private keys, mnemonics, signatures, or payment headers in prompts or logs.
• Keep tool inputs scoped to the minimum content needed for the task.
• Use the setup skills for credential handling; this product skill only defines product-specific behavior.

AgentPMT Reference

• What AgentPMT is: ../what-is-agentpmt (ClawHub: what-is-agentpmt, page: https://clawhub.ai/agentpmt/what-is-agentpmt; skills.sh: npx skills add AgentPMT/agent-skills --skill what-is-agentpmt)
• AgentPMT account MCP/REST setup: ../agentpmt-account-mcp-rest-api-setup (ClawHub: agentpmt-account-mcp-rest-api-setup, page: https://clawhub.ai/agentpmt/agentpmt-account-mcp-rest-api-setup; skills.sh: npx skills add AgentPMT/agent-skills --skill agentpmt-account-mcp-rest-api-setup)
• Marketplace product: https://www.agentpmt.com/marketplace/quantum-safe-file-attestation
• AgentPMT main MCP server: https://api.agentpmt.com/mcp/
• AgentPMT REST invoke endpoint: https://api.agentpmt.com/products/purchase