opena2a verify
Binary integrity verification against the OpenA2A Trust Registry.
Usage
opena2a verify [options]
Description
Compares SHA-256 hashes of locally installed OpenA2A packages against the Trust Registry at api.oa2a.org. Checks trust profiles, oracle signatures (Ed25519), and dependency risk counts.
Options
| Flag | Description |
|---|---|
| --package <name> | Verify a specific package instead of all. |
| --registry-url <url> | Registry URL. Default: https://api.oa2a.org |
| --format <text\|json> | Output format. |
| --ci | CI mode. |
| --verbose | Verbose output. |
Verifiable Packages
- hackmyagent
- secretless-ai
- aibrowserguard
- ai-trust
Verification Checks
- SHA-256 hash comparison against registry records
- Trust profile: score (0-100), verdict (trusted / caution / untrusted)
- Oracle signature verification (Ed25519)
- Dependency risk count
Examples
# Verify all installed packages
opena2a verify

# Verify a specific package
opena2a verify --package hackmyagent

# CI pipeline with custom registry
opena2a verify --ci --format json --registry-url https://registry.internal.com
Expected Output
$ opena2a verify

Package Integrity Verification
===============================
Registry: https://api.oa2a.org

hackmyagent@0.10.5
  SHA-256:  MATCH (a3f8c1...d92e4b)
  Trust:    92/100 (trusted)
  Oracle:   Signed (Ed25519 verified)
  Dep Risk: 0 known vulnerabilities

secretless-ai@0.11.4
  SHA-256:  MATCH (b7d2e9...f14a8c)
  Trust:    88/100 (trusted)
  Oracle:   Signed (Ed25519 verified)
  Dep Risk: 0 known vulnerabilities

aibrowserguard@1.2.0
  SHA-256:  MATCH (c9e4f2...a83b7d)
  Trust:    85/100 (trusted)
  Oracle:   Signed (Ed25519 verified)
  Dep Risk: 1 low-severity issue

ai-trust@0.3.1
  SHA-256:  MATCH (d1a7b3...c52e9f)
  Trust:    90/100 (trusted)
  Oracle:   Signed (Ed25519 verified)
  Dep Risk: 0 known vulnerabilities

Result: 4/4 packages verified
How It Works
The verify command performs four checks for each installed package:
- Hash comparison -- Computes the SHA-256 hash of the locally installed package and compares it against the hash recorded in the Trust Registry at api.oa2a.org.
- Trust profile lookup -- Retrieves the trust score (0-100) and verdict (trusted, caution, or untrusted) from the registry.
- Oracle signature -- Validates the Ed25519 digital signature attached to the registry record to confirm the data has not been tampered with.
- Dependency risk -- Reports the count of known vulnerabilities in the package dependency tree.
Common Workflows
# Verify after installing a new package
npm install hackmyagent
opena2a verify --package hackmyagent
# CI pipeline verification step
npx opena2a-cli verify --ci --format json > verify-report.json
jq -e '.allVerified == true' verify-report.json
Error Handling
If a package hash does not match the registry record, the command reports a MISMATCH warning and exits with code 1 in CI mode. When the registry is unreachable, the command reports a connectivity error but does not fail -- it notes that verification could not be completed. If a specified package is not installed locally, the command reports it as not found and skips verification for that package.