npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@tinfoilsh/verifier

v1.1.3

Published

AMD SEV-SNP attestation verifier for Node.js and browsers

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

sachaservansachaservan

Keywords

attestationamdsev-snpverifier

Readme

@tinfoilsh/verifier

Browser-compatible TypeScript library for verifying AMD SEV-SNP attestation reports and Sigstore code provenance.

When to Use This Package

Most users should use the main tinfoil package instead. It includes this verifier and handles verification automatically.

Use @tinfoilsh/verifier directly when you need:

  • Standalone verification — Verify enclaves without making API requests
  • Custom verification flows — Verify before creating clients, or verify arbitrary enclaves
  • Lighter dependency — If you only need verification, not the full SDK
  • Audit/compliance tooling — Build tools that verify enclaves independently

Installation

npm install @tinfoilsh/verifier

Quick Start

import { Verifier } from '@tinfoilsh/verifier';

const verifier = new Verifier({
  serverURL: 'https://enclave.example.com',
  configRepo: 'tinfoilsh/confidential-model-router',
});
const attestation = await verifier.verify();

console.log(attestation.measurement);
console.log(attestation.tlsPublicKeyFingerprint);
console.log(attestation.hpkePublicKey);

Verifying a Pre-Fetched Bundle

If you already have a complete attestation bundle (for example, fetched via the tinfoil SDK's fetchAttestationBundle() helper), you can verify it directly:

import { Verifier } from '@tinfoilsh/verifier';
import type { AttestationBundle } from '@tinfoilsh/verifier';

const verifier = new Verifier({
  configRepo: 'tinfoilsh/confidential-model-router',
});

const bundle: AttestationBundle = /* fetch bundle from your source */;
await verifier.verifyBundle(bundle);

const doc = verifier.getVerificationDocument();
console.log(doc.securityVerified);

Error Handling

For callers that want structured error handling, these error classes are part of the public API:

  • ConfigurationError — client misconfigured (e.g., missing required options)
  • FetchError — network or HTTP errors when fetching attestation material
  • AttestationError — attestation verification failed (parsing, signatures, certificates, measurement mismatch, policy violation)

Inspecting Verification Results

The verification document contains detailed information about each step:

const doc = verifier.getVerificationDocument();

// Overall result
console.log(doc.securityVerified); // true if all checks passed

// Individual steps
console.log(doc.steps.fetchDigest);       // Fetched release digest from GitHub
console.log(doc.steps.verifyCode);        // Verified code via Sigstore
console.log(doc.steps.verifyEnclave);     // Verified AMD SEV-SNP attestation
console.log(doc.steps.compareMeasurements); // Compared code vs enclave measurements

// Measurements
console.log(doc.codeFingerprint);     // Expected measurement from signed release
console.log(doc.enclaveFingerprint);  // Actual measurement from enclave

What Gets Verified

The Verifier performs a multi-step verification:

  1. Fetch Release Digest — Gets the expected code digest from the signed GitHub release
  2. Verify Code Provenance — Uses Sigstore (Fulcio + Rekor) to verify the release signature
  3. Verify Enclave Attestation — Validates the AMD SEV-SNP attestation report and VCEK certificate chain
  4. Compare Measurements — Ensures the enclave is running the exact code from the signed release

Features

  • AMD SEV-SNP attestation verification (VCEK certificate chain validation)
  • Sigstore code provenance verification (Fulcio + Rekor)
  • TUF-based trusted root updates
  • Works in Node.js and browsers (uses Web Crypto API)

GitHub Proxy Dependency

This package fetches GitHub release metadata and attestation bundles via Tinfoil-hosted GitHub proxy endpoints (to avoid rate-limits/CORS issues). If your environment cannot reach these endpoints, verification that depends on GitHub release attestations will fail.

Relationship to tinfoil Package

The main tinfoil package includes this verifier and uses it automatically:

// tinfoil package — verification happens automatically
import { TinfoilAI } from 'tinfoil';
const client = new TinfoilAI({ apiKey: 'key' });
// Verification runs when you make your first request

// You can also access the verification document
const doc = await client.getVerificationDocument();

Use @tinfoilsh/verifier directly only if you have specific needs listed in "When to Use This Package" above.

Learn More

Development

npm run build
npm test
npm run test:browser