Locked & verifiable.
A pre-registered claim, anchored to a SHA-256 hash before the run. Anyone can re-derive it from the canonical bytes below.
4b6a9194bb187b88b2c90e7d9b8081885a9c4453b5bd6b79b7445d026ce601ceversion: "prml/0.1" claim_id: "01971234-0000-7100-8001-000000000001" created_at: "2026-05-15T18:55:00Z" metric: "unique_producer_count" metric_args: resolve_at: "2026-06-15T23:59:59Z" source: "registry.falsify.dev KV — count of distinct producer.id values excluding falsify.dev and studio-11.co" comparator: ">=" threshold: 25 dataset: id: "prml-v0.1-spec" hash: "62a3e082fe357dd35ffec437fc5c7dc2daee5419b049200e0e8b6b274a23e49c" uri: "https://github.com/studio-11-co/falsify/blob/main/spec…Note (2026-07-11): records committed before this date stored only a 500-byte preview, so this page cannot prove the full manifest. Re-verify offline against the original file.
[](https://registry.falsify.dev/4b6a9194bb187b88b2c90e7d9b8081885a9c4453b5bd6b79b7445d026ce601ce)- uses: studio-11-co/prml-verify-action@v2
with:
mode: verdict
expected-hash: 4b6a9194bb187b88b2c90e7d9b8081885a9c4453b5bd6b79b7445d026ce601cegithub.com/studio-11-co/prml-verify-action →Verify this hash yourself
Paste your manifest YAML. The canonical hash must match 4b6a9194bb18…. This runs the registry's own canonicalization module (canonical.js) in your browser; for verification that does not trust this registry at all, use any of the four reference implementations offline.
Verify the independent timestamp (RFC 3161, offline)
The token countersigns this manifest hash with the timestamp authority's key, so the time claim no longer rests on this registry. Verify with OpenSSL 3 (LibreSSL, the macOS default, cannot check the ESS extension):
curl -sO https://registry.falsify.dev/4b6a9194bb187b88b2c90e7d9b8081885a9c4453b5bd6b79b7445d026ce601ce.tsr
curl -s https://timestamp.sigstore.dev/api/v1/timestamp/certchain -o chain.pem
awk 'split_after==1{n++;split_after=0} /END CERTIFICATE/{split_after=1} {print > ("tsa-" n ".pem")}' n=0 chain.pem
openssl ts -verify -digest 4b6a9194bb187b88b2c90e7d9b8081885a9c4453b5bd6b79b7445d026ce601ce \
-in 4b6a9194bb18.tsr -CAfile tsa-1.pem -untrusted tsa-0.pem
Expected output: Verification: OK.
What this receipt proves — and what it does not
- Proves: these manifest bytes hashed to this SHA-256, and the registry attests (Ed25519 signature over hash + timestamp, key at /pubkey) that it saw the hash at the recorded time.
- Timestamp: where an RFC 3161 token is present (the "Independent timestamp" row above), the time claim is countersigned by a public timestamp authority and verifiable offline; backdating it would require compromising that authority, not just this registry. Records without a token rest on the registry's clock alone until anchored. Transparency-log (Rekor) inclusion is still planned — see registry limitations.
- Does not prove: the claimed result. A PRML receipt proves the bar was locked before the run — never that the result is good.
- The signature covers hash + timestamp only, not the submitted handle. There is no key-rotation story yet; the current key id is served at /pubkey.
PRML v0.2 is a frozen RFC (comment window closed 2026-05-22) — spec.falsify.dev/v0.2-rfc. Editor: spec.falsify.dev/editor.