Locked & verifiable.
A pre-registered claim, anchored to a SHA-256 hash before the run. Anyone can re-derive it from the canonical bytes below.
6d85e0c3d3af446733f8777449f3ff617889dba99a04f7f27c73be763dedf98cversion: "prml/0.1" claim_id: "01971234-0000-7200-8002-000000000002" created_at: "2026-05-15T18:55:00Z" metric: "external_contributor_count" metric_args: resolve_at: "2026-05-22T23:59:00Z" source: "github.com/studio-11-co/falsify issues+PRs with label rfc-v0.2, excluding author sk8ordie84 and studio-11-co members" comparator: ">=" threshold: 3 dataset: id: "prml-v0.2-rfc-text" hash: "60b15080d0cc5882ca33047fa1374426e9bd11bb4b63adb606d4d60f9b0a3dff" uri: "https://github.com/studio-11-co…Note (2026-07-11): records committed before this date stored only a 500-byte preview, so this page cannot prove the full manifest. Re-verify offline against the original file.
[](https://registry.falsify.dev/6d85e0c3d3af446733f8777449f3ff617889dba99a04f7f27c73be763dedf98c)- uses: studio-11-co/prml-verify-action@v2
with:
mode: verdict
expected-hash: 6d85e0c3d3af446733f8777449f3ff617889dba99a04f7f27c73be763dedf98cgithub.com/studio-11-co/prml-verify-action →Verify this hash yourself
Paste your manifest YAML. The canonical hash must match 6d85e0c3d3af…. This runs the registry's own canonicalization module (canonical.js) in your browser; for verification that does not trust this registry at all, use any of the four reference implementations offline.
Verify the independent timestamp (RFC 3161, offline)
The token countersigns this manifest hash with the timestamp authority's key, so the time claim no longer rests on this registry. Verify with OpenSSL 3 (LibreSSL, the macOS default, cannot check the ESS extension):
curl -sO https://registry.falsify.dev/6d85e0c3d3af446733f8777449f3ff617889dba99a04f7f27c73be763dedf98c.tsr
curl -s https://timestamp.sigstore.dev/api/v1/timestamp/certchain -o chain.pem
awk 'split_after==1{n++;split_after=0} /END CERTIFICATE/{split_after=1} {print > ("tsa-" n ".pem")}' n=0 chain.pem
openssl ts -verify -digest 6d85e0c3d3af446733f8777449f3ff617889dba99a04f7f27c73be763dedf98c \
-in 6d85e0c3d3af.tsr -CAfile tsa-1.pem -untrusted tsa-0.pem
Expected output: Verification: OK.
What this receipt proves — and what it does not
- Proves: these manifest bytes hashed to this SHA-256, and the registry attests (Ed25519 signature over hash + timestamp, key at /pubkey) that it saw the hash at the recorded time.
- Timestamp: where an RFC 3161 token is present (the "Independent timestamp" row above), the time claim is countersigned by a public timestamp authority and verifiable offline; backdating it would require compromising that authority, not just this registry. Records without a token rest on the registry's clock alone until anchored. Transparency-log (Rekor) inclusion is still planned — see registry limitations.
- Does not prove: the claimed result. A PRML receipt proves the bar was locked before the run — never that the result is good.
- The signature covers hash + timestamp only, not the submitted handle. There is no key-rotation story yet; the current key id is served at /pubkey.
PRML v0.2 is a frozen RFC (comment window closed 2026-05-22) — spec.falsify.dev/v0.2-rfc. Editor: spec.falsify.dev/editor.