# Verifying attestations

Once you have requested a signed attestation, verify it by checking that its PCRs match those of the enclave image built from the intended codebase. The attestation should also be signed by the right root key. DeepWorm uses Marlin's [ZK verifier](https://github.com/marlinprotocol/NitroProver) to verify attestations before it allows an enclave key to be registered on its contract.

Users can also verify attestations themselves using the oyster-verifier tool, which can be obtained from the links below:

```
Linux (amd64) - https://artifacts.marlin.org/oyster/binaries/verifier_6e1f6f06_linux_amd64
Linux (arm64) - https://artifacts.marlin.org/oyster/binaries/verifier_6e1f6f06_linux_arm64
Mac (amd64) - https://artifacts.marlin.org/oyster/binaries/verifier_6e1f6f06_darwin_amd64
Mac (arm64) - https://artifacts.marlin.org/oyster/binaries/verifier_6e1f6f06_darwin_arm64
```

oyster-verifier can also be built from code using:

```
$ git clone https://github.com/marlinprotocol/oyster-monorepo
$ cd oyster-monorepo/sdks/rs
$ cargo build --release
```

Once installed, extract the PCR values and root key by using the following command:

```
$ ./verifier --endpoint http://<enclave_domain>/attestation/raw
# The enclave_domain is available in the Contracts & IP Addresses section under the heading "WORM Brain Coprocessor".
```

The output should look something like:

```
verification successful: AttestationDecoded { timestamp: 1735045632258, pcrs: [[155, 69, 7, 32, 48, 171, 41, 104, 63, 71, 153, 67, 40, 240, 169, 212, 49, 45, 229, 3, 76, 164, 252, 150, 235, 170, 223, 199, 166, 50, 169, 56, 239, 188, 3, 72, 241, 189, 243, 229, 60, 130, 95, 133, 43, 9, 235, 134], [60, 157, 48, 63, 137, 133, 110, 195, 65, 9, 19, 56, 28, 50, 131, 80, 195, 45, 20, 210, 248, 106, 43, 74, 119, 135, 153, 139, 214, 215, 109, 143, 96, 252, 136, 254, 160, 148, 191, 90, 2, 178, 194, 223, 27, 122, 216, 50], [169, 62, 110, 65, 215, 188, 17, 195, 120, 32, 167, 76, 171, 28, 248, 146, 172, 221, 2, 190, 244, 15, 70, 34, 218, 30, 16, 60, 251, 145, 150, 177, 149, 166, 42, 54, 122, 252, 18, 41, 103, 226, 101, 235, 152, 80, 225, 86]], root_public_key: [252, 2, 84, 235, 166, 8, 193, 243, 104, 112, 226, 154, 218, 144, 190, 70, 56, 50, 146, 115, 110, 137, 75, 255, 246, 114, 217, 137, 68, 75, 80, 81, 229, 52, 164, 177, 246, 219, 227, 192, 188, 88, 26, 50, 183, 177, 118, 7, 14, 222, 18, 214, 154, 63, 234, 33, 27, 102, 231, 82, 207, 125, 209, 221, 9, 95, 111, 19, 112, 244, 23, 8, 67, 217, 220, 16, 1, 33, 228, 207, 99, 1, 40, 9, 102, 68, 135, 201, 121, 98, 132, 48, 77, 197, 63, 244], public_key: [194, 58, 170, 237, 155, 126, 83, 158, 127, 162, 151, 158, 80, 225, 59, 3, 186, 202, 149, 26, 25, 19, 151, 73, 99, 96, 175, 168, 78, 157, 154, 96, 144, 72, 161, 240, 250, 131, 152, 165, 139, 127, 59, 187, 157, 61, 43, 227, 141, 77, 192, 194, 254, 106, 86, 126, 35, 158, 128, 45, 110, 239, 113, 0] }
pcr0: 9b45072030ab29683f47994328f0a9d4312de5034ca4fc96ebaadfc7a632a938efbc0348f1bdf3e53c825f852b09eb86
pcr1: 3c9d303f89856ec3410913381c328350c32d14d2f86a2b4a7787998bd6d76d8f60fc88fea094bf5a02b2c2df1b7ad832
pcr2: a93e6e41d7bc11c37820a74cab1cf892acdd02bef40f4622da1e103cfb9196b195a62a367afc122967e265eb9850e156
root pubkey: fc0254eba608c1f36870e29ada90be46383292736e894bfff672d989444b5051e534a4b1f6dbe3c0bc581a32b7b176070ede12d69a3fea211b66e752cf7dd1dd095f6f1370f4170843d9dc100121e4cf63012809664487c9796284304dc53ff4
enclave pubkey: c23aaaed9b7e539e7fa2979e50e13b03baca951a191397496360afa84e9d9a609048a1f0fa8398a58b7f3bbb9d3d2be38d4dc0c2fe6a567e239e802d6eef7100
```

These values can then be matched against the expected PCRs of the DeepWorm enclave posted at <https://github.com/BrainsOnChain/DeepWorm/releases/tag/v1.0.0>. The root key should match AWS's root key, which can be extracted from AWS's root certificate as follows:

* Download and unzip <https://aws-nitro-enclaves.amazonaws.com/AWS_NitroEnclaves_Root-G1.zip>
* It contains a file named root.pem. Execute the following command:

  ```
  $ openssl x509 -in root.pem -noout -text
  ```
* The root key can be found next to the field with the heading `pub`:

  ```
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number:
              f9:31:75:68:1b:90:af:e1:1d:46:cc:b4:e4:e7:f8:56
          Signature Algorithm: ecdsa-with-SHA384
          Issuer: C = US, O = Amazon, OU = AWS, CN = aws.nitro-enclaves
          Validity
              Not Before: Oct 28 13:28:05 2019 GMT
              Not After : Oct 28 14:28:05 2049 GMT
          Subject: C = US, O = Amazon, OU = AWS, CN = aws.nitro-enclaves
          Subject Public Key Info:
              Public Key Algorithm: id-ecPublicKey
                  Public-Key: (384 bit)
                  pub:
                      04:fc:02:54:eb:a6:08:c1:f3:68:70:e2:9a:da:90:
                      be:46:38:32:92:73:6e:89:4b:ff:f6:72:d9:89:44:
                      4b:50:51:e5:34:a4:b1:f6:db:e3:c0:bc:58:1a:32:
                      b7:b1:76:07:0e:de:12:d6:9a:3f:ea:21:1b:66:e7:
                      52:cf:7d:d1:dd:09:5f:6f:13:70:f4:17:08:43:d9:
                      dc:10:01:21:e4:cf:63:01:28:09:66:44:87:c9:79:
                      62:84:30:4d:c5:3f:f4
                  ASN1 OID: secp384r1
                  NIST CURVE: P-384
          X509v3 extensions:
              X509v3 Basic Constraints: critical
                  CA:TRUE
              X509v3 Subject Key Identifier: 
                  90:25:B5:0D:D9:05:47:E7:96:C3:96:FA:72:9D:CF:99:A9:DF:4B:96
              X509v3 Key Usage: critical
                  Digital Signature, Certificate Sign, CRL Sign
      Signature Algorithm: ecdsa-with-SHA384
      Signature Value:
          30:66:02:31:00:a3:7f:2f:91:a1:c9:bd:5e:e7:b8:62:7c:16:
          98:d2:55:03:8e:1f:03:43:f9:5b:63:a9:62:8c:3d:39:80:95:
          45:a1:1e:bc:bf:2e:3b:55:d8:ae:ee:71:b4:c3:d6:ad:f3:02:
          31:00:a2:f3:9b:16:05:b2:70:28:a5:dd:4b:a0:69:b5:01:6e:
          65:b4:fb:de:8f:e0:06:1d:6a:53:19:7f:9c:da:f5:d9:43:bc:
          61:fc:2b:eb:03:cb:6f:ee:8d:23:02:f3:df:f6
  ```
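
The comparison described above can be scripted; the following is an added example, not part of the DeepWorm or Marlin tooling. `openssl` prints the key with a leading `04` byte (the uncompressed-point marker) that the verifier's `root pubkey` line omits, so the script strips it before comparing. The function names are illustrative, and the expected PCRs are passed in as arguments because they come from the release page.

```sh
# Added example, not DeepWorm or Marlin code; function names are illustrative.
# Assumes the verifier prints the "label: hex" lines shown on this page.
# Sample inputs copied from this page (first verifier line abbreviated).
SAMPLE_OUT='verification successful: AttestationDecoded { ... }
pcr0: 9b45072030ab29683f47994328f0a9d4312de5034ca4fc96ebaadfc7a632a938efbc0348f1bdf3e53c825f852b09eb86
pcr1: 3c9d303f89856ec3410913381c328350c32d14d2f86a2b4a7787998bd6d76d8f60fc88fea094bf5a02b2c2df1b7ad832
pcr2: a93e6e41d7bc11c37820a74cab1cf892acdd02bef40f4622da1e103cfb9196b195a62a367afc122967e265eb9850e156
root pubkey: fc0254eba608c1f36870e29ada90be46383292736e894bfff672d989444b5051e534a4b1f6dbe3c0bc581a32b7b176070ede12d69a3fea211b66e752cf7dd1dd095f6f1370f4170843d9dc100121e4cf63012809664487c9796284304dc53ff4'
SAMPLE_CERT='        pub:
            04:fc:02:54:eb:a6:08:c1:f3:68:70:e2:9a:da:90:
            be:46:38:32:92:73:6e:89:4b:ff:f6:72:d9:89:44:
            4b:50:51:e5:34:a4:b1:f6:db:e3:c0:bc:58:1a:32:
            b7:b1:76:07:0e:de:12:d6:9a:3f:ea:21:1b:66:e7:
            52:cf:7d:d1:dd:09:5f:6f:13:70:f4:17:08:43:d9:
            dc:10:01:21:e4:cf:63:01:28:09:66:44:87:c9:79:
            62:84:30:4d:c5:3f:f4
        ASN1 OID: secp384r1'

# X||Y hex of the key from `openssl x509 -noout -text` output on stdin: joins
# the lines under "pub:", drops colons and the leading 04 (uncompressed point).
openssl_pub_hex() {
  awk '/^ *pub:/ {grab=1; next}
       grab && /^ *[0-9a-f:]+ *$/ {printf "%s", $1; next}
       grab {exit}' | tr -d ':' | sed 's/^04//'
}

# Value of a "label: hex" line in the verifier output on stdin.
field() { sed -n "s/^$1: \([0-9a-f]*\)\$/\1/p"; }

# same <name> <got> <want> <hex length>: report unless equal and well-formed.
same() { [ "${#2}" -eq "$4" ] && [ "$2" = "$3" ] || { echo "$1 mismatch"; return 1; }; }

# check_attestation <verifier output> <openssl text> <pcr0> <pcr1> <pcr2>
# Expected PCRs are lowercase hex; returns 0 only if every value matches.
check_attestation() (
  out=$1; cert=$2; shift 2; rc=0
  printf '%s\n' "$out" | grep -q '^verification successful' || exit 1
  for i in 0 1 2; do   # a PCR is a SHA-384 digest: 96 hex characters
    same "pcr$i" "$(printf '%s\n' "$out" | field "pcr$i")" "$1" 96 || rc=1
    shift
  done                 # P-384 point without the 04 prefix: 192 hex characters
  same "root pubkey" "$(printf '%s\n' "$out" | field 'root pubkey')" \
    "$(printf '%s\n' "$cert" | openssl_pub_hex)" 192 || rc=1
  exit "$rc"
)

# Demo on the sample: the verifier's root key equals the certificate's pub field.
[ "$(printf '%s\n' "$SAMPLE_OUT" | field 'root pubkey')" = \
  "$(printf '%s\n' "$SAMPLE_CERT" | openssl_pub_hex)" ] && echo "root key matches"
```

For a live check, pass the captured output of `./verifier --endpoint ...`, the output of `openssl x509 -in root.pem -noout -text`, and the three PCR values published with the release.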

