tresor-verify is the Go CLI that wraps the same verifier logic as the tresor-attest SDKs but runs as a one-shot command. It is the right tool when you don't want to take on a runtime dependency — for example in CI pipelines, ad-hoc audits, or non-supported language stacks.
go install github.com/tresorhq/zero/receipts/cmd/tresor-verify@latest
A pre-built binary release is also published on the releases page.
Confirm the API endpoint is the audited Tresor router running inside an AMD SEV-SNP enclave:
tresor-verify attest \
--url https://api.tresor.co \
--release-root ./release-root.pub
PASS
TLS SPKI SHA-256: 9b8c…
SNP MEASUREMENT: 0e3b…
Workload identity tag: a1b2…
Trust bundle version: 17 (valid until 2026-05-01T00:00:00Z)
Add --json for machine-readable output, e.g. to compare against a previously recorded pin in CI.
| Flag | Purpose |
|---|---|
--url | Endpoint to verify (default: https://api.tresor.co). |
--release-root | Path to the release-root public key (PEM or raw 32-byte Ed25519). |
--json | Emit a structured JSON result. |
--max-age | Override the envelope cache TTL. |
The exit code is non-zero on any verification failure, so it composes naturally with shell scripts and CI step exit gating.
Pipe the authenticated receipt response directly into the CLI:
curl -s https://api.tresor.co/v1/receipts/7c9e6679-7425-40de-944b-e07fc1f90ae7 \
-H "Authorization: Bearer $TRESOR_API_KEY" \
| tresor-verify receipt \
--jwks-url https://api.tresor.co/.well-known/jwks.json \
-
PASS
Receipt type: message
Key ID: router-receipt-1
If you prefer a file-based flow, save the API response first and verify it later:
curl -s https://api.tresor.co/v1/receipts/7c9e6679-7425-40de-944b-e07fc1f90ae7 \
-H "Authorization: Bearer $TRESOR_API_KEY" \
> receipt.json
tresor-verify receipt \
--jwks-url https://api.tresor.co/.well-known/jwks.json \
receipt.json
tresor-verify receipt accepts the full API response shape ({ id, receipt }), the canonical { jws, payload? } envelope, or a bare compact JWS string.
tresor-attest SDK — programmatic equivalent for Python / Node / Go