Sovrient EU AI Act Verifier Bundle

A signed, replay-verifiable agent-output artifact for a bounded evidence bundle over Article 113 and Annex III.

Boundary notice: This artifact verifies the integrity and replayability of the included evidence bundle and its claim boundaries. It is not legal advice, an EU AI Act compliance determination, a conformity assessment under the EU AI Act or any national implementing measure, an official benchmark score, or a substitute for counsel, regulators, or conformity assessment bodies.

Digest Surface

source twin: sha256:6b9164ebffdbd788cfebfc074d75c7eb82b02efaa340b10c4f7439b3636e9bf9

Source twin means the digest of the published Sovrient EU AI Act v1.0 standards twin used as the source substrate for this bundle.

archive: 67eb9e44766e296bf97a80eea4f28c878eeea65eb2d0274f7564974fa8c48e77

manifest: sha256:0f12848f9ed6f70392ec51a9531ac3782df7f6a6bb138aaca410c02149b25870

verify report: sha256:c9437298367448e82bca2b9db858e1dd675a79a0f40090d6cea7eb292933fb6d

signer: GPG 231DF589D89C25FAD7A8E8E685F9BA1E0016C226

Signer identity: this fingerprint is the Sovrient EU AI Act Verifier release key for this bundle. See KEY_POLICY for trust and rotation details.

Verify

Requires Python 3.11+, pip, gpg, curl, sha256sum, and an ai-act-agent checkout with ai-act-skills checked out as a sibling directory. Review the full key fingerprint against an out-of-band source before relying on the signature.

Run the following from the ai-act-agent checkout. The first command imports the signer's public key:

gpg --keyserver hkps://keys.openpgp.org \
  --recv-keys 231DF589D89C25FAD7A8E8E685F9BA1E0016C226
python3 -m pip install -r requirements-dev.txt
curl -O https://www.sovrient.com/standards/eu/ai-act/1.0/verifier/ai-act-article-113-annex-iii-33aeab7.tar.gz
curl -O https://www.sovrient.com/standards/eu/ai-act/1.0/verifier/ai-act-article-113-annex-iii-33aeab7.tar.gz.sha256
sha256sum -c ai-act-article-113-annex-iii-33aeab7.tar.gz.sha256
tar -xzf ai-act-article-113-annex-iii-33aeab7.tar.gz
gpg --verify ai-act-article-113-annex-iii-33aeab7/manifest.json.sig \
  ai-act-article-113-annex-iii-33aeab7/manifest.json
python3 -m ai_act_agent.cli verify ai-act-article-113-annex-iii-33aeab7 \
  --require-eval \
  --require-signature

The expected result is PASS with all replay checks true and empty check_reasons.

{
  "result": "PASS",
  "manifest_digest": "sha256:0f12848f9ed6f70392ec51a9531ac3782df7f6a6bb138aaca410c02149b25870",
  "report_digest": "sha256:c9437298367448e82bca2b9db858e1dd675a79a0f40090d6cea7eb292933fb6d",
  "check_reasons": {}
}
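
The gpg --verify step above exits successfully for a good signature from any key in the local keyring, so a scripted check should also pin the signer to the fingerprint listed under Digest Surface. The following is an added example, not part of the Sovrient bundle or tooling: it parses gpg's machine-readable status output and accepts the manifest only when a good signature comes from that release key. The function names, OTHER_FPR and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Sovrient tooling: pin the manifest signature to the
# release-key fingerprint published on this page.
EXPECTED_FPR=231DF589D89C25FAD7A8E8E685F9BA1E0016C226

# check_signer FPR: reads `gpg --status-fd 1 --verify` output on stdin.
# Succeeds only if gpg reported GOODSIG, a VALIDSIG line names FPR (as the
# signing key or as its primary key), and no bad/expired/revoked status
# appears. VALIDSIG alone is not enough: gpg also emits it for signatures
# made by expired or revoked keys.
check_signer() {
  awk -v want="$1" '
    BEGIN { want = toupper(want) }
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "GOODSIG" { good = 1 }
    # VALIDSIG: field 3 is the signing (sub)key fingerprint and the last
    # field is the primary key fingerprint.
    $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { pinned = 1 }
    END { exit !(good && pinned && !bad) }
  '
}

# verify_manifest DIR: run the check against an extracted bundle directory.
verify_manifest() {
  gpg --status-fd 1 --verify "$1/manifest.json.sig" "$1/manifest.json" 2>/dev/null |
    check_signer "$EXPECTED_FPR"
}

# Constructed status output for offline checks (user IDs, dates and the
# second fingerprint are made up).
OTHER_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_status() {  # $1 = status keyword, $2 = fingerprint
  kid=$(printf %s "$2" | cut -c25-40)
  printf '[GNUPG:] NEWSIG\n'
  printf '[GNUPG:] %s %s Example Key <key@example.invalid>\n' "$1" "$kid"
  printf '[GNUPG:] VALIDSIG %s 2025-01-01 1735689600 0 4 0 1 10 00 %s\n' "$2" "$2"
}

sample_status GOODSIG "$EXPECTED_FPR" | check_signer "$EXPECTED_FPR" &&
  echo "pinned release key: accepted"
sample_status GOODSIG "$OTHER_FPR" | check_signer "$EXPECTED_FPR" ||
  echo "other keyring key: rejected"
sample_status EXPKEYSIG "$EXPECTED_FPR" | check_signer "$EXPECTED_FPR" ||
  echo "expired release key: rejected"
```

After extraction, call verify_manifest ai-act-article-113-annex-iii-33aeab7 and treat a non-zero exit status as a failed signature check.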

Replay Scope

The verifier replays file sidecars, canonical digests, source-twin membership, evidence-bundle digest construction, citation validation, synthesis validation, graph consistency, manifest consistency, eval report replay, and the detached GPG signature over the manifest.

Those checks group into integrity checks over bytes and canonical digests, evidentiary checks over cited source membership and validation predicates, and authenticity checks over the detached manifest signature.

What This Proves

A passing strict verification proves that the downloaded bundle bytes match their sidecars, the manifest and graph digests replay, cited evidence resolves against the published EU AI Act v1.0 source twin, validation predicates pass, the eval report replays, and the manifest signature verifies against the named release key.

It does not prove that a system is compliant with the EU AI Act, that a conformity assessment has occurred, that regulators endorse the result, or that the bundle is an official benchmark score.