Every Vertifile document is bound to its content by a SHA-256 hash and dual-signed with Ed25519 and HMAC-SHA256. Anyone can verify a document against our published public key — no account, no API, no trust in us required.
Four properties protect every document. None of them depend on Vertifile staying online.
We sign the SHA-256 hash of the document content together with the issuing organization, timestamp, and recipient binding in one canonical payload. Change a single byte and both signatures break.
Each document carries an HMAC-SHA256 tag and an Ed25519 signature over the same payload. The Ed25519 signature is verifiable by anyone using our published public key — the HMAC is for our own API.
With Blind mode, your document is encrypted in your browser before it ever leaves your device. We store only a hash and an obfuscated rendering — we cannot read the content, and we cannot reconstruct it.
Document hashes are anchored on the Polygon blockchain, giving each protected document an independent, public timestamp that no one — including Vertifile — can backdate or rewrite.
Ed25519 (RFC 8032) is the same primitive used by OpenSSH, Signal, WireGuard, and age. No custom crypto, no hand-rolled primitives — just well-reviewed, patent-free building blocks.
The PVF container uses the IANA-registered media type application/vnd.vertifile.pvf, and the core signing mechanism is the subject of a pending patent in Israel.
Our Ed25519 public key is published openly. A third party with no relationship to Vertifile can fetch it, reconstruct the signed payload from a document's embedded metadata, and verify the signature in about ten lines of code. If Vertifile disappeared tomorrow, every document already issued would still verify.
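The verification flow described above, as an added example in Node.js that is not Vertifile's own code: it recomputes the SHA-256 content hash, rebuilds the signed payload, and checks the Ed25519 signature. The metadata field names, the JSON-array canonical encoding, and the base64 signature encoding are assumptions (the page does not specify the PVF layout), and a throwaway key pair stands in for the published key.

```javascript
// Added illustration. Field names and the canonical encoding are assumptions,
// not Vertifile's documented PVF format.
const { createHash, createPublicKey, generateKeyPairSync, sign, verify } = require('node:crypto');

// Assumed canonical form: the four bound fields in a fixed order, as compact JSON.
function canonicalPayload(meta) {
  const fields = [meta.contentHash, meta.issuer, meta.issuedAt, meta.recipient];
  return Buffer.from(JSON.stringify(fields), 'utf8');
}

// Returns 'valid', 'content-mismatch' or 'bad-signature'.
function verifyDocument(content, meta, signatureB64, publicKeyPem) {
  const actualHash = createHash('sha256').update(content).digest('hex');
  if (actualHash !== meta.contentHash) return 'content-mismatch';
  const key = createPublicKey(publicKeyPem);
  if (key.asymmetricKeyType !== 'ed25519') throw new Error('expected an Ed25519 public key');
  const sig = Buffer.from(signatureB64, 'base64');
  // Ed25519 takes no separate digest, so the algorithm argument is null.
  return verify(null, canonicalPayload(meta), key, sig) ? 'valid' : 'bad-signature';
}

// Constructed sample: a throwaway key pair stands in for the published key.
function buildSample() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const content = Buffer.from('Diploma: Jane Example, BSc 2024', 'utf8');
  const meta = {
    contentHash: createHash('sha256').update(content).digest('hex'),
    issuer: 'Example University',
    issuedAt: '2024-06-30T12:00:00Z',
    recipient: 'jane@example.org',
  };
  const signatureB64 = sign(null, canonicalPayload(meta), privateKey).toString('base64');
  const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  return { content, meta, signatureB64, publicKeyPem };
}

function demo() {
  const s = buildSample();
  const tampered = Buffer.from(s.content);
  tampered[0] ^= 0x01; // flip one bit of the document
  const rebound = { ...s.meta, recipient: 'someone-else@example.org' }; // metadata edited, signature kept
  return {
    original: verifyDocument(s.content, s.meta, s.signatureB64, s.publicKeyPem),
    tamperedContent: verifyDocument(tampered, s.meta, s.signatureB64, s.publicKeyPem),
    changedRecipient: verifyDocument(s.content, rebound, s.signatureB64, s.publicKeyPem),
  };
}

console.log(demo());
```

Checking the content hash before the signature separates a modified document from modified metadata. Updating the embedded hash to match altered content only moves the failure to the signature check.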
/.well-known/vertifile-pubkey.pem and confirm its fingerprint against our published Security policy.
openssl, Node, or Python — no Vertifile API and no account needed.
If you believe you have found a way to forge a signature, bypass verification, extract a key, or break any guarantee we make, we want to hear from you. Email security@vertifile.com with steps to reproduce and we will respond.
Our machine-readable policy follows RFC 9116 and is published at /.well-known/security.txt.