LatticeScan

Integrity

Verify a report

Every cryptographic inventory (CBOM) that LatticeScan generates is signed, so anyone who receives one can confirm it came from LatticeScan and has not been altered. The signature is ML-DSA-65 (NIST FIPS 204), the post-quantum digital signature standard. We sign our own assessments with the cryptography we help others adopt.

The public key

The signing key is published at latticescan.com/latticescan-signing-key.pem, key id 0a072a1bfe103179. The matching private key exists only in LatticeScan’s server environment. It is never in the website code and never in the downloadable scanner, so no one else can produce a report that verifies against this key.

Verify a signature

Download a report’s CBOM and the public key, then run this. It recomputes the signed bytes and checks them against the signature. No dependencies; Node 24 or newer.

import { createPublicKey, verify } from 'node:crypto';
import { readFileSync } from 'node:fs';

// deterministic JSON: sort object keys, keep array order, drop undefined, no whitespace
function canonicalize(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  if (v && typeof v === 'object')
    return '{' + Object.keys(v).filter(k => v[k] !== undefined).sort()
      .map(k => JSON.stringify(k) + ':' + canonicalize(v[k])).join(',') + '}';
  return JSON.stringify(v);
}

const doc = JSON.parse(readFileSync('example.com-cbom.json', 'utf8'));
const key = createPublicKey(readFileSync('latticescan-signing-key.pem'));
const { signature, ...rest } = doc;                       // sign covers everything but this member
const ok = verify(null, Buffer.from(canonicalize(rest)),
                  key, Buffer.from(signature.value, 'base64'));
console.log(ok ? 'genuine and unmodified' : 'INVALID');

The signature block records the algorithm, key id, public key location, and the exact canonicalization used, so the check is reproducible by anyone without our involvement.

What the signature proves

A valid signature means the report was produced by LatticeScan and has not been changed by so much as one character since. A failed check means the file was altered or did not come from us. This is what stops anyone from forging a LatticeScan assessment or editing a grade.

The internal scanner

The internal scanner runs on your own machine and holds no private key, by design: nothing leaves your environment, so it cannot sign your individual results. Instead it carries a fixed provenance signature, under the same key, that certifies the tool and its output format are authentic LatticeScan software. Its CBOM includes the signed statement and the public key, so you can verify the tool’s origin offline.