Signatures

Verify in Go

Verify the Ed25519 signature of an acf-mcp output in Go using only the standard library — crypto/ed25519 and crypto/x509. No external dependency.

Note
No Go module dependencies. crypto/ed25519 has been in the standard library since Go 1.13. Build with go build -trimpath for a reproducible binary usable in CI or as an audit CLI tool.

Complete snippet

verify_doctrine.go
package main

import (
	"crypto/ed25519"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// publicKeySPKIB64 is the pinned verification key: standard-alphabet base64 of
// a DER SubjectPublicKeyInfo, which main requires to hold an Ed25519 key.
// The verdict is only as trustworthy as this constant, so copy it from a
// source you trust independently of the output being verified, and review any
// change to it as you would a change to a trust anchor.
const publicKeySPKIB64 = "MCowBQYDK2VwAyEAojtKfh20SGGV63LMETjZBXRWo2tY0viAYziG/y3/L0s="

// Signed holds the two fields of the tool output that the verifier reads.
// Any other field present in the JSON is ignored when decoding into it.
type Signed struct {
	// DoctrineHash is the string whose bytes main uses as the signed message.
	DoctrineHash string `json:"doctrine_hash"`
	// DoctrineSignature is the signature as base64 text; main strips an
	// optional "ed25519:" prefix before decoding it.
	DoctrineSignature string `json:"doctrine_signature"`
}

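// main verifies the Ed25519 signature carried in ./tool-output.json against
// the pinned key in publicKeySPKIB64. It prints a diagnostic and exits with
// status 1 on any failure; it returns normally (status 0) only when the
// signature verifies.
//
// Scope of the check: the signed message is the bytes of the doctrine_hash
// string and nothing else. A valid result means that this doctrine_hash value
// was signed by the pinned key. It says nothing about the other fields of
// tool-output.json, and it does not by itself show that the hash matches any
// particular content; callers relying on those must check them separately.
func main() {
	// 1. Decode the SPKI public key.
	spki, err := base64.StdEncoding.DecodeString(publicKeySPKIB64)
	if err != nil {
		fmt.Println("invalid public key encoding:", err)
		os.Exit(1)
	}
	pubAny, err := x509.ParsePKIXPublicKey(spki)
	if err != nil {
		fmt.Println("cannot parse public key:", err)
		os.Exit(1)
	}
	// ParsePKIXPublicKey also accepts RSA, ECDSA and other key types, so the
	// type assertion is what pins the algorithm to Ed25519.
	pub, ok := pubAny.(ed25519.PublicKey)
	if !ok {
		fmt.Println("public key is not Ed25519")
		os.Exit(1)
	}

	// 2. Load the signed tool output.
	bytesIn, err := os.ReadFile("tool-output.json")
	if err != nil {
		fmt.Println("cannot read tool output:", err)
		os.Exit(1)
	}
	// encoding/json matches keys case-insensitively and keeps the last of any
	// duplicate keys; a different parser reading the same file may pick a
	// different value, so act on the values verified here, not on a re-parse.
	var signed Signed
	if err := json.Unmarshal(bytesIn, &signed); err != nil {
		fmt.Println("cannot parse tool output:", err)
		os.Exit(1)
	}
	// A missing field decodes to "", which would otherwise be checked as a
	// signature over an empty message. Report it as a malformed input instead.
	if signed.DoctrineHash == "" {
		fmt.Println("tool output has no doctrine_hash")
		os.Exit(1)
	}
	if signed.DoctrineSignature == "" {
		fmt.Println("tool output has no doctrine_signature")
		os.Exit(1)
	}

	// 3. Recompute the signed message.
	message := []byte(signed.DoctrineHash)

	// 4. Decode the signature (strip "ed25519:" prefix, base64-decode).
	// A value carrying any other prefix fails here, because ':' is not part
	// of the base64 alphabet.
	sigB64 := strings.TrimPrefix(signed.DoctrineSignature, "ed25519:")
	signature, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		fmt.Println("invalid signature encoding:", err)
		os.Exit(1)
	}
	// ed25519.Verify returns false for a signature of the wrong size; checking
	// here separates a truncated or padded value from a cryptographic mismatch.
	if len(signature) != ed25519.SignatureSize {
		fmt.Printf("invalid signature length: got %d bytes, want %d\n", len(signature), ed25519.SignatureSize)
		os.Exit(1)
	}

	// 5. Verify.
	if !ed25519.Verify(pub, message, signature) {
		fmt.Println("✗ signature INVALID")
		os.Exit(1)
	}
	fmt.Println("✓ signature valid")
}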

Package it as a CLI

build.sh
# -trimpath keeps local filesystem paths out of the binary; -ldflags="-s -w"
# omits the symbol table and DWARF debug information.
go build -trimpath -ldflags="-s -w" -o acf-verify ./verify_doctrine.go
# Use:
./acf-verify  # reads ./tool-output.json
# Read $? straight away: 0 means the signature verified, 1 means any failure.
echo "exit=$?"

Failure modes

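  • signature INVALID + exit 1 — content tampered with or wrong public key. Re-run the output end to end. The check covers only the doctrine_hash string, so edits to other fields of tool-output.json are not detected by it.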
  • public key is not Ed25519 — the SPKI string does not encode an Ed25519 key. Check the acf-mcp version and the copy of the key.
  • cannot parse public key — the base64 is not valid DER. Check that no newline was inserted.