Verify our claims
Trust you cannot check is just branding. This page shows how to verify the platform's claims yourself, rather than taking them on faith.
Verify a signed audit export
The audit log is append-only and hash-chained, and an export can be signed. To check one:
- Export the audit log from the Compliance area of the console. The export is a line-delimited file; the final line carries the signature, the digest it covers, and the identifier of the signing key.
- Fetch the platform's audit public key from its published verification endpoint.
- Recompute the digest over the export's content lines and check the signature against the public key.
If the signature verifies, the export is exactly what the platform produced — no line added, removed or altered. If any record had been tampered with, the hash-chain check inside the export would point to the first broken link.
Inspect the live trust material
Open the Trust Center in the console. Everything there is read live from the running system at request time:
- Confirm that root and targets are marked offline, and check each role's key identifiers, threshold and expiry.
- Inspect the device certificate authority — its subject, SHA-256 fingerprint, validity and chain.
Because these values are recomputed on each request, a screenshot is a point-in- time proof you can keep alongside a security questionnaire.
Confirm the update anchor on a device
Each device is provisioned with the update root metadata as its pinned trust anchor. You can read that anchor on the device and compare its key identifiers against what the Trust Center shows for the root role. They match because the device verifies every update against exactly this anchor — not against the server it downloaded from.
The point
None of this requires trusting Meshanics. The audit export is checkable against a published key; the trust material is computed, not asserted; and the device's anchor is yours to inspect. That is what "zero-trust" is supposed to mean.