
How Log Signing Works

MTC Skopos signs analysis result log files (.log) with Ed25519 digital signatures to give auditors tamper-evident evidence. Each log file includes a __signature__ section containing:

  • SHA-256 checksum of the log content
  • Ed25519 digital signature of the log content
  • Key ID identifying which signing key was used

Download audit logs are also signed using the same mechanism, so all exported data maintains a verifiable chain of integrity.

What the signature proves

| Guarantee | Meaning |
|---|---|
| Integrity | The log file has not been modified since it was generated |
| Software attestation (embedded key) | The file was produced by an authentic copy of MTC Skopos |
| Non-repudiation (BYOK) | The file was signed by a specific organization's private key |

Embedded key vs. BYOK

MTC Skopos ships with an embedded signing key that provides software attestation: it proves the file was generated by the tool. For most audit frameworks, this is sufficient.

For regulatory or compliance scenarios requiring stronger guarantees, you can configure Bring Your Own Key (BYOK) for non-repudiation. When BYOK is active, log files are dual-signed:

  • The primary signature (embedded key) proves MTC Skopos generated the file
  • The non-repudiation signature (BYOK key) proves the file was signed by your organization

Auditors can independently verify each signature to confirm both the origin (software) and the authorization (organization).

Signed file format

The __signature__ section is appended as the last field in the log JSON:

{
  "about": { ... },
  "analysis": { ... },
  "ruleset": { ... },
  "datasources": [ ... ],
  "__signature__": {
    "algorithm": "ed25519",
    "key_id": "mtc-v1",
    "checksum": "sha256:b94d27b...",
    "signature": "base64-encoded-ed25519-signature",
    "non_repudiation_signature": {
      "algorithm": "ed25519",
      "key_id": "a1b2c3d4e5f67890",
      "signature": "base64-encoded-non-repudiation-signature"
    }
  }
}

| Field | Description |
|---|---|
| algorithm | Always ed25519 |
| key_id | Identifies the signing key (mtc-v* for the embedded key) |
| checksum | SHA-256 hash of the JSON content excluding __signature__ |
| signature | Base64-encoded Ed25519 signature (software attestation) |
| non_repudiation_signature | Present only when BYOK is active. Contains the organization's signature |

Key rotation

When a new version of MTC Skopos ships with a new embedded key:

  • Files signed with the old key remain verifiable (old public keys are retained)
  • New files are signed with the new key
  • The key_id field identifies which key was used
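
An independent verifier for the signed file format and key rotation behaviour described above, added here as an example and not MTC Skopos code. It assumes the signed bytes are the log without __signature__, re-encoded by Go's encoding/json (the page does not define the canonical encoding), and that the caller supplies a key ring mapping key_id to public key; `sigBlock`, `VerifyLog` and the sample in `main` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type sigBlock struct {
	Algorithm string    `json:"algorithm"`
	KeyID     string    `json:"key_id"`
	Checksum  string    `json:"checksum"`
	Signature string    `json:"signature"`
	OrgSig    *sigBlock `json:"non_repudiation_signature"` // BYOK only
}

// ASSUMPTION: signed bytes are the log minus __signature__, re-encoded by
// encoding/json (top-level keys sorted, whitespace removed).
func VerifyLog(raw []byte, ring map[string]ed25519.PublicKey) error {
	var doc map[string]json.RawMessage
	var s sigBlock
	if json.Unmarshal(raw, &doc) != nil || json.Unmarshal(doc["__signature__"], &s) != nil {
		return fmt.Errorf("not a signed log")
	}
	delete(doc, "__signature__")
	msg, _ := json.Marshal(doc)
	if s.Checksum != fmt.Sprintf("sha256:%x", sha256.Sum256(msg)) {
		return fmt.Errorf("checksum mismatch")
	}
	for b := &s; b != nil; b = b.OrgSig { // primary first, then the BYOK signature if present
		pub, known := ring[b.KeyID] // ring also holds retired keys, so old logs verify
		sig, err := base64.StdEncoding.DecodeString(b.Signature)
		if b.Algorithm != "ed25519" || !known || err != nil || !ed25519.Verify(pub, msg, sig) {
			return fmt.Errorf("signature check failed for key_id %q", b.KeyID)
		}
	}
	return nil
}

func main() { // constructed sample: throwaway key, made-up content
	pub, priv, _ := ed25519.GenerateKey(nil)
	msg := []byte(`{"analysis":{"findings":3}}`)
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg))
	raw := fmt.Sprintf(`{"analysis":{"findings":3},"__signature__":{"algorithm":"ed25519",`+
		`"key_id":"mtc-v1","checksum":"sha256:%x","signature":%q}}`, sha256.Sum256(msg), sig)
	fmt.Println(VerifyLog([]byte(raw), map[string]ed25519.PublicKey{"mtc-v1": pub}))
}
```

In this sketch the __signature__ block sits outside the signed bytes, so a verifier that expects BYOK should also insist that non_repudiation_signature is present rather than treating its absence as a pass.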

Updated on: 2026-03-29
