{
  "@context": "https://schema.org",
  "@type": "DigitalDocument",
  "name": "RightsDocket Signing Keys",
  "description": "Canonical list of public signing keys used by RightsDocket to sign copyright-provenance assertions. Each assertion produced by RightsDocket is signed with one of the keys listed here; verifiers MUST match the assertion's signature against a key in this file.",
  "issuer": {
    "@type": "Organization",
    "name": "RightsDocket",
    "url": "https://www.rightsdocket.com"
  },
  "dateModified": "2026-05-06",
  "jwks_uri": "https://www.rightsdocket.com/.well-known/jwks.json",
  "verification_url": "https://www.rightsdocket.com/verify",
  "keys": [
    {
      "key_id": "rd-sign-2026-05-06",
      "algorithm": "Ed25519",
      "status": "active",
      "activation_date": "2026-05-06",
      "expiration_date": null,
      "use": "provenance-signing",
      "fingerprints": {
        "sha256-der": "c8fcdf45912728467a54224a7a93220800bc0947583c70753d17df5bfc15bc9e",
        "sha256-base64-string": "51ff0e723bf96bd4925b3fdd278ca303e048402d41e1297246104d8a41acd62c"
      },
      "compliance": {
        "c2pa": {
          "compatible": true,
          "manifest_signature_format": "ed25519"
        },
        "eu_ai_act": {
          "article_50_disclosure": true,
          "transparency_obligation": "RightsDocket signs every provenance assertion under this key. Operators of generative AI systems can verify origin claims without contacting RightsDocket."
        },
        "rfc_3161_timestamp_authority": {
          "default": "https://freetsa.org/tsr",
          "configurable_via_env": "TSA_URL"
        }
      }
    }
  ],
  "rotation_policy": {
    "minimum_validity_days": 365,
    "advance_notice_days": 30,
    "rotation_announcement_url": "https://www.rightsdocket.com/.well-known/signing-keys-changelog",
    "key_revocation_url": "https://www.rightsdocket.com/.well-known/revoked-keys"
  },
  "verification_instructions": {
    "summary": "To verify a RightsDocket assertion: (1) Extract the signature and the key_id from the assertion. (2) Look up the matching key in this file by key_id. (3) Compute SHA-256 of the assertion payload. (4) Verify the Ed25519 signature using the public key bytes (see jwks_uri for raw key material).",
    "code_example_url": "https://github.com/abasuprab-png/rightsdocket-verifier",
    "supported_libraries": ["@noble/ed25519", "PyNaCl", "openssl pkeyutl -verify", "Go crypto/ed25519"]
  }
}