Tresor Trust Bundles

Signed JSON documents that pin Tresor's HTTPS endpoints to specific AMD SEV-SNP‑attested binaries.

Each file under /api/ is a JWS compact serialisation (EdDSA / Ed25519) issued by Tresor's offline release-root key. SDKs and the tresor-verify CLI fetch these to learn which workload measurements and identity tags are currently trusted.

Endpoints

Verifying a bundle

Bundles are signed with a long-lived Ed25519 key whose raw public form ships inside every Tresor SDK release. To check a bundle by hand:

curl -s https://trust.tresor.co/api/router.json \
  | tresor-verify trust-bundle --release-root release-root.pub -

Specification