Quick Start — Visit tinfoil.sh/verifier to verify any Tinfoil enclave directly in your browser. No installation required.

You can also use our interactive enclave verification UI by visiting chat.tinfoil.sh.

Overview

This guide explains how to verify that Tinfoil enclaves are running the exact code they claim to run. Enclave verification ensures that your data is processed only by verified, open-source code running in secure hardware environments.

New to Verification? For background on verification architectures and modes, see Attestation Architecture and Verification Comparison.

You can also read David Gobaud’s excellent blog post that walks through Tinfoils verification process step-by-step, demonstrating how our fully open-source approach enables true verifiable confidential AI.

The Three-Step Verification Process

Tinfoil’s verification process confirms three critical security properties:

1

Enclave Runtime Check

Verify the enclave is running in secure hardware by validating attestations from AMD or NVIDIA

2

Code Integrity Check

Verify the source code was built correctly by checking GitHub Actions and Sigstore signatures

3

Binary Consistency Check

Ensure the code running in the enclave matches the published open-source code

Using the Web Verifier

The easiest way to verify a Tinfoil enclave is through the web verifier, which runs entirely in your browser using WebAssembly. This same verifier is integrated into Tinfoil Chat to provide transparent verification of the private chat service.

Verifying a Model Enclave

  1. Open the verifier: Navigate to tinfoil.sh/verifier

  2. Enter the repository and URL:

    • Repository: The GitHub repository path (e.g., tinfoilsh/confidential-llama3-3-70b)
    • URL: The enclave hostname (e.g., llama3-3-70b.model.tinfoil.sh)

    Find repository and enclave URLs for all models in our Model Catalog

  3. Click Verify: The verifier will perform all three verification steps automatically

Understanding Verification Results

When verification succeeds, you’ll see output like:

2025/06/28 12:16:45 Loading verifier-js v0.0.6
2025/06/28 12:16:45 Fetching attestation from https://llama3-3-70b.model.tinfoil.sh/.well-known/tinfoil-attestation...
2025/06/28 12:16:45 Fetching latest release for tinfoilsh/confidential-llama3-3-70b
2025/06/28 12:16:45 Found latest release v0.0.10
2025/06/28 12:16:45 Fetching bundle from https://gh-attestation-proxy.tinfoil.sh/...
2025/06/28 12:16:45 Verifying attestation...
2025/06/28 12:16:45 Enclave attested certificate fingerprint: aaaa075e4f617bc6220cc5a91c75ffdb40f55e590143358ab7a0f9a5455884dd
2025/06/28 12:16:45 Source: 2f8500d3a9b0d2e55a20eeb550a3c88cc60f8db86c8329d130ea0f67cfd9c419e5b61611b1435008e35eaef41febf324
2025/06/28 12:16:45 Enclave: 2f8500d3a9b0d2e55a20eeb550a3c88cc60f8db86c8329d130ea0f67cfd9c419e5b61611b1435008e35eaef41febf324
2025/06/28 12:16:45 Verification successful! ✅

Key elements:

  • Source: The measurement from GitHub’s build process
  • Enclave: The measurement from the running enclave
  • Certificate fingerprint: The TLS certificate bound to the enclave
  • Matching measurements: Source and Enclave values are identical

How It Works

1. Enclave Runtime Verification

The verifier fetches an attestation document from:

https://<enclave-url>/.well-known/tinfoil-attestation

This attestation contains:

  • A measurement (hash) of the code running in the enclave
  • A signature from the hardware manufacturer (AMD SEV-SNP or NVIDIA)
  • The TLS certificate fingerprint used for end-to-end encryption

The verifier validates this attestation against AMD or NVIDIA’s certificate chains, confirming the enclave is genuine.

Technical Detail: For audit-time verification, Tinfoil embeds the CPU attestation into the Subject Alternative Name (SAN) field of the TLS certificate, creating an immutable audit trail through Certificate Transparency logs. This binds the HTTPS connection to the attested enclave. See Verification Comparison for more details.

2. Code Integrity Verification

The verifier checks that the source code was properly built:

  1. GitHub Release: Fetches the release metadata containing the expected measurement
  2. Sigstore Verification: Validates GitHub’s signature on the build artifacts
  3. Transparency Log: Confirms the build appears in Sigstore’s immutable audit log

This uses GitHub’s Artifact Attestation feature to prove the code was built by GitHub Actions.

3. Consistency Verification

Finally, the verifier compares:

  • The enclave measurement from the hardware attestation
  • The build measurement from GitHub/Sigstore

If they match, it proves the enclave is running the exact open-source code that was built and signed by GitHub Actions.

Programmatic Verification

Web Applications

Include the verifier in your web application:

<script src="https://tinfoil.sh/verifier/wasm_exec.js"></script>
<script src="https://tinfoil.sh/verifier/main.js"></script>

<script>
// Load the verifier
fetch("https://tinfoil.sh/verifier/tinfoil-verifier.tag")
  .then(response => response.text())
  .then(version => {
    const go = new Go();
    WebAssembly.instantiateStreaming(
      fetch(`https://tinfoil.sh/verifier/tinfoil-verifier-${version}.wasm`), 
      go.importObject
    ).then((result) => {
      go.run(result.instance);
      
      // Verify an enclave
      verifyEnclave("llama3-3-70b.model.tinfoil.sh")
        .then(result => {
          console.log("Verification successful!");
          console.log("Measurement:", result.measurement);
          console.log("Certificate:", result.certificate);
        })
        .catch(err => {
          console.error("Verification failed:", err);
        });
    });
  });
</script>

Source Code: The verifier is open source at tinfoilsh/verifier-js

Understanding Proxies and Security

The verifier uses several proxies to prevent rate limiting:

GitHub Proxy

github-proxy.tinfoil.sh - Caches GitHub release data

  • Safe to use: Data is verified through Sigstore’s transparency logs
  • ✅ Cannot forge attestations due to cryptographic verification

AMD KDS Proxy

kds-proxy.tinfoil.sh - Caches AMD attestation certificates

  • Safe to use: Root AMD certificate is embedded in verifier code
  • ✅ Full certificate chain validation prevents forgery
  • 💡 Can be replaced with direct AMD server access if preferred

What Verification Guarantees

✅ The enclave is running in genuine secure hardware
✅ The exact open-source code version is executing
✅ Data is end-to-end encrypted to the verified enclave
✅ Code hasn’t been tampered with since GitHub built it

What Verification Doesn’t Guarantee

❌ Protection against certain side-channel attacks
❌ Security of the application code itself
❌ Protection if GitHub Actions infrastructure is compromised
❌ Defense against physical attacks on the hardware

Learn More: To better understand how Tinfoil addresses these limitations, read our blog: