Quick Start — Use the Tinfoil verifier to verify any Tinfoil enclave. The verifier is available as a Go command-line tool.You can also experience enclave verification through our interactive UI at chat.tinfoil.sh.
Overview
This guide explains how to verify that Tinfoil enclaves are running the exact code they claim to run. Enclave verification ensures that your data is processed only by verified, open-source code running in secure hardware environments.New to Verification? For background on verification architectures and modes, see Attestation Architecture and Verification Comparison.
The Three-Step Verification Process
Tinfoil’s verification process confirms three critical security properties:1
Enclave Runtime Check
Verify the enclave is running in secure hardware by validating attestations from AMD or NVIDIA
2
Code Integrity Check
Verify the source code was built correctly by checking GitHub Actions and Sigstore signatures
3
Binary Consistency Check
Ensure the code running in the enclave matches the published open-source code
Automatic Verification with SDKs
All Tinfoil SDKs automatically perform connection-time (in-band) verification when you connect to an enclave. This means every request is verified before sending sensitive data.Using the Verifier
For audit-time verification or manual inspection, use the Tinfoil verifier, a Go command-line tool that performs comprehensive enclave verification. The verifier is also integrated into Tinfoil Chat to provide transparent verification of the private chat service.The verifier performs audit-time verification for inspection and auditing. For production integrations, the native SDKs provide automatic connection-time verification.
Verifying a Model Enclave
-
Install the verifier:
-
Run verification:
Parameters:
- -repo: The GitHub repository path (e.g.,
tinfoilsh/confidential-llama3-3-70b) - -url: The enclave hostname (e.g.,
llama3-3-70b.model.tinfoil.sh)
- -repo: The GitHub repository path (e.g.,
- The verifier will perform all three verification steps automatically
Understanding Verification Results
When verification succeeds, you’ll see output like:- Source: The measurement from GitHub’s build process
- Enclave: The measurement from the running enclave
- Certificate fingerprint: The TLS certificate bound to the enclave
- Matching measurements: Source and Enclave values are identical
How It Works
1. Enclave Runtime Verification
The verifier fetches an attestation document from:- A measurement (hash) of the code running in the enclave
- A signature from the hardware manufacturer (AMD SEV-SNP or NVIDIA)
- The TLS certificate fingerprint used for end-to-end encryption
Technical Detail: For audit-time verification, Tinfoil embeds the CPU attestation into the Subject Alternative Name (SAN) field of the TLS certificate, creating an immutable audit trail through Certificate Transparency logs. This binds the HTTPS connection to the attested enclave. See Verification Comparison for more details.
2. Code Integrity Verification
The verifier checks that the source code was properly built:- GitHub Release: Fetches the release metadata containing the expected measurement
- Sigstore Verification: Validates GitHub’s signature on the build artifacts
- Transparency Log: Confirms the build appears in Sigstore’s immutable audit log
3. Consistency Verification
Finally, the verifier compares:- The enclave measurement from the hardware attestation
- The build measurement from GitHub/Sigstore
Source Code: The verifier is open source at tinfoilsh/verifier
Understanding Proxies and Security
The verifier uses several proxies to prevent rate limiting:GitHub Proxy
github-proxy.tinfoil.sh - Caches GitHub release data
✅ Safe to use: Data is verified through Sigstore’s transparency logs✅ Cannot forge attestations due to cryptographic verification
AMD KDS Proxy
kds-proxy.tinfoil.sh - Caches AMD attestation certificates
✅ Safe to use: Root AMD certificate is embedded in verifier code✅ Full certificate chain validation prevents forgery
💡 Can be replaced with direct AMD server access if preferred
What Verification Guarantees
✅ The enclave is running in genuine secure hardware✅ The exact open-source code version is executing
✅ Data is end-to-end encrypted to the verified enclave
✅ Code hasn’t been tampered with since GitHub built it
What Verification Doesn’t Guarantee
❌ Protection against certain side-channel attacks❌ Security of the application code itself
❌ Protection if GitHub Actions infrastructure is compromised
❌ Defense against physical attacks on the hardware
Learn More
To better understand how Tinfoil addresses these limitations, read our blog:- What about side-channels? - How Tinfoil mitigates sophisticated side-channel attacks
- How Tinfoil Builds Trust - Our comprehensive approach to verifiable security
- Shrinking Complexity Risks - Reducing the attack surface of AI cloud deployments