Signed snapshots
Every 6 hours the cron writes a signed snapshot of the leaderboard to R2. You can verify that any snapshot matches what SupplierSpy signed without trusting the Worker that serves it, as long as you record the key fingerprint once and compare later downloads against that saved copy rather than re-fetching it from the same origin each time.
What you need
- The public key — /.well-known/jwks.json (JWK format, ECDSA P-256).
- The fingerprint — /.well-known/trust.txt (one line of the form sha256:<32-hex>). Verify the JWKS matches this fingerprint before trusting the key.
- A signed snapshot — pick any date below. Each has a paired .sig file.
How to verify
Every snapshot is signed over its canonical JSON (keys sorted) using ECDSA P-256 with SHA-256 (JOSE alg ES256). The .sig file carries the signature in JOSE form: the 64 raw bytes r||s, base64url-encoded, so any ES256-capable verifier works (WebCrypto, a JOSE library, or OpenSSL once you convert r||s to DER). The code below verifies the exact bytes served, which is only correct when the file you hold is the canonical form the Worker signed; if you have re-serialized or pretty-printed it, canonicalize again before verifying. Pseudocode:
// Browser or Node 20+ (run inside an ES module or async function; crypto, fetch,
// atob and TextEncoder are globals in both)
const BASE = 'https://supplierspy.com';
const PINNED_FINGERPRINT = 'sha256:<32-hex>'; // the trust.txt line you recorded once, not re-fetched
const jwksText = await (await fetch(`${BASE}/.well-known/jwks.json`)).text();
// Pin check before the key is used. Assumes the fingerprint is SHA-256 over the JWKS document bytes.
const digest = new Uint8Array(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(jwksText)));
const fingerprint = 'sha256:' + [...digest].map(b => b.toString(16).padStart(2, '0')).join('');
if (fingerprint !== PINNED_FINGERPRINT) throw new Error('JWKS does not match pinned trust.txt fingerprint');
const pub = await crypto.subtle.importKey('jwk', JSON.parse(jwksText).keys[0],
  { name: 'ECDSA', namedCurve: 'P-256' }, false, ['verify']);
const body = await (await fetch(`${BASE}/snapshots/DATE.json`)).text();
const sigJson = await (await fetch(`${BASE}/snapshots/DATE.json.sig`)).json();
// ES256 signatures are raw r||s (64 bytes) in unpadded base64url; atob wants standard base64.
const b64 = sigJson.signature.replace(/-/g, '+').replace(/_/g, '/');
const sigBytes = Uint8Array.from(atob(b64 + '='.repeat((4 - b64.length % 4) % 4)), c => c.charCodeAt(0));
if (sigBytes.length !== 64) throw new Error('expected a 64-byte r||s ES256 signature');
const ok = await crypto.subtle.verify({ name: 'ECDSA', hash: 'SHA-256' },
  pub, sigBytes, new TextEncoder().encode(body));
// ok === true means this snapshot was signed by the key behind the pinned fingerprint