For your understanding, here is a formal description of the verification process of a proof of existence:
- compute the SHA256 hash of the file
- check that the targetHash property of the proof receipt matches the hash of the file
- check that the proof property of the proof receipt is a valid Merkle proof (see the Chainpoint standard for this step)
- retrieve the Bitcoin transaction from the anchors property of the proof receipt
- check that the OP_RETURN field of the Bitcoin transaction matches the merkleRoot property of the proof receipt
For proof of signature, an additional verification process is performed:
- check that the SHA256 hash of the signature property matches its targetHash property
- check that the signature property is a valid signature of the signedHash property for the public key stored in the pubKey property
- additionally, if an identityURL property is available:
- call identityURL to make the callee sign some random data using the public key pubKey
- check that the returned signature is valid
- get the TLS certificates of the URL (it must be an HTTPS URL) to get insight about the signee’s identity