Dev.to
6/26/2026

Don't Trust the Checkmark: Verifying Agent Provenance From the Outside
Short summary
Agent-trust checkmarks are often self-attestation rather than true verification—signed and verified by the issuer on their own server. The article demonstrates real external verification using cryptography: a checkmark is meaningful only if strangers can re-derive it without the issuer's code. Multi-signature chains appear credible but are one witness if signers use identical evidence; true independence requires diverse, content-addressed sources.
- •Checkmarks from the issuer's /verify page are self-attestation, not independent verification
- •Real verification requires strangers to re-derive verdicts using cryptography alone (ed25519 signatures), without running issuer code
- •Multiple signatures are one witness if they share the same evidence; independence requires content-addressed diversity
Generated with AI, which can make mistakes.
Is this a good recommendation for you?



