# Sovrient EU AI Act Verifier Runbook v0

This runbook is the shortest path for a reviewer to verify the published EU AI Act v1.0 verifier
bundle. It does not require trusting the model or the bundle producer; it does require the published
Sovrient source-twin digest, the named repository commits, and the release-key fingerprint.

## Preconditions

- Python 3.11 or newer
- `pip`
- `gpg`
- `curl`
- `sha256sum`
- sibling checkouts of `ai-act-agent` and `ai-act-skills`
- public GPG key for fingerprint `231DF589D89C25FAD7A8E8E685F9BA1E0016C226`

Before relying on the signature, compare the full fingerprint against this verifier page, `KEY_POLICY.md`,
and an out-of-band source.

## Commands

Run from the `ai-act-agent` checkout:

```bash
gpg --keyserver hkps://keys.openpgp.org \
  --recv-keys 231DF589D89C25FAD7A8E8E685F9BA1E0016C226
python3 -m pip install -r requirements-dev.txt
curl -O https://www.sovrient.com/standards/eu/ai-act/1.0/verifier/ai-act-article-113-annex-iii-33aeab7.tar.gz
curl -O https://www.sovrient.com/standards/eu/ai-act/1.0/verifier/ai-act-article-113-annex-iii-33aeab7.tar.gz.sha256
sha256sum -c ai-act-article-113-annex-iii-33aeab7.tar.gz.sha256
tar -xzf ai-act-article-113-annex-iii-33aeab7.tar.gz
gpg --verify ai-act-article-113-annex-iii-33aeab7/manifest.json.sig \
  ai-act-article-113-annex-iii-33aeab7/manifest.json
python3 -m ai_act_agent.cli verify ai-act-article-113-annex-iii-33aeab7 \
  --require-eval \
  --require-signature
```

## Expected Result

The strict verifier should return `PASS`, the published manifest digest, the published report digest,
and an empty `check_reasons` object.

```json
{
  "result": "PASS",
  "manifest_digest": "sha256:0f12848f9ed6f70392ec51a9531ac3782df7f6a6bb138aaca410c02149b25870",
  "report_digest": "sha256:c9437298367448e82bca2b9db858e1dd675a79a0f40090d6cea7eb292933fb6d",
  "check_reasons": {}
}
```

## Common Failures

- `sha256sum -c` fails: the archive or sidecar bytes do not match the published digest. Re-download both
  files and retry before treating the bundle as valid.
- `gpg --verify` fails: the manifest signature does not verify against the imported key. Confirm the
  full fingerprint and do not rely on the signer attribution until resolved.
- `verify` returns `FAIL`: inspect `check_reasons`. A failing replay check invalidates the strict
  verifier result for this bundle.
- `ModuleNotFoundError` or dependency errors: confirm `ai-act-agent` and `ai-act-skills` are sibling
  checkouts and rerun `python3 -m pip install -r requirements-dev.txt`.
- `source_twin_digest_match` fails: the locally installed `ai-act-skills` source twin does not match the
  digest named by the manifest.
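The checks a reviewer wraps around the commands above (pinning the release-key fingerprint, redoing the sidecar digest comparison, and accepting the verifier's JSON only when it is `PASS` with the published digests and an empty `check_reasons`) can be scripted. The following is an added example, not code from `ai-act-agent`; the function names are assumptions and the two sample verifier outputs are constructed, while the fingerprint and digests are the values published on this page. The fingerprint comparison matters because `gpg --verify` reports a good signature for any key in the keyring, so it is the comparison, not the "Good signature" line, that ties the manifest to the named release key.

```python
"""Reviewer-side checks around the strict verifier.

Added example, not part of ai-act-agent: the function names are
assumptions, the sample outputs below are constructed, and only the
fingerprint and digests are the values published on the runbook page.
"""
import hashlib
import json
import re

# Published values from the runbook page.
RELEASE_KEY_FINGERPRINT = "231DF589D89C25FAD7A8E8E685F9BA1E0016C226"
EXPECTED_MANIFEST_DIGEST = "sha256:0f12848f9ed6f70392ec51a9531ac3782df7f6a6bb138aaca410c02149b25870"
EXPECTED_REPORT_DIGEST = "sha256:c9437298367448e82bca2b9db858e1dd675a79a0f40090d6cea7eb292933fb6d"

# Constructed verifier outputs (the PASS case copies the page's expected result).
SAMPLE_PASS_OUTPUT = json.dumps({
    "result": "PASS",
    "manifest_digest": EXPECTED_MANIFEST_DIGEST,
    "report_digest": EXPECTED_REPORT_DIGEST,
    "check_reasons": {},
})
SAMPLE_FAIL_OUTPUT = json.dumps({
    "result": "FAIL",
    "manifest_digest": EXPECTED_MANIFEST_DIGEST,
    "report_digest": EXPECTED_REPORT_DIGEST,
    "check_reasons": {"source_twin_digest_match": "local source twin digest differs from manifest"},
})


def fingerprint_matches(observed: str) -> bool:
    """Compare a fingerprint as gpg prints it (grouped, any case) to the pinned value.

    `gpg --verify` reports a good signature for any key in the keyring; this
    comparison is what ties the signature to the named release key.
    """
    normalized = re.sub(r"\s+", "", observed).upper()
    return len(normalized) == 40 and normalized == RELEASE_KEY_FINGERPRINT


def sidecar_matches(archive_name: str, archive_bytes: bytes, sidecar_text: str) -> bool:
    """Redo what `sha256sum -c` does for a one-line sidecar: '<hex>  <name>'."""
    first = sidecar_text.strip().splitlines()[0] if sidecar_text.strip() else ""
    expected_hex, sep, name = first.partition("  ")
    if not sep:
        return False
    if name.lstrip("*") != archive_name:  # sha256sum prefixes binary-mode names with '*'
        return False
    actual_hex = hashlib.sha256(archive_bytes).hexdigest()
    return actual_hex == expected_hex.strip().lower()


def strict_result_ok(verifier_output: str) -> tuple[bool, list[str]]:
    """Accept only PASS with the published digests and an empty check_reasons.

    Returns (ok, reasons); reasons lists every mismatch so a reviewer sees all
    of them at once instead of stopping at the first.
    """
    data = json.loads(verifier_output)
    reasons: list[str] = []
    if data.get("result") != "PASS":
        reasons.append(f"result is {data.get('result')!r}, expected 'PASS'")
    if data.get("manifest_digest") != EXPECTED_MANIFEST_DIGEST:
        reasons.append("manifest_digest differs from the published value")
    if data.get("report_digest") != EXPECTED_REPORT_DIGEST:
        reasons.append("report_digest differs from the published value")
    for check, reason in (data.get("check_reasons") or {}).items():
        reasons.append(f"{check}: {reason}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed archive bytes; the sidecar line is in sha256sum's own format.
    blob = b"abc"
    sidecar = hashlib.sha256(blob).hexdigest() + "  bundle.tar.gz\n"
    print("fingerprint:", fingerprint_matches("231D F589 D89C 25FA D7A8  E8E6 85F9 BA1E 0016 C226"))
    print("sidecar:", sidecar_matches("bundle.tar.gz", blob, sidecar))
    print("pass sample:", strict_result_ok(SAMPLE_PASS_OUTPUT))
    print("fail sample:", strict_result_ok(SAMPLE_FAIL_OUTPUT))
```

In use, `observed` would be the `Primary key fingerprint` line from the `gpg --verify` output, `sidecar_text` the contents of the `.sha256` file, and `verifier_output` the JSON printed by `python3 -m ai_act_agent.cli verify`; anything other than `(True, [])` from `strict_result_ok` means the bundle has not been verified under the strict profile.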

## What It Proves

A passing strict verification proves that the downloaded bundle bytes match their sidecars, the manifest
and graph digests replay, cited evidence resolves against the published EU AI Act v1.0 source twin,
validation predicates pass, the eval report replays, and the manifest signature verifies against the
named release key.

It does not prove that a system is compliant with the EU AI Act, that a conformity assessment has
occurred, that regulators endorse the result, or that the bundle is an official benchmark score.
