Validating Manifests
Overview
Whenever Que processes an asset, it validates the manifests in the asset’s manifest store. Validation is critical for proving integrity, catching tampering, and checking credential trust.
Validation runs both on the asset’s active manifest and on any ingredients included in it.
Quickstart: Inspect Validation Results
When you call verify, Que automatically validates
the manifest. Validation issues appear inside the validation_status array.
const result = await client.verifyAsset({
asset: { bucket: "que-assets-dev", key: "uploads/photo.jpg" },
mode: "detailed"
});
console.log(result.report.validationStatus);res = client.verify_asset({
"asset": {"bucket": "que-assets-dev", "key": "uploads/photo.jpg"},
"mode": "detailed"
})
print(res["report"]["validationStatus"])Important
If validation_status is empty, the manifest is valid. Success is represented
by absence of errors, not by a “true” flag.
Common Validation Failures
Validation failures can occur when:
- The asset’s bytes change after signing.
- Claims or assertions are missing or tampered.
- Manifests are signed with an invalid credential.
Example Error Codes
| Code | Description |
|---|---|
assertion.hashedURI.mismatch | A stored hash and actual hash differ |
assertion.dataHash.mismatch | A declared data hash does not match |
signingCredential.untrusted | The signing certificate is not in the trust list |
signingCredential.revoked | The signing certificate has been revoked |
signingCredential.expired | Signing certificate has expired |
Validating Ingredients
Ingredients are validated on import. Their validation status is written to
the ingredient’s own validation_status object.
Don’t assume the top-level manifest covers ingredient validation. Always check the ingredient’s own status separately.
Best Practices
- Always inspect
validation_statusarrays on both manifest and ingredients. - Refresh the trust list regularly.
- Treat missing or revoked credentials as untrusted by default.