nside_wefa.audit.management.commands.wefa_audit_verify
manage.py wefa_audit_verify — walk the tamper-evident hash chain.
Verification has two layers:
Self-consistency: every row must satisfy hash == sha256(content || prev_hash). Checked on every row, including the first one in the verification window.
Chain link: each row’s prev_hash must equal the previous row’s hash. Checked from the second row of the window onward.
The first row of the verification window is treated as an anchor — its
stored prev_hash is trusted as-is. This is what lets the command remain
useful after wefa_audit_purge deletes old rows: the new earliest row
will keep a non-zero prev_hash pointing at a row that no longer exists,
and we can no longer follow that link, but we can still detect any
post-anchor tampering.
If you need to assert that the original chain origin (a row whose
prev_hash is the all-zeros sentinel) is still present, pass
--strict-head.
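The two layers and the anchor rule can be sketched as follows. This is an added example, not nside_wefa's own code: the Row fields, the hex encoding, the 64-character width of the zero sentinel, and the names row_hash, build_chain and verify_window are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

ZERO = "0" * 64  # assumed encoding of the all-zeros sentinel (hex, SHA-256 width)


@dataclass
class Row:  # hypothetical stand-in for an audit row
    content: bytes
    prev_hash: str
    hash: str


def row_hash(content: bytes, prev_hash: str) -> str:
    # hash == sha256(content || prev_hash), as the page states it
    return hashlib.sha256(content + bytes.fromhex(prev_hash)).hexdigest()


def build_chain(contents, origin=ZERO):
    rows, prev = [], origin
    for c in contents:
        h = row_hash(c, prev)
        rows.append(Row(c, prev, h))
        prev = h
    return rows


def verify_window(rows, strict_head=False):
    """Return (index, problem) pairs for the window; an empty list means intact."""
    problems = []
    # With strict_head, the window must start at the chain origin.
    if strict_head and rows and rows[0].prev_hash != ZERO:
        problems.append((0, "origin-missing"))
    for i, row in enumerate(rows):
        # Layer 1: self-consistency, checked on every row including the anchor.
        if row.hash != row_hash(row.content, row.prev_hash):
            problems.append((i, "self-inconsistent"))
        # Layer 2: chain link, checked from the second row onward. The anchor's
        # prev_hash is trusted as-is, so a purged predecessor is not an error.
        if i > 0 and row.prev_hash != rows[i - 1].hash:
            problems.append((i, "broken-link"))
    return problems


# Constructed sample data: a five-row chain and the window left after a purge.
CHAIN = build_chain([b"login alice", b"update 7", b"delete 7", b"export", b"logout"])
PURGED = CHAIN[2:]
```

Editing a row's content without recomputing its hash trips the self-consistency check on that row; recomputing the hash instead moves the failure to the next row's chain link.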
Classes
Verify the integrity of the tamper-evident hash chain.