How verification works:
1. All fields except attestation are serialized as JSON (sorted keys, UTF-8).
2. A SHA-256 hash is computed and compared to the stored content_hash.
3. The RSA-2048 signature is verified against the TPM2 public signing key.
The signing key lives inside a Nuvoton NPCT75x TPM chip. The private key never leaves the hardware.
All verification happens locally in your browser — no data is sent anywhere.
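The three steps above written against the browser's Web Crypto API, as an added example that is not the project's own code. It assumes that `content_hash` (hex) and `signature` (base64) are stored inside `attestation`, that the JSON uses compact separators with keys sorted at every nesting level, and that the signature is RSASSA-PKCS1-v1_5 with SHA-256 over the canonical bytes; the page states none of these details.

```javascript
// Added example. Field names, encodings and the signature scheme are assumptions.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

// Step 1: JSON with keys sorted at every level and compact separators (assumed form).
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');
const fromBase64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// publicKeySpki: DER SubjectPublicKeyInfo bytes of the TPM signing key, supplied by
// the caller from a trusted source and never read from the record itself.
async function verifyRecord(record, publicKeySpki) {
  const { attestation, ...content } = record; // everything except attestation
  if (!attestation || typeof attestation.content_hash !== 'string' ||
      typeof attestation.signature !== 'string') {
    return { ok: false, reason: 'missing attestation' };
  }
  const bytes = new TextEncoder().encode(canonicalize(content)); // UTF-8

  // Step 2: recompute SHA-256 and compare with the stored content_hash.
  const digest = toHex(await subtle.digest('SHA-256', bytes));
  if (digest !== attestation.content_hash.toLowerCase()) {
    return { ok: false, reason: 'hash mismatch' };
  }

  // Step 3: verify the RSA signature with the public signing key.
  const alg = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };
  const key = await subtle.importKey('spki', publicKeySpki, alg, false, ['verify']);
  if (key.algorithm.modulusLength !== 2048) {
    return { ok: false, reason: 'unexpected key size' };
  }
  const valid = await subtle.verify(alg.name, key, fromBase64(attestation.signature), bytes);
  return valid ? { ok: true, reason: 'verified' } : { ok: false, reason: 'bad signature' };
}
```

The hash covers exact bytes, so the canonical form has to match the signer's serializer byte for byte, and a hash match alone proves nothing until the signature check in step 3 also passes.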
github.com/sumee-sage/sumee-sage