
Evidence Bundle Export

Export the signed audit chain for a Jira project as a self-contained ZIP bundle that can be verified offline — no internet connection, no Attestsys account required.


What the bundle contains

Each export bundle is a ZIP archive containing:

| File | Contents |
| --- | --- |
| manifest.json | Bundle metadata: tenant ID, export timestamp, entry count, chain head hash |
| entries/ | One JSON file per audit chain entry, containing the signed payload, ECDSA signature (DER-encoded), RFC 3161 timestamp token (DER-encoded), and chain linkage hashes |
| public-keys/ | The ECDSA public key(s) used to sign entries in this bundle, in PEM format |
| tsa-certs/ | The certificate chain(s) of the RFC 3161 timestamp authority (TSA) that issued the timestamp tokens |
| cover.pdf | A human-readable PDF cover page listing the bundle metadata, entry count, verification summary, and an admissibility statement |
| verify.html | A self-contained offline verifier: open in any browser to verify every signature and chain link without any server calls |

Downloading a bundle


Bundles are downloaded from the Admin page of the Forge app. Click Download Evidence Bundle to generate and download the current chain. The admin page shows how many exports have been used in the current calendar month.

On the free tier, the maximum is 10 bundle exports per calendar month (UTC, aligned with the Atlassian Marketplace billing cycle). A counter on the admin page shows the current usage and the reset date. Attempting an 11th export returns a quota-exceeded message with the reset date.


Verifying offline with verify.html

  1. Unzip the bundle
  2. Open verify.html in any modern browser (Chrome, Firefox, Safari, Edge)
  3. The verifier runs entirely locally — no network requests are made
  4. Each entry is verified for:
    • Valid ECDSA secp256k1 signature against the included public key
    • Correct SHA-256 hash chain linkage to the previous entry
    • Presence of a valid RFC 3161 timestamp token (structure only — TSA revocation checks require network access)
  5. The summary shows a pass/fail count and highlights any failed entries
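
The signature and chain-linkage checks from step 4, sketched in Node.js as an added example (not Attestsys code and not the logic inside verify.html). The entry field names, the all-zero genesis hash and the rule that an entry hash is SHA-256 over the previous hash plus the payload are assumptions, since this page does not document the bundle's JSON schema; the sample key and chain are constructed, and RFC 3161 token parsing is left out.

```javascript
// Added example: field names and hash layout are assumptions, not the Attestsys schema.
const crypto = require('node:crypto');

const sha256Hex = (s) => crypto.createHash('sha256').update(s).digest('hex');
const GENESIS = '0'.repeat(64); // assumed prevHash of the first entry

// Constructed sample data: signs each payload and links it to the previous entry.
function buildSampleChain(privateKey, payloads) {
  let prevHash = GENESIS;
  return payloads.map((payload) => {
    // crypto.sign emits a DER-encoded ECDSA signature by default.
    const signature = crypto.sign('sha256', Buffer.from(payload), privateKey).toString('base64');
    const entry = { payload, signature, prevHash, entryHash: sha256Hex(prevHash + payload) };
    prevHash = entry.entryHash;
    return entry;
  });
}

// Checks every entry's signature and linkage, then the chain head from the manifest.
function verifyChain(entries, publicKeyPem, expectedHead) {
  let prevHash = GENESIS;
  const results = entries.map((e, index) => {
    let signatureOk = false;
    try {
      signatureOk = crypto.verify('sha256', Buffer.from(e.payload), publicKeyPem,
        Buffer.from(e.signature, 'base64'));
    } catch { /* malformed signature or key counts as a failure */ }
    const linkOk = e.prevHash === prevHash &&
      e.entryHash === sha256Hex(e.prevHash + e.payload);
    prevHash = e.entryHash; // follow stored hashes so one bad entry is reported once
    return { index, signatureOk, linkOk };
  });
  const failed = results.filter((r) => !r.signatureOk || !r.linkOk).map((r) => r.index);
  // A head mismatch catches entries removed from the end of the chain.
  return { results, failed, headOk: prevHash === expectedHead };
}

// Throwaway secp256k1 key and a three-entry chain, both constructed for this example.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
const chain = buildSampleChain(privateKey, ['issue created', 'status changed', 'issue closed']);
const head = chain[chain.length - 1].entryHash;
console.log(verifyChain(chain, publicKeyPem, head));
```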

Admissibility statement

The cover.pdf includes an admissibility statement. The correct framing per KGA-DEC-001 is:

"This evidence bundle is tamper-evident, independently verifiable, and designed to support authentication in audit and legal contexts under eIDAS Art. 41 (qualified electronic timestamps) and Art. 35(2) (qualified electronic seals), German ZPO §371a, US FRE 902(13)(14), and UK Civil Evidence Act 1995 §8 / Electronic Communications Act 2000 §7."

The bundle does not claim automatic court admissibility. Admissibility determinations are made by courts. The cryptographic properties of the bundle reduce the authentication burden and support a rebuttable presumption (when QTSP-backed qualified timestamps are used at paid tiers).

⚠️ LEGAL REVIEW REQUIRED — The exact wording of the admissibility statement in cover.pdf must be reviewed by a qualified legal professional before the app is listed on the Marketplace or used in live legal proceedings.


Free tier watermark

On the free tier, bundle exports include a watermark in the cover.pdf indicating "Generated on Attestsys Free Tier — FreeTSA non-qualified timestamp". This is accurate labelling — FreeTSA timestamps are not issued by an eIDAS-listed QTSP and do not carry the qualified presumption. Upgrade to a paid tier for QTSP-backed qualified timestamps.