A PageCrawl tamper-proof web archive carries multiple cryptographic attestations that prove the archive existed at a specific moment in time and has not been altered since. Each layer can be verified independently, offline, by anyone with the proof file and standard public tooling. No PageCrawl account is required to verify.

This guide walks through verifying each layer.

What you need

• The WACZ archive file (archive.wacz).
• One or more sidecar proof files: archive.wacz.ots, archive.wacz.digicert.tsr, archive.wacz.sectigo.tsr, archive.wacz.qtsa.tsr (whichever providers stamped the archive at capture time).
• Either the public verification page link, or these command-line tools installed locally:
  • openssl (most systems have it)
  • The OpenTimestamps client (pip install opentimestamps-client, exposes the ots command)

Verifying the embedded WACZ Auth signature

Every Ultimate-plan archive includes an embedded signedData block inside datapackage-digest.json, conforming to the WACZ Auth specification. The simplest way to verify it is:

1. Open the WACZ in ReplayWeb.page.
2. The viewer renders a verified-signature badge if the embedded signature is intact.

If you prefer to inspect the signature manually, extract datapackage-digest.json from the WACZ zip and read the signedData block. The block contains the signing-service domain, the signature, and an embedded RFC 3161 timestamp.

Verifying the OpenTimestamps Bitcoin anchor

OpenTimestamps anchors a hash of the archive to the Bitcoin blockchain via a calendar server. The proof is verifiable offline against the public blockchain.

ots verify archive.wacz.ots

Output explains whether the proof is fully Bitcoin-anchored, pending confirmation, or invalid. A pending proof typically becomes anchored within a few hours of capture.

If you do not have the OpenTimestamps client installed, see https://opentimestamps.org for installation instructions.

Verifying the DigiCert and Sectigo certified timestamps

DigiCert and Sectigo both issue RFC 3161 timestamp responses, signed by their AATL-rooted Trust Service Provider keys. Verification uses standard OpenSSL.

openssl ts -reply -in archive.wacz.digicert.tsr -text

This prints the timestamp response in human-readable form: the time of stamping, the signing TSP's identity, and the hash bound to the timestamp. Pair it with a chain-validation step against the issuing TSP's public certificate to confirm the signature.

Repeat the same command with archive.wacz.sectigo.tsr for the Sectigo timestamp.

Verifying an eIDAS qualified timestamp (Custom plans)

Custom-plan archives may also include archive.wacz.qtsa.tsr, an eIDAS qualified timestamp under EU Regulation 910/2014 Article 41(2). Verification uses the same OpenSSL command, against the issuing Qualified Trust Service Provider's certificate chain.

openssl ts -reply -in archive.wacz.qtsa.tsr -text

Under Article 41(2), a successful verification gives the archive statutory legal presumption of accuracy of the date and time and of the integrity of the bound data.

The public verification page

Every Ultimate-plan archive can be shared publicly via a signed link generated from the PageCrawl interface. The recipient sees:

• The source URL and capture timestamp.
• The manifest hash.
• A list of every layer that stamped the archive, with download links for the raw proof files and verification command hints.

The verification page does not require an account. It is intended for sharing with regulators, auditors, opposing counsel, or anyone who needs to independently confirm that the archive is genuine.

Why this matters in 2026

Generative AI can produce a plausible screenshot, HTML page, or PDF on demand. A self-stored archive proves nothing on its own. What AI cannot fabricate is a hash anchored to the Bitcoin blockchain, an RFC 3161 timestamp signed by a Trust Service Provider's private key, or a qualified seal from a regulated QTSP. Multi-provider cryptographic attestation is the only practical standard for evidentiary archives in an AI-saturated world.