{
  "trust_root_path": "/trust-root.json",
  "trust_root_sha256": "033744205ea448253023a090086c48e2096d11e3d71d39b73cd6f19477be682c",
  "signature_alg": "Ed25519",
  "signature_hex": "8b51f257c543ccc1adb0a9d6e693c05ddecc18e2c13d97436f0808e0549e9aeec16c6b7a71d21649cd3b17b9e8bfd72ecd728bbe61360896fc3b5b6ca5b3b20d",
  "signed_by": "urn:crovia:seal-issuer:crovia-trust",
  "verification": "1) Fetch /trust-root.json (raw bytes). 2) Verify Ed25519(signature_hex) over those bytes using the issuer.pubkey field of the trust-root itself. Self-signing demonstrates non-tamper since issuance; pin the pubkey out-of-band for first-trust."
}