When you opened the Private by design panel before today, Tresor showed you a hardware-signed proof that your message was processed inside a sealed environment. That proof now carries one extra piece of information that matters: which exact version of Tresor was running inside that sealed environment.
Every sealed environment now signs its identity — the workload name, the release version, and the exact image it was built from — and that identity is folded into the same hardware-signed proof you already see. The verifier that releases keys to the environment refuses to release them unless that identity check passes too. There is no longer a separate, after-the-fact check that could be skipped or bypassed.
The proof you can inspect in the Private by design panel now binds the answer you got to a specific, signed Tresor build — not just to "some Tresor running on sealed hardware."
A compromised host or a swapped container cannot quietly pass itself off as a genuine Tresor release. Without a release-signed identity for that build, the sealed environment is not allowed to start handling your traffic at all.
🔒 Privacy: This change is about adding evidence, not about collecting more data. Nothing about your messages or files is included in the proof.
The full architecture, threat model, and verifier algorithm are public. See the Attestation Pinning guide and the open-source verifier SDKs at tresor-attest (Go, Python, TypeScript).
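An added example, not Tresor's code or the tresor-attest SDK: a minimal key-release gate of the kind described above, where the signed identity is bound into the hardware report and every check must pass before keys are released. The evidence layout, the hashing of the identity into a `report_data` field, the keys and the identity values are assumptions constructed for illustration, and HMAC-SHA256 stands in for the real hardware and release signature schemes.

```python
import hashlib, hmac, json

# Constructed demo keys. HMAC-SHA256 is a stand-in for both signature schemes;
# a real deployment uses asymmetric signatures and a hardware vendor cert chain.
HW_KEY = b"constructed-hardware-key"
RELEASE_KEY = b"constructed-release-signing-key"

def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def canonical(obj):
    # Stable byte encoding so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def make_evidence(identity, release_sig, hw_key=HW_KEY):
    """What a sealed environment would present (hypothetical layout)."""
    report = {"report_data": hashlib.sha256(canonical(identity)).hexdigest()}
    return {"identity": identity, "release_sig": release_sig,
            "report": report, "hw_sig": sign(hw_key, canonical(report))}

def release_key(evidence):
    """Return (released, reason); all three checks gate the key release."""
    report, identity = evidence["report"], evidence["identity"]
    if not hmac.compare_digest(evidence["hw_sig"], sign(HW_KEY, canonical(report))):
        return False, "hardware signature invalid"
    bound = hashlib.sha256(canonical(identity)).hexdigest()
    if not hmac.compare_digest(report["report_data"], bound):
        return False, "identity not bound to hardware report"
    expected = sign(RELEASE_KEY, canonical(identity))
    if not hmac.compare_digest(evidence["release_sig"], expected):
        return False, "identity not release-signed"
    return True, "ok"

# Constructed identity: workload name, release version, image digest.
GENUINE = {"workload": "example-workload", "version": "1.0.0",
           "image_digest": "sha256:" + "a" * 64}
GENUINE_SIG = sign(RELEASE_KEY, canonical(GENUINE))

def demo():
    good = make_evidence(GENUINE, GENUINE_SIG)
    # Swapped image on genuine sealed hardware, reusing the real release signature.
    swapped_id = dict(GENUINE, image_digest="sha256:" + "b" * 64)
    swapped = make_evidence(swapped_id, GENUINE_SIG)
    # Genuine signed identity stapled onto a report produced for the other image.
    stapled = dict(swapped, identity=GENUINE)
    return [release_key(e)[1] for e in (good, swapped, stapled)]

if __name__ == "__main__":
    print(demo())
```

The second and third cases are the ones a separate, after-the-fact identity check would miss: the hardware signature is valid in both, and only the binding and release-signature checks cause the refusal.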