# Verify the report

The verifier checks the authenticity and freshness of the report using the session UUID and the base64-encoded report.

## Verify the report

Verify the report for the workload using the encoded report:

**Example:**

```
vhsm nitride attestation verify f43042c2-3ac6-43fd-be0a-efbfd2c5b419 report=@verify.base64
```

This command uses the report from the attester.

**Output:**

```
Key                       Value
---                       -----
token                     hvs.CAESIOyvGir7sPktjKgCsaL4NZSdf3jWiFtoAFQNC_Wb5L39Gh4KHGh2cy4yQnJUOEx5djcxbW4wd000b0QzamNUWm8
token_accessor            DH9YcdCJkJw6stqC8ochAFai
token_duration            768h
token_renewable           false
token_policies            ["default" "enclaive-attested"]
identity_policies         []
policies                  ["default" "enclaive-attested"]
token_meta_namespace      n/a
token_meta_workload       f43042c2-3ac6-43fd-be0a-efbfd2c5b419
token_meta_measurement    0e3b01f2f08a3e4cead3d075d0e2da32778a18b612919b4108d8201fd9ba811ff151af90615383fb4a8fa9a464b79600
created                   1752752829
description               A small Azure VM running MariaDB
events                    http://localhost:8000
name                      Azure MariaDB
namespace                 n/a
nonce                     n/a
policy                    azure-dc2asv5-raw
updated                   1752753927
uuid                      f43042c2-3ac6-43fd-be0a-efbfd2c5b419
```

### Detailed explanation

* **Successful Attestation**: The presence of a token and associated policies means the workload `Azure MariaDB VM` has successfully passed remote attestation.
* **Token Usage**: The token can now be used by the workload to authenticate itself to other services such as secret stores, APIs, or policy engines that require proof of attestation.
* **Workload Identity**: The `uuid` and `token_meta_workload` fields uniquely identify the attested workload. The `token_meta_measurement` is a cryptographic hash of the workload’s environment, ensuring integrity.
* **Policy Enforcement**: The attached policies (`enclaive-attested` by default) define what the workload is allowed to do after attestation.
* **Security Properties**: The attestation is bound to a specific workload and its measured state. The token is time-limited and not renewable, enforcing periodic re-attestation for continued trust.
* **Auditability**: The output includes timestamps and references for auditing when and how the attestation was performed.
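
The properties listed above can be checked mechanically before the token is handed to a workload. The following is an added example, not part of the Nitride tooling: it parses the table format shown in the Output section and checks the workload binding, measurement, policy, and renewability. The function names `parse_table` and `check_attestation` are hypothetical, and the sample input is constructed from the values on this page.

```python
import re

# Values copied from the Output section above; in practice the pinned measurement
# comes from your own reference build, not from the output being checked.
SESSION = "f43042c2-3ac6-43fd-be0a-efbfd2c5b419"
PINNED = ("0e3b01f2f08a3e4cead3d075d0e2da32778a18b612919b41"
          "08d8201fd9ba811ff151af90615383fb4a8fa9a464b79600")

# Constructed sample: a trimmed copy of the table printed by the verify command.
SAMPLE_OUTPUT = f"""\
Key                       Value
---                       -----
token_renewable           false
token_policies            ["default" "enclaive-attested"]
token_meta_workload       {SESSION}
token_meta_measurement    {PINNED}
uuid                      {SESSION}
"""


def parse_table(text):
    """Turn the two-column Key/Value table into a dict (hypothetical helper)."""
    fields = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] not in ("Key", "---"):
            fields[parts[0]] = parts[1].strip()
    return fields


def check_attestation(text, session, pinned, required_policy="enclaive-attested"):
    """Return a list of problems; an empty list means every check passed."""
    f, problems = parse_table(text), []
    if f.get("token_meta_workload") != session or f.get("uuid") != session:
        problems.append("workload UUID differs from the verified session")
    if f.get("token_meta_measurement", "").lower() != pinned.lower():
        problems.append("measurement differs from the pinned reference")
    if required_policy not in re.findall(r'"([^"]+)"', f.get("token_policies", "")):
        problems.append(f"policy {required_policy} is not attached")
    if f.get("token_renewable") != "false":
        problems.append("token is renewable")
    return problems


if __name__ == "__main__":
    print(check_attestation(SAMPLE_OUTPUT, SESSION, PINNED) or "all checks passed")
```

A missing field is treated as a failed check, so truncated or unexpected output is rejected rather than accepted.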

## Troubleshooting

### **Wrong Identity**

**Error message**:

"*failed attestation: azure-sev-snp-vtpm: measurement did not match, found: 0e3b01f2f08a3e4cead3d075d0e2da32778a18b612919b4108d8201fd9ba811ff151af90615383fb4a8fa9a464b79600, expected: 036fc22b517981a791f7f8b89d634a00e964f6b0dfabc568090eb4393d6026f96aa6b7cca2759f29e521469f1189c00c*"

**Explanation:**

When you enable remote attestation using the `vhsm nitride init` command, it creates essential [Nitride identities](https://docs.enclaive.cloud/nitride/documentation/concepts/policy), including: platform, firmware, and workload. The measurement in the default identities does not match the measurement on the VM, so the attestation fails.

**Solution:**

[Update the measurement of the identity](https://docs.enclaive.cloud/nitride/tutorials/attestation-blueprint-1/create-or-update-identities) with the measurement reported as `found` in the error message. In this example, you need to update the identity named *azure-dc2asv5*.
