Summary
Striatum distributes executable AI skills via OCI registries. Users currently have no way to verify that an artifact they pull or install was published by a trusted source and hasn't been tampered with. Adding signing and verification would close this supply-chain gap.
Proposed commands
- striatum sign <ref>: sign an artifact already pushed to a registry.
- striatum verify <ref>: verify the signature of a remote artifact before pull or install.
- Optional --verify flag on pull and skill install to verify inline.
Approach
Align with the Sigstore / cosign ecosystem, which is the standard for OCI artifact signing. This avoids inventing a custom trust model and lets users reuse existing key material and transparency logs.
Cosign stores signatures as OCI artifacts alongside the signed image, so this fits naturally with the existing oras-go infrastructure.
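The check a verify command has to make, as an added example (not Striatum or cosign code): find the signature under cosign's tag-based scheme, verify it, then confirm the signed payload names the digest that was actually resolved. It assumes key-based ECDSA P-256 signing with the Go standard library in place of the cosign library, a payload reduced to the digest field, and hypothetical function names; the key and digest are constructed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// payload models only the digest binding of cosign's "simple signing" JSON.
type payload struct {
	Critical struct {
		Image struct {
			Digest string `json:"docker-manifest-digest"`
		} `json:"image"`
	} `json:"critical"`
}

// SignatureTag maps sha256:<hex> to the sha256-<hex>.sig tag in the same repository.
func SignatureTag(digest string) string { return strings.Replace(digest, ":", "-", 1) + ".sig" }
// NewKey returns a throwaway P-256 key (constructed for this example).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Sign builds the reduced payload for digest and signs its SHA-256 (ASN.1 DER output).
func Sign(priv *ecdsa.PrivateKey, digest string) ([]byte, []byte, error) {
	body := []byte(fmt.Sprintf(`{"critical":{"image":{"docker-manifest-digest":%q}}}`, digest))
	h := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return body, sig, err
}

// Verify checks the signature, then that the payload names the digest resolved at pull time.
func Verify(pub *ecdsa.PublicKey, body, sig []byte, resolved string) error {
	var p payload
	if h := sha256.Sum256(body); !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not match payload")
	}
	if err := json.Unmarshal(body, &p); err != nil || p.Critical.Image.Digest != resolved {
		return fmt.Errorf("payload not bound to %s (got %q, err %v)", resolved, p.Critical.Image.Digest, err)
	}
	return nil
}

func main() {
	key, _ := NewKey()
	d := "sha256:" + strings.Repeat("ab", 32) // constructed digest
	body, sig, _ := Sign(key, d)
	fmt.Println(SignatureTag(d), Verify(&key.PublicKey, body, sig, d), Verify(&key.PublicKey, body, sig, "sha256:other"))
}
```

The second `Verify` call fails even though the signature is valid: a genuine signature for one digest must not be accepted for a different artifact behind the same tag.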
Scope considerations
- verify should optionally walk the dependency tree and verify each artifact.
- allowed-registries config (Add allowed-registries config so enforcement happens at pull time #38) could pair with a require-signatures policy.
Non-goals (for now)
- Signing local OCI layouts before push (can be added later).
- Custom transparency log infrastructure.