
Cryptographically Signing AI-Generated Artifacts with Sigstore

Using Sigstore keyless signing to verify autonomous agent-authored code and build artifacts with non-repudiation and audit trails.

Advanced 12 min read Updated May 2026

Sigstore is a free, open-source service for signing and verifying software artifacts. When autonomous AI agents are authoring code, Sigstore solves a critical problem: proving that a specific artifact was built from a specific commit, signed by a specific agent, at a specific moment in time.

Traditional signing requires managing long-lived private keys. Sigstore replaces this burden with keyless signing backed by OIDC identity and transparency logs—making it ideal for autonomous workflows where you need non-repudiation without key rotation overhead.

Why Sigstore Matters for Agent-Generated Code

When GitHub Copilot, Cursor, Replit, or your custom LangChain agent commits code, the resulting artifact (container image, binary, or deployment package) carries risk that human-authored code doesn't:

  • Unproven authorship. Git shows the agent's name, but can you prove the agent actually generated this specific artifact?
  • Model version uncertainty. Which model wrote this code? If that model later shows vulnerabilities, was the artifact affected?
  • Provenance opacity. Did someone tamper with the code between generation and deployment?

Sigstore's transparency log (Rekor) answers all three. Every signature is recorded in a public, immutable log. You can later prove:

  1. This artifact was signed by copilot-agent-v3 (identity)
  2. It was signed at 2026-04-29 14:32:15Z (timestamp)
  3. It was built from commit abc123def456 (provenance)
  4. No one has tampered with it since (log transparency)

This is the foundation of compliance with EU AI Act Article 12 logging and SLSA Level 2 provenance requirements.

Core Components

Cosign

Signs and verifies container images and artifacts.

# Sign a container image (keyless) — pin to digest, not a mutable tag, and use --yes for non-interactive shells
cosign sign --yes docker.io/myimage@sha256:7d3e7e6c55b8a8e7f8f5b9e2a4c1d6f8e9b3d5c7a9b1c2d4e5f6789012345abc

# Verify an image. Certificates issued for GitHub Actions carry the workflow URL
# (https://github.com/<org>/<repo>/.github/workflows/<file>@<ref>) as the identity,
# so match on the repository prefix; myorg/myrepo is the example repository
cosign verify \
  --certificate-identity-regexp '^https://github\.com/myorg/myrepo/' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  docker.io/myimage:latest

Fulcio

Certificate authority that issues short-lived certificates (10 minutes) based on OIDC identity. No long-term key management required.

Rekor

Append-only transparency log that records every signature. Publicly verifiable and tamper-evident.

# Search Rekor by artifact hash
rekor-cli search --sha sha256:abc123

# Get a specific log entry
rekor-cli get --log-index 12345

Keyless Signing Workflow

Traditional signing:

  1. Generate long-lived private key
  2. Store key securely (HSM, vault)
  3. Sign artifacts with key
  4. Distribute public key
  5. Verify with public key

Keyless signing (Sigstore):

  1. Authenticate with OIDC (GitHub, Google, etc.)
  2. Get short-lived certificate from Fulcio
  3. Sign artifact
  4. Record in Rekor transparency log
  5. Verify using OIDC identity + Rekor entry

The key differences: no key management burden, certificates expire in minutes (reducing compromise risk), identity tied to existing OIDC providers, and publicly auditable via Rekor.

Verification

Container Images

# Verify with the expected identity. For the Google issuer the identity is the
# signing service account's email; the address below is a placeholder
cosign verify \
  --certificate-identity builder@my-project.iam.gserviceaccount.com \
  --certificate-oidc-issuer https://accounts.google.com \
  docker.io/myimage:latest

# Verify with a regex pattern. The match is unanchored, so anchor both ends:
# an unanchored '.*@myorg\.com' would also accept user@myorg.com.attacker.example
cosign verify \
  --certificate-identity-regexp '^[^@]+@myorg\.com$' \
  --certificate-oidc-issuer https://accounts.google.com \
  docker.io/myimage:latest

SLSA Provenance Attestations

For autonomous agent-authored code, attach a SLSA provenance attestation that includes agent metadata:

# Agent metadata to embed in the provenance predicate (example values)
AGENT_MODEL=gpt-4-turbo-2024-12
AGENT_ID=copilot-coding-agent-v3
COMMIT_HASH=$(git rev-parse HEAD)
IMAGE=docker.io/myimage@sha256:7d3e7e6c55b8a8e7f8f5b9e2a4c1d6f8e9b3d5c7a9b1c2d4e5f6789012345abc

# Sign the artifact (keyless, digest-pinned, non-interactive)
cosign sign --yes "$IMAGE"

# Write the provenance predicate carrying the agent metadata; cosign wraps it
# in an in-toto statement when attesting
cat > provenance.json <<EOF
{
  "resolvedDependencies": [{
    "properties": {
      "commits": [{
        "hash": "$COMMIT_HASH",
        "author": "$AGENT_ID",
        "authored_by": "autonomous_agent",
        "agent_model": "$AGENT_MODEL"
      }]
    }
  }]
}
EOF

# Attach the predicate as a signed attestation (keyless, recorded in Rekor)
cosign attest --yes --type slsaprovenance --predicate provenance.json "$IMAGE"

# Verify SLSA provenance with agent metadata
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity https://github.com/actions/runner \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  "$IMAGE"

# Output is one DSSE envelope per attestation (JSON with a base64 "payload");
# the decoded payload's predicate includes:
# {
#   "predicate": {
#     "resolvedDependencies": [{
#       "properties": {
#         "commits": [{
#           "hash": "abc123def456",
#           "author": "copilot-agent-v3",
#           "authored_by": "autonomous_agent",
#           "agent_model": "gpt-4-turbo-2024-12"
#         }]
#       }
#     }]
#   }
# }

This proves the artifact was built from commits authored by a specific agent model version—critical for compliance audits and incident response.
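Verification by cosign establishes who signed the attestation; whether the agent and model recorded in it are ones you accept is a separate policy decision. The following is an added Python example, not code from this article or from the Sigstore project, that decodes the DSSE envelopes printed by `cosign verify-attestation`, pulls the commit records out of the predicate layout shown above, and rejects the artifact when any agent-authored commit names an agent or model outside an allowlist. The allowlists, the sample envelope and the older model tag in `STALE_COMMIT` are constructed for the demonstration; the signature bytes in the constructed envelope are dummies because cosign has already checked them before printing.

```python
import base64
import json

# Allowlists for this deployment (constructed to match the article's example values)
ALLOWED_AGENT_IDS = {"copilot-agent-v3"}
ALLOWED_AGENT_MODELS = {"gpt-4-turbo-2024-12"}
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"

def decode_envelope(line: str) -> dict:
    """Decode one DSSE envelope line from cosign verify-attestation into its in-toto statement."""
    envelope = json.loads(line)
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))

def agent_commits(statement: dict) -> list:
    """Collect the commit records from predicate.resolvedDependencies[].properties.commits."""
    if not str(statement.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX):
        raise ValueError(f"not a SLSA provenance statement: {statement.get('predicateType')!r}")
    commits = []
    for dep in statement.get("predicate", {}).get("resolvedDependencies", []):
        commits.extend(dep.get("properties", {}).get("commits", []))
    return commits

def check_agent_provenance(output: str, allowed_ids=ALLOWED_AGENT_IDS,
                           allowed_models=ALLOWED_AGENT_MODELS) -> tuple:
    """Policy gate over the full verify-attestation stdout (one envelope per line).

    Fails closed: no envelopes, no commit records, or any agent-authored commit from an
    unlisted agent or model rejects the artifact. Human-authored commits are counted but
    not matched against the agent allowlists."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines:
        return False, "no attestation envelopes in output"
    seen = 0
    for line in lines:
        for c in agent_commits(decode_envelope(line)):
            seen += 1
            if c.get("authored_by") != "autonomous_agent":
                continue
            if c.get("author") not in allowed_ids:
                return False, f"commit {c.get('hash')} by unknown agent {c.get('author')!r}"
            if c.get("agent_model") not in allowed_models:
                return False, f"commit {c.get('hash')} built by unapproved model {c.get('agent_model')!r}"
    if seen == 0:
        return False, "attestation carries no commit records"
    return True, f"{seen} commit record(s) from approved agents"

def make_envelope(commit: dict) -> str:
    """Constructed stand-in for one line of cosign verify-attestation output."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": "docker.io/myimage", "digest": {
            "sha256": "7d3e7e6c55b8a8e7f8f5b9e2a4c1d6f8e9b3d5c7a9b1c2d4e5f6789012345abc"}}],
        "predicate": {"resolvedDependencies": [{"properties": {"commits": [commit]}}]},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": IN_TOTO_PAYLOAD_TYPE, "payload": payload,
                       "signatures": [{"keyid": "", "sig": "ZHVtbXk="}]})  # dummy signature

GOOD_COMMIT = {"hash": "abc123def456", "author": "copilot-agent-v3",
               "authored_by": "autonomous_agent", "agent_model": "gpt-4-turbo-2024-12"}
# Hypothetical older model tag that is no longer on the allowlist
STALE_COMMIT = {**GOOD_COMMIT, "hash": "0000000000ff", "agent_model": "gpt-4-turbo-2024-04"}

if __name__ == "__main__":
    import sys
    if not sys.stdin.isatty():  # piped from: cosign verify-attestation ... "$IMAGE" | python3 gate.py
        ok, why = check_agent_provenance(sys.stdin.read())
    else:  # no pipe: exercise the constructed samples
        ok, why = check_agent_provenance(make_envelope(GOOD_COMMIT))
        print(check_agent_provenance(make_envelope(STALE_COMMIT))[1])
    print(why)
    sys.exit(0 if ok else 1)
```

Wire it in after the `cosign verify-attestation` call in the pipeline, so that the identity check (cosign) and the agent/model policy (this script) both have to pass before deployment; when a model version is later found to be problematic, removing it from `ALLOWED_AGENT_MODELS` blocks every artifact whose provenance names it.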

Trusted OIDC Providers

Provider         Issuer URL                                    Identity Format
GitHub Actions   https://token.actions.githubusercontent.com   Repository slug
Google Cloud     https://accounts.google.com                   Service account email
GitLab CI        https://gitlab.com                            Project path

Policy Enforcement

Kubernetes Admission Control

apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: signed-images
spec:
  images:
  - glob: "**/*"
  authorities:
  - keyless:
      url: https://fulcio.sigstore.dev
      identities:
      - issuer: https://token.actions.githubusercontent.com
        # "subject" is an exact match; use subjectRegExp to accept any workflow in the org
        subjectRegExp: '^https://github\.com/myorg/.*'

CI/CD Verification Gate

#!/bin/bash
set -euo pipefail

# Image reference to verify, passed as the first argument (prefer repo@sha256:... over a tag)
IMAGE="${1:?usage: $0 <image-ref>}"
# GitHub Actions certificates carry the full workflow URL as identity, so match on the repository prefix
EXPECTED_IDENTITY_RE='^https://github\.com/myorg/myrepo/'
EXPECTED_ISSUER="https://token.actions.githubusercontent.com"

if cosign verify \
  --certificate-identity-regexp "$EXPECTED_IDENTITY_RE" \
  --certificate-oidc-issuer "$EXPECTED_ISSUER" \
  "$IMAGE" >/dev/null; then
  echo "Signature verified for $IMAGE"
  kubectl apply -f deployment.yaml
else
  echo "Signature verification failed for $IMAGE" >&2
  exit 1
fi

npm Provenance

npm now supports Sigstore-based provenance for packages published from GitHub Actions:

# Verify package signatures (the supported, documented path)
npm audit signatures

# Inspect the raw attestations JSON via the public registry
npm view express --json | jq '.dist.attestations'

When a package is published with provenance, npm records which GitHub repository and workflow produced it — creating a verifiable chain from source to registry.

Best Practices

For Producers

  1. Use keyless signing — Eliminate key management by leveraging existing OIDC identity
  2. Sign everything — Container images, release artifacts, SBOMs, and attestations
  3. Provide attestations — SLSA provenance, SBOM attestations, vulnerability scan results

For Consumers

  1. Always verify before use — Check identity matches your expectations
  2. Define allowed OIDC issuers — Restrict which identity providers you trust
  3. Automate verification — CI/CD gates, admission controllers, dependency scanning

Ecosystem Integration

Category              Supported Platforms
Container Registries  Docker Hub, GHCR, GCR, ECR
Package Managers      npm (native), PyPI (trusted publishers), Maven
Build Platforms       GitHub Actions, Google Cloud Build, GitLab CI
Policy Engines        Kubernetes Policy Controller, OPA/Gatekeeper

Sigstore in Your Agent Supply Chain

When your CI/CD system builds code authored by autonomous agents:

  1. Sign the artifact with the agent's OIDC identity (the agent's service account in GitHub Actions, GitLab CI, etc.)
  2. Attach SLSA provenance including agent metadata (model, version, commit hash)
  3. Verify before deployment — reject unsigned artifacts or those from unexpected agent versions
  4. Record in Rekor — the transparency log becomes your audit trail for EU AI Act Article 12

Example: If Copilot Coding Agent generates a PR, your CI/CD signs the resulting container with Sigstore. Five years later, in a regulatory audit, you can retrieve the signature from Rekor and prove exactly which model version built the container, which commits it included, and when it was signed.
