{"id":47115453,"url":"https://github.com/pulseengine/sigil","last_synced_at":"2026-04-01T23:52:52.079Z","repository":{"id":322127706,"uuid":"1088293252","full_name":"pulseengine/sigil","owner":"pulseengine","description":"Sigil — Supply chain security for WebAssembly. Embedded signatures, Sigstore keyless signing, SLSA provenance. Part of the PulseEngine toolchain.","archived":false,"fork":false,"pushed_at":"2026-03-28T08:35:13.000Z","size":2044,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-28T10:34:15.723Z","etag":null,"topics":["pulseengine","rust","sigstore","slsa","supply-chain-security","webassembly"],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pulseengine.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-11-02T17:32:49.000Z","updated_at":"2026-03-28T08:34:01.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/pulseengine/sigil","commit_stats":null,"previous_names":["pulseengine/wsc","pulseengine/sigil"],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/pulseengine/sigil","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pulseengine%2Fsigil","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pulseengine%2Fsigil/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pulseengine%2Fsigil/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pulseengine%2Fsigil/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pulseengine","download_url":"https://codeload.github.com/pulseengine/sigil/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pulseengine%2Fsigil/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31293127,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T21:15:39.731Z","status":"ssl_error","status_checked_at":"2026-04-01T21:15:34.046Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["pulseengine","rust","sigstore","slsa","supply-chain-security","webassembly"],"created_at":"2026-03-12T18:58:27.169Z","updated_at":"2026-04-01T23:52:52.071Z","avatar_url":"https://github.com/pulseengine.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# Sigil\n\n\u003csup\u003eSupply chain security for WebAssembly\u003c/sup\u003e\n\n\u0026nbsp;\n\n[![CI](https://github.com/pulseengine/sigil/actions/workflows/rust.yml/badge.svg)](https://github.com/pulseengine/sigil/actions/workflows/rust.yml)\n[![codecov](https://codecov.io/gh/pulseengine/sigil/graph/badge.svg)](https://codecov.io/gh/pulseengine/sigil)\n![Rust](https://img.shields.io/badge/Rust-CE422B?style=flat-square\u0026logo=rust\u0026logoColor=white\u0026labelColor=1a1b27)\n![Sigstore](https://img.shields.io/badge/Sigstore-keyless_signing-654FF0?style=flat-square\u0026labelColor=1a1b27)\n![SLSA](https://img.shields.io/badge/SLSA-L4_provenance-00C853?style=flat-square\u0026labelColor=1a1b27)\n![License: MIT](https://img.shields.io/badge/License-MIT-blue?style=flat-square\u0026labelColor=1a1b27)\n\n\u0026nbsp;\n\n\u003ch6\u003e\n  \u003ca href=\"https://github.com/pulseengine/meld\"\u003eMeld\u003c/a\u003e\n  \u0026middot;\n  \u003ca href=\"https://github.com/pulseengine/loom\"\u003eLoom\u003c/a\u003e\n  \u0026middot;\n  \u003ca href=\"https://github.com/pulseengine/synth\"\u003eSynth\u003c/a\u003e\n  \u0026middot;\n  \u003ca href=\"https://github.com/pulseengine/kiln\"\u003eKiln\u003c/a\u003e\n  \u0026middot;\n  \u003ca href=\"https://github.com/pulseengine/sigil\"\u003eSigil\u003c/a\u003e\n\u003c/h6\u003e\n\n\u003c/div\u003e\n\n\u0026nbsp;\n\nMeld fuses. Loom weaves. Synth transpiles. Kiln fires. Sigil seals.\n\nThe cryptographic backbone of the PulseEngine pipeline. Sigil signs WebAssembly modules with embedded signatures that can be verified completely offline — perfect for embedded systems, edge devices, and air-gapped environments. Every pipeline stage (fusion, optimization, transpilation) creates a signed transformation attestation recording what changed, which tool version ran, and cryptographic hashes of inputs and outputs.\n\nBuilt on the [WebAssembly modules signatures proposal](https://github.com/wasm-signatures/design) and extended with Sigstore keyless signing, SLSA policy enforcement, and hardware security via TPM 2.0. All signatures are embedded directly in WebAssembly modules — no external registry required.\n\n## Quick Start\n\n```bash\n# Install from source\ncargo install wsc-cli\n\n# Or build from source\ngit clone https://github.com/pulseengine/sigil.git\ncd sigil\ncargo build --release\n```\n\n### Keyless Signing (Sigstore)\n\n```bash\n# Sign in GitHub Actions (or any OIDC-enabled CI)\nsigil sign --keyless -i module.wasm -o signed.wasm\n\n# Verify offline — no network required\nsigil verify --keyless -i signed.wasm\n\n# With identity constraints\nsigil verify --keyless -i signed.wasm \\\n  --cert-identity \"user@example.com\" \\\n  --cert-oidc-issuer \"https://token.actions.githubusercontent.com\"\n```\n\n### Traditional Key-Based Signing\n\n```bash\n# Generate key pair\nsigil keygen -k secret.key -K public.key\n\n# Sign\nsigil sign -k secret.key -i module.wasm -o signed.wasm\n\n# Verify\nsigil verify -K public.key -i signed.wasm\n```\n\n## Features\n\n- **Offline-First Verification** — Embedded signatures survive distribution; no network required at runtime\n- **Keyless Signing** — Full Sigstore/Fulcio/Rekor integration with OIDC authentication (GitHub Actions, Google Cloud, GitLab CI)\n- **Keyless Verification** — Verify Sigstore signatures offline with certificate chain and SET validation\n- **Enhanced Rekor Verification** — Checkpoint-based verification with security hardening\n- **Bazel Integration** — Full BUILD and MODULE.bazel support for hermetic builds\n- **WebAssembly Component Model** — Both library and CLI WebAssembly component builds\n- **OpenSSH Key Support** — Works with Ed25519 SSH keys\n- **GitHub Integration** — Verify using a GitHub user's SSH public keys\n- **Multiple Signatures** — Compact representation for multi-signer workflows\n\n### Offline Verification vs Registry Signatures\n\n| Scenario | Cosign/OCI | Sigil |\n|----------|------------|-------|\n| IoT device with intermittent WiFi | Needs connectivity | Verify offline |\n| Industrial controller | Requires registry access | Signature embedded |\n| Edge CDN node | Registry latency | Local verification |\n| Air-gapped network | Cannot verify | Works offline |\n\n## Additional Operations\n\n```bash\n# Inspect a module\nsigil show -i module.wasm\n\n# Detach signature\nsigil detach -i signed.wasm -o unsigned.wasm -S signature.bin\n\n# Attach signature\nsigil attach -i unsigned.wasm -o signed.wasm -S signature.bin\n\n# Partial verification (specific custom sections)\nsigil verify -K public.key -i signed.wasm --split \"custom_section_regex\"\n```\n\n## Formal Verification\n\n\u003e [!NOTE]\n\u003e **Cross-cutting verification** \u0026mdash; Rocq mechanized proofs, Kani bounded model checking, Z3 SMT verification, and Verus Rust verification are used across the PulseEngine toolchain. Sigil attestation chains bind it all together.\n\n## Documentation\n\n- [Checkpoint Implementation](docs/checkpoint_implementation.md)\n- [Security Audit](docs/checkpoint_security_audit.md)\n- [Checkpoint Format](docs/rekor_checkpoint_format.md)\n- [Security Model](SECURITY.md)\n- [Keyless Signing](docs/keyless.md)\n- [Testing Guide](docs/testing.md)\n\n## Acknowledgments\n\nBased on [wasmsign2](https://github.com/wasm-signatures/wasmsign2) by Frank Denis. MIT License \u0026mdash; original wasmsign2 Copyright (c) 2024 Frank Denis.\n\n## License\n\nMIT License \u0026mdash; see [LICENSE](LICENSE).\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n\u003csub\u003ePart of \u003ca href=\"https://github.com/pulseengine\"\u003ePulseEngine\u003c/a\u003e \u0026mdash; formally verified WebAssembly toolchain for safety-critical systems\u003c/sub\u003e\n\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpulseengine%2Fsigil","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpulseengine%2Fsigil","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpulseengine%2Fsigil/lists"}