Cryptographic identity and signing for software supply chains.
No central authority. No CA. No server. Just Git and cryptography.
brew tap auths-dev/auths-cli
brew install auths
auths init # create your identity
auths sign ./release.tar.gz # sign an artifact
auths verify ./release.tar.gz # verify itHomebrew:
brew tap auths-dev/auths-cli
brew install authsInstall from source:
cargo install --git https://github.com/auths-dev/auths.git auths_cliThis installs auths, auths-sign, and auths-verify.
auths initFollow the prompts. This creates your cryptographic identity and stores the key securely in your system keychain.
auths statusOutput:
Identity: did:keri:EBf2cE...
Key aliases: main
Witnesses: none designated
Agent: stopped
Devices: none
auths init already configured Git commit signing (gpg.format, commit.gpgsign), so just commit:
git commit -m "My first signed commit"Verify it:
auths verify HEADOutput:
Commit a1b2c3d verified: signed by did:keri:EBf2cE...
That's it. Your commits are now cryptographically signed with your decentralized identity.
Want the whole loop in one shot? auths demo signs and verifies a sample artifact in under 30 seconds.
Auths stores your identity and device attestations in a Git repository (~/.auths by default). Each device link is a cryptographically signed attestation stored as a Git ref.
- Identity: A
did:keriderived from your P-256 key (Ed25519 is also supported; P-256 is the default because it is what the iOS Secure Enclave can hold) - Devices:
did:keyidentifiers linked via signed attestations - Keys: Stored in your OS keychain (macOS Keychain, or encrypted file fallback)
- Attestations: Stored in Git refs under
refs/auths/ - Trust: Your repo commits
.auths/roots— the trusted root a clone anchors to — and your KEL travels to that repo's remote alongside your code, sogit clone && auths verify HEADworks with no setup
No central server. No blockchain. Just Git and cryptography.
Auths signs commits with a standard SSH signature (ecdsa-sha2-nistp256), so auths verify replays the signer's key history — their KEL — and checks the signature against the key that was valid at signing time, then confirms that key chains back to a root the repository pins.
Sigstore and GitHub can verify offline too. The difference is narrower than "offline vs online" and worth stating precisely: their offline path checks a signature against a trust-root snapshot you refreshed at some point, so a key rotation or revocation you have not downloaded is one you cannot see. A KEL carries its own rotation history, so key state verifies without refreshing a trust root. That matters most for long-lived device keys, which is Auths's model.
| Command | Description |
|---|---|
auths init |
Initialize identity (also configures Git signing) |
auths demo |
Sign + verify a sample artifact in 30 seconds |
auths sign <file> |
Sign an artifact |
auths verify <target> |
Verify a commit (e.g. HEAD) or signed artifact |
auths status |
Show identity and device overview |
auths whoami |
Print your identity DID |
auths pair |
Link another device via QR / short code |
auths trust pin |
Pin a trusted identity |
auths doctor |
Diagnose setup issues |
auths tutorial |
Interactive guided tour |
Run auths --help for full documentation, or auths --help-all to include advanced commands.
Apache 2.0