Sigstore Integration

Supply Chain Provenance

Sigstore-based signing and verification of AI agent instruction files. Verify that CLAUDE.md, AGENT.md, and SKILLS.md files were authored by trusted identities before agents execute them.

The problem: unsigned instructions

AI coding agents follow instructions from files like CLAUDE.md, AGENT.md, and SKILLS.md. These files define the agent's behavior — what it can do, how it should approach problems, and what tools it has access to. But there is no standard mechanism to verify who authored these files or whether they have been tampered with.

A compromised instruction file is a prompt injection vector. An attacker who can modify CLAUDE.md in a repository can instruct the agent to exfiltrate secrets, install backdoors, or modify code in subtle ways. Without provenance verification, there is no way to distinguish legitimate instructions from injected ones.

Sigstore Signing

nono uses Sigstore's keyless signing workflow. Authors authenticate via OIDC (GitHub, Google, or Microsoft identity), receive an ephemeral Fulcio certificate, and sign instruction files. The signature and certificate are recorded in the Rekor transparency log, creating a permanent, publicly auditable record.

Rekor Transparency Log

Every signature is recorded in the Rekor transparency log, an append-only, publicly auditable ledger. This means you can verify not just that a file was signed, but exactly when it was signed and by whom. Signed entries cannot be removed or altered after publication.

terminal

    # Sign instruction files with Sigstore keyless signing
    $ nono trust sign --keyless CLAUDE.md AGENT.md
    Signing CLAUDE.md...
    Identity: token.actions.githubusercontent.com (OIDC)
    Signed with Fulcio ephemeral certificate
    Uploaded to Rekor transparency log
    Entry: rekor.sigstore.dev/api/v1/log/entries/...
    Signing AGENT.md...
    Identity: token.actions.githubusercontent.com (OIDC)
    Signed with Fulcio ephemeral certificate
    Uploaded to Rekor transparency log
    2 files signed successfully.

runtime verification

    # nono automatically verifies at runtime
    $ nono run --profile claude-code -- claude
    Verifying instruction files...
    CLAUDE.md: VERIFIED
    AGENT.md: VERIFIED
    SKILLS.md: UNSIGNED - BLOCKED
    Error: SKILLS.md is not signed by a trusted identity.
    Expected signers: token.actions.githubusercontent.com
    Run 'nono trust sign SKILLS.md' to sign, or add
    --trust-override to bypass (not recommended).

Trust policy

nono's trust policy defines which OIDC identities are authorized to sign instruction files. This is configured per-profile and supports org, repo, and workflow constraints. Unsigned files or files signed by untrusted identities are blocked before the agent process starts.

trust-policy.json

    {
      "version": 1,
      "instruction_patterns": ["SKILLS.md", "scripts/skill_script.py"],
      "publishers": [
        {
          "name": "github-ci",
          "issuer": "https://token.actions.githubusercontent.com",
          "repository": "myorg/agent-skills",
          "workflow": ".github/workflows/agent-skills.yml",
          "ref_pattern": "refs/heads/main"
        }
      ],
      "blocklist": {"digests": ["sha256:abc123...", "sha256:def456..."]},
      "enforcement": "deny"
    }
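
The policy above can be read as a decision procedure. The Python sketch below is an added example, not nono's own code: the function name evaluate, the shape of the signer dictionary, glob matching for instruction_patterns and ref_pattern, exact matching for the other fields, and the blocklist taking precedence over a valid signature are all assumptions. It shows why the publisher entry pins repository, workflow and ref rather than the issuer alone, since every GitHub Actions workflow receives tokens from the same issuer.

```python
import fnmatch
import hashlib
import json

# Policy from the page's trust-policy.json. Its elided blocklist digests are
# replaced with the digest of a constructed "known bad" file (BAD_CONTENT).
BAD_CONTENT = b"constructed sample of a revoked skill file\n"
POLICY = json.loads("""{
  "version": 1,
  "instruction_patterns": ["SKILLS.md", "scripts/skill_script.py"],
  "publishers": [{
    "name": "github-ci",
    "issuer": "https://token.actions.githubusercontent.com",
    "repository": "myorg/agent-skills",
    "workflow": ".github/workflows/agent-skills.yml",
    "ref_pattern": "refs/heads/main"
  }],
  "blocklist": {"digests": []},
  "enforcement": "deny"
}""")
POLICY["blocklist"]["digests"].append("sha256:" + hashlib.sha256(BAD_CONTENT).hexdigest())


def evaluate(policy, path, content, signer):
    """Return (decision, reason) for one file. `signer` is None for an unsigned
    file, otherwise a dict of identity claims from a certificate whose signature
    and Rekor entry were already verified (that step is outside this sketch)."""
    if policy["enforcement"] != "deny":
        raise ValueError("this sketch only models enforcement 'deny'")
    if not any(fnmatch.fnmatchcase(path, p) for p in policy["instruction_patterns"]):
        return "allow", "not an instruction file"
    digest = "sha256:" + hashlib.sha256(content).hexdigest()
    if digest in policy["blocklist"]["digests"]:
        return "deny", "digest is blocklisted"  # assumed: beats a valid signature
    if signer is None:
        return "deny", "unsigned"
    for pub in policy["publishers"]:
        if (signer.get("issuer") == pub["issuer"]
                and signer.get("repository") == pub["repository"]
                and signer.get("workflow") == pub["workflow"]
                and fnmatch.fnmatchcase(signer.get("ref", ""), pub["ref_pattern"])):
            return "allow", "signed by " + pub["name"]
    return "deny", "signer matches no publisher"


if __name__ == "__main__":
    ci = dict(POLICY["publishers"][0], ref="refs/heads/main")  # constructed signer
    print(evaluate(POLICY, "SKILLS.md", b"constructed skill text\n", ci))
```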
