2026-02-22
Announcing Auths
Today we're releasing Auths — a cryptographic identity and signing protocol for software supply chains. Your identity lives in your own repository and travels with you.
Why We Built This
Software signing is broken. The tools available today force you to choose between:
- Centralized, opaque infrastructure (Sigstore, code signing CAs) that can be compromised, subpoenaed, or simply shut down
- Manual GPG key management that nobody does correctly
We believe cryptographic trust should be:
- Yours: anchored in keys you control, stored in your own repository
- Verifiable without trust: anyone can verify without depending on your infrastructure
- Practical: a single command to sign, a browser widget to verify
What Ships Today
authsCLI — initialize identity, pair devices, sign artifacts, verify<auths-verify>web component — drop-in WASM-powered verification in any browser- Identity Explorer — explore any repository's cryptographic identity chain
- Open protocol — the identity format is fully documented and open
The Technology
Auths is built on:
- A key event log — an append-only, self-certifying history of your key — as the anchor of identity
- Ed25519 for all cryptographic operations
- WebAssembly for in-browser, zero-trust verification
- Git refs as a tamper-evident storage layer you clone, push, and pull like any repository
Try It
brew install auths-dev/auths-cli/authsauths init
We're excited to build this together. Feedback welcome on GitHub.