← All essays

2026-02-22

Announcing Auths

Today we're releasing Auths — a cryptographic identity and signing protocol for software supply chains. Your identity lives in your own repository and travels with you.

Why We Built This

Software signing is broken. The tools available today force you to choose between:

  1. Centralized, opaque infrastructure (Sigstore, code signing CAs) that can be compromised, subpoenaed, or simply shut down
  2. Manual GPG key management that nobody does correctly

We believe cryptographic trust should be:

  • Yours: anchored in keys you control, stored in your own repository
  • Verifiable without trust: anyone can verify without depending on your infrastructure
  • Practical: a single command to sign, a browser widget to verify

What Ships Today

  • auths CLI — initialize identity, pair devices, sign artifacts, verify
  • <auths-verify> web component — drop-in WASM-powered verification in any browser
  • Identity Explorer — explore any repository's cryptographic identity chain
  • Open protocol — the identity format is fully documented and open

The Technology

Auths is built on:

  • A key event log — an append-only, self-certifying history of your key — as the anchor of identity
  • Ed25519 for all cryptographic operations
  • WebAssembly for in-browser, zero-trust verification
  • Git refs as a tamper-evident storage layer you clone, push, and pull like any repository

Try It

brew install auths-dev/auths-cli/auths
auths init

We're excited to build this together. Feedback welcome on GitHub.