auths-dev · bordumb · Apr 9, 2026
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,6 +2,10 @@
 # Set a tag, then push it to trigger the release workflow:
 # git tag v0.1.0
 # git push origin v0.1.0
+#
+# Prerequisites:
+# - Commits must be signed by a maintainer listed in .auths/allowed_signers
+# - No signing secrets needed — CI verifies commits, then signs artifacts with ephemeral keys
 
 name: Release
 
@@ -14,7 +18,19 @@ permissions:
   contents: write
 
 jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Verify commit signatures
+        uses: auths-dev/verify@v1
+
   build:
+    needs: verify
     strategy:
       fail-fast: false
       matrix:
@@ -97,14 +113,24 @@ jobs:
           $hash = (Get-FileHash ${{ matrix.asset_name }}${{ matrix.ext }} -Algorithm SHA256).Hash.ToLower()
           "$hash  ${{ matrix.asset_name }}${{ matrix.ext }}" | Out-File -Encoding ascii ${{ matrix.asset_name }}${{ matrix.ext }}.sha256
 
-      - name: Sign artifact (Unix)
+      - name: Sign artifact (ephemeral, Unix)
         if: matrix.ext == '.tar.gz'
-        uses: auths-dev/sign@v1
-        with:
-          token: ${{ secrets.AUTHS_CI_TOKEN }}
-          files: ${{ matrix.asset_name }}${{ matrix.ext }}
-          verify: true
-          note: 'GitHub Actions release — ${{ github.ref_name }}'
+        run: |
+          FILE="${{ matrix.asset_name }}${{ matrix.ext }}"
+          ./staging/auths artifact sign "$FILE" \
+            --ci \
+            --commit "${{ github.sha }}" \
+            --note "Release ${{ github.ref_name }}"
+
+      - name: Sign artifact (ephemeral, Windows)
+        if: matrix.ext == '.zip'
+        shell: pwsh
+        run: |
+          $file = "${{ matrix.asset_name }}${{ matrix.ext }}"
+          .\staging\auths.exe artifact sign $file `
+            --ci `
+            --commit $env:GITHUB_SHA `
+            --note "Release ${{ github.ref_name }}"
 
       - name: Upload artifact
         uses: actions/upload-artifact@v4
@@ -142,7 +168,7 @@ jobs:
           for asset in auths-macos-aarch64 auths-linux-x86_64 auths-linux-aarch64; do
             curl -sL "${BASE}/${asset}.tar.gz.auths.json" -o "${asset}.auths.json"
           done
-          extract_hash() { python3 -c "import json; d=json.load(open('$1')); print(d['payload']['digest']['hex'])"; }
+          extract_hash() { jq -r '.payload.digest.hex' "$1"; }
           {
             echo "version=${VERSION}"
             echo "macos_aarch64=$(extract_hash auths-macos-aarch64.auths.json)"
@@ -207,6 +233,6 @@ jobs:
           body: |
             Automated formula update from [release v${{ steps.hashes.outputs.version }}](https://github.com/auths-dev/auths/releases/tag/v${{ steps.hashes.outputs.version }}).
 
-            SHA256 hashes extracted from `.auths.json` attestation files (dogfooding).
+            SHA256 hashes extracted from `.auths.json` provenance files.
           branch: "update-${{ steps.hashes.outputs.version }}"
           base: main
diff --git a/.github/workflows/sign-commits.yml b/.github/workflows/sign-commits.yml
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -13,6 +13,7 @@ members = [
   "crates/auths-sdk",
   "crates/auths-infra-git",
   "crates/auths-infra-http",
+  "crates/auths-infra-rekor",
   "crates/auths-storage",
   "crates/auths-transparency",
   "crates/auths-keri",

diff --git a/README.md b/README.md
@@ -2,16 +2,26 @@
 
 [![CI](https://github.com/auths-dev/auths/actions/workflows/ci.yml/badge.svg)](https://github.com/auths-dev/auths/actions/workflows/ci.yml)
 [![Verify Commits](https://github.com/auths-dev/auths/actions/workflows/verify-commits.yml/badge.svg)](https://github.com/auths-dev/auths/actions/workflows/verify-commits.yml?query=branch%3Amain+event%3Apush)
-[![Sign Commits](https://github.com/auths-dev/auths/actions/workflows/sign-commits.yml/badge.svg)](https://github.com/auths-dev/auths/actions/workflows/sign-commits.yml?query=branch%3Amain)
+
 [![Verified with Auths](https://img.shields.io/badge/identity-verified%20with%20auths-brightgreen)](https://auths.dev)
 
 <!-- Auths Verification Badge (renders in HTML contexts, not on GitHub) -->
 <!-- <auths-verify repo="https://github.com/auths-dev/auths" mode="badge" size="md"></auths-verify> -->
 <!-- <script type="module" src="https://unpkg.com/@auths-dev/verify@0.3.0/dist/auths-verify.mjs"></script> -->
 
-Decentralized identity for individuals, AI agents, and their organizations.
+Cryptographic identity and signing for software supply chains.
+
+No central authority. No CA. No server. Just Git and cryptography.
 
-One identity, multiple devices, Git-native storage.
+## Quick Start
+
+```bash
+brew tap auths-dev/auths-cli
+brew install auths
+auths init                       # create your identity
+auths sign ./release.tar.gz      # sign an artifact
+auths verify ./release.tar.gz    # verify it
+```
 
 ## Install
 
@@ -28,7 +38,7 @@ cargo install --git https://github.com/auths-dev/auths.git auths_cli
 
 This installs `auths`, `auths-sign`, and `auths-verify`.
 
-## Quick Start
+## Walkthrough
 
 ### 1. Initialize your identity (30 seconds)
 
@@ -85,66 +95,6 @@ That's it. Your commits are now cryptographically signed with your decentralized
 
 ---
 
-## What can you do with Auths?
-
-**Link multiple devices to one identity**
-
-```bash
-# On your laptop
-auths device link --device-did did:key:z6Mk...
-
-# Now both devices can sign as the same identity
-```
-
-**Revoke a compromised device**
-
-```bash
-auths device revoke --device-did did:key:z6Mk...
-```
-
-**Verify any attestation**
-
-```bash
-auths verify attestation.json
-```
-
-**Sync allowed-signers for Git verification**
-
-```bash
-auths signers sync
-```
-
----
-
-## Agent & Workload Identity
-
-Auths treats AI agents and CI/CD runners as first-class identity holders — not borrowers of human credentials.
-
-**Give an agent its own identity:**
-
-```bash
-# Create a dedicated agent identity
-auths init --profile agent
-
-# Issue a scoped, time-limited attestation from a human to the agent
-auths attestation issue \
-  --subject did:key:z6MkAgent... \
-  --signer-type Agent \
-  --capabilities "sign:commit,deploy:staging" \
-  --delegated-by did:keri:EHuman... \
-  --expires-in 24h
-```
-
-The agent now holds a cryptographic attestation chain traceable back to the human who authorized it. Every action the agent takes is signed under its own key, scoped to only the capabilities it was granted, and verifiable by anyone — offline, without contacting a central authority.
-
-**How delegation works:** A human creates a signed attestation granting specific capabilities to an agent. The agent can further delegate a subset of those capabilities to sub-agents. Verifiers walk the chain back to the human sponsor. Capabilities can only narrow at each hop, never widen. See the [Delegation Guide](docs/getting-started/delegation.md) for a full walkthrough.
-
-**Cloud integration via OIDC:** The [OIDC bridge](docs/architecture/oidc-bridge.md) verifies an agent's attestation chain and issues a standard JWT consumable by AWS STS, GCP Workload Identity, and Azure AD — no cloud provider changes required.
-
-**MCP compatibility:** Auths attestations serve as the cryptographic identity layer behind MCP's OAuth-based authorization, providing verifiable delegation chains from human principals to AI agents.
-
----
-
 ## How it works
 
 Auths stores your identity and device attestations in a Git repository (`~/.auths` by default). Each device link is a cryptographically signed attestation stored as a Git ref.

diff --git a/crates/auths-cli/Cargo.toml b/crates/auths-cli/Cargo.toml
@@ -44,6 +44,7 @@ auths-telemetry = { workspace = true, features = ["sink-http"] }
 auths-verifier = { workspace = true, features = ["native"] }
 auths-infra-git.workspace = true
 auths-infra-http.workspace = true
+auths-infra-rekor = { path = "../auths-infra-rekor" }
 auths-utils.workspace = true
 tokio = { version = "1", features = ["rt-multi-thread", "macros", "time"] }
 ring.workspace = true

diff --git a/crates/auths-cli/src/cli.rs b/crates/auths-cli/src/cli.rs
@@ -9,7 +9,7 @@ use crate::commands::approval::ApprovalCommand;
 use crate::commands::artifact::ArtifactCommand;
 use crate::commands::audit::AuditCommand;
 use crate::commands::auth::AuthCommand;
-use crate::commands::ci::CiCommand;
+
 use crate::commands::commit::CommitCmd;
 use crate::commands::completions::CompletionsCommand;
 use crate::commands::config::ConfigCommand;
@@ -103,9 +103,6 @@ pub enum RootCommand {
     Config(ConfigCommand),
     Completions(CompletionsCommand),
 
-    // ── CI/CD ──
-    Ci(CiCommand),
-
     // ── Advanced (visible via --help-all) ──
     #[command(hide = true)]
     Publish(PublishCommand),