Cryptographic trust for Claude Code skills
Sign SKILL.md files with your GitHub identity. Verify authorship and integrity before execution. No long-lived keys — powered by Sigstore.
pip install, uvx, and brew distribution coming in Phase 3.
How it works
Three steps. No key management. Fully transparent.
Sign
Authenticate with GitHub via OIDC. Sigstore issues a short-lived certificate binding your identity to an ephemeral key. Sign your SKILL.md — the key is discarded.
Log
The signature and certificate are recorded in Rekor, Sigstore's append-only transparency log. Anyone can audit the signing history.
Verify
Consumers verify the signature, certificate chain, and identity before execution. Tampered files, expired certs, and identity mismatches are caught automatically.
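The three failure cases named under Verify, modelled as an added example (not this project's code). `SigningRecord`, `check_skill` and all sample values are hypothetical, and the record stands in for fields a verifier reads from a Sigstore bundle after the signature, certificate chain and Rekor inclusion have already been checked cryptographically.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class SigningRecord:
    """Hypothetical view of an already-authenticated signing bundle."""
    digest: str      # SHA-256 of the SKILL.md that was signed
    identity: str    # signer identity bound into the certificate
    issuer: str      # OIDC issuer recorded in the certificate
    not_before: int  # certificate validity start (Unix seconds)
    not_after: int   # certificate validity end (Unix seconds)
    logged_at: int   # time the transparency log recorded the signature

def check_skill(content: bytes, rec: SigningRecord,
                want_identity: str, want_issuer: str) -> list:
    """Return the names of failed checks; an empty list means all passed."""
    failures = []
    if hashlib.sha256(content).hexdigest() != rec.digest:
        failures.append("tampered")
    # A short-lived certificate has expired long before a consumer verifies,
    # so validity is judged at the logged signing time, not at "now".
    if not (rec.not_before <= rec.logged_at <= rec.not_after):
        failures.append("signed-outside-cert-validity")
    # Exact comparison on both fields: prefix or substring matching would
    # accept look-alike identities, and the same name from another issuer
    # is a different principal.
    if rec.identity != want_identity or rec.issuer != want_issuer:
        failures.append("identity-mismatch")
    return failures

# Constructed sample data, not taken from any real log entry.
SKILL = b"---\nname: example-skill\n---\nSummarise the open file.\n"
ISSUER = "https://github.com/login/oauth"  # assumed issuer for this sample
RECORD = SigningRecord(
    digest=hashlib.sha256(SKILL).hexdigest(),
    identity="alice@example.com",
    issuer=ISSUER,
    not_before=1_700_000_000,
    not_after=1_700_000_600,   # ten-minute certificate
    logged_at=1_700_000_030,
)

if __name__ == "__main__":
    print(check_skill(SKILL, RECORD, "alice@example.com", ISSUER))
    print(check_skill(SKILL + b"extra line\n", RECORD, "alice@example.com", ISSUER))
    print(check_skill(SKILL, RECORD, "alice@example.com.attacker.test", ISSUER))
```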