Summary
Implement cryptographic signing and verification of skill images using Sigstore/Cosign, enabling supply chain security for distributed skills.
Motivation
Unsigned skill registries are a supply chain risk. The ClawHavoc incident (Feb 2026) saw 341 malicious skills on ClawHub — signing is essential for trust in distributed skill ecosystems.
Users need to:
- Sign skill images when publishing to registries
- Verify signatures when pulling/installing skills
- Trust that a skill hasn't been tampered with after publication
Current state
The design docs (docs/design/2026-04-15-oci-skill-registry-design.md, lines 757–961) have extensive specifications for RHTAS integration, but nothing is implemented:
| Component | Status |
|---|---|
| pkg/verify/ package | Planned in CLAUDE.md, directory doesn't exist |
| skillctl sign command | Not implemented |
| skillctl verify command | Not implemented |
| sigstore-go dependency | Not in go.mod |
| Cosign integration | Not started |
Proposed CLI
```bash
# Sign a skill image (keyless, OIDC-based)
skillctl sign quay.io/skillimage/summarize:v1.2.0

# Sign with a key pair
skillctl sign --key cosign.key quay.io/skillimage/summarize:v1.2.0

# Verify a skill image
skillctl verify quay.io/skillimage/summarize:v1.2.0

# Verify with a specific public key
skillctl verify --key cosign.pub quay.io/skillimage/summarize:v1.2.0

# Pull with mandatory verification
skillctl pull --verify quay.io/skillimage/summarize:v1.2.0
```
Design (from existing specs)
Signing flow
- User publishes a skill image with skillctl push
- User signs with skillctl sign (or signing happens automatically during promote to published state)
- Signature is stored as a Cosign-compatible OCI artifact alongside the image
Verification flow
- During skillctl pull or skillctl install, optionally verify signature
- Check signature against Rekor transparency log (keyless) or provided public key
- Reject or warn on unsigned/invalid skills
Integration with Red Hat Trusted Artifact Signer (RHTAS)
- Fulcio for short-lived certificates (keyless signing)
- Rekor for transparency log
- TUF for root of trust distribution
- Compatible with enterprise Sigstore deployments
Implementation plan
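Phase 1: Core signing and verification
- sigstore-go/cosign dependencies
- pkg/verify/ — verify signatures on skill images
- skillctl verify command
- skillctl sign command (key-pair mode)
Phase 2: Keyless and policy
- --verify flag on skillctl pull and skillctl install
Phase 3: Enterprise (RHTAS)
- promote lifecycle (auto-sign on publish)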
References
- Existing design: docs/design/2026-04-15-oci-skill-registry-design.md (lines 757–961)
- Implementation spec: docs/design/2026-04-16-implementation-spec.md (deferred to phase 2+)
- Sigstore
- Red Hat Trusted Artifact Signer