Meld fuses. Loom weaves. Synth transpiles. Kiln fires. Sigil seals.
The cryptographic backbone of the PulseEngine pipeline. Sigil signs WebAssembly modules with embedded signatures that can be verified completely offline — perfect for embedded systems, edge devices, and air-gapped environments. Every pipeline stage (fusion, optimization, transpilation) creates a signed transformation attestation recording what changed, which tool version ran, and cryptographic hashes of inputs and outputs.
Built on the WebAssembly modules signatures proposal and extended with Sigstore keyless signing, SLSA policy enforcement, and hardware security via TPM 2.0. All signatures are embedded directly in WebAssembly modules — no external registry required.
```bash
# Install with cargo
cargo install wsc-cli

# Or build from source
git clone https://github.com/pulseengine/sigil.git
cd sigil
cargo build --release
```

```bash
# Sign in GitHub Actions (or any OIDC-enabled CI)
sigil sign --keyless -i module.wasm -o signed.wasm

# Verify offline — no network required
sigil verify --keyless -i signed.wasm

# With identity constraints
sigil verify --keyless -i signed.wasm \
  --cert-identity "user@example.com" \
  --cert-oidc-issuer "https://token.actions.githubusercontent.com"
```

```bash
# Generate key pair
sigil keygen -k secret.key -K public.key

# Sign
sigil sign -k secret.key -i module.wasm -o signed.wasm

# Verify
sigil verify -K public.key -i signed.wasm
```

- Offline-First Verification — Embedded signatures survive distribution; no network required at runtime
- Keyless Signing — Full Sigstore/Fulcio/Rekor integration with OIDC authentication (GitHub Actions, Google Cloud, GitLab CI)
- Keyless Verification — Verify Sigstore signatures offline with certificate chain and SET validation
- Enhanced Rekor Verification — Checkpoint-based verification with security hardening
- Bazel Integration — Full BUILD and MODULE.bazel support for hermetic builds
- WIT Component Model — Both library and CLI WebAssembly component builds
- OpenSSH Key Support — Works with Ed25519 SSH keys
- GitHub Integration — Verify using a GitHub user's SSH public keys
- Multiple Signatures — Compact representation for multi-signer workflows
| Scenario | Cosign/OCI | Sigil |
|---|---|---|
| IoT device with intermittent WiFi | Needs connectivity | Verify offline |
| Industrial controller | Requires registry access | Signature embedded |
| Edge CDN node | Registry latency | Local verification |
| Air-gapped network | Cannot verify | Works offline |
```bash
# Inspect a module
sigil show -i module.wasm

# Detach signature
sigil detach -i signed.wasm -o unsigned.wasm -S signature.bin

# Attach signature
sigil attach -i unsigned.wasm -o signed.wasm -S signature.bin

# Partial verification (specific custom sections)
sigil verify -K public.key -i signed.wasm --split "custom_section_regex"
```

Note: Cross-cutting verification — Rocq mechanized proofs, Kani bounded model checking, Z3 SMT verification, and Verus Rust verification are used across the PulseEngine toolchain. Sigil attestation chains bind it all together.
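To make partial verification concrete, here is an added example (not code from the Sigil project): a small Python walker over the WebAssembly binary section layout that lists a module's sections and hashes only the custom sections whose name matches a regex, which is the subset a `--split` verification would cover. The constructed sample module, its "signature" section name and contents, and the regex-matching rule are assumptions for illustration, not Sigil's real signature layout.

```python
import hashlib
import re

WASM_MAGIC = b"\0asm"

def read_uleb128(buf, pos):
    """Decode an unsigned LEB128 integer at buf[pos]; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def parse_sections(module):
    """Return [(section_id, custom_name_or_None, raw_section_bytes), ...]."""
    if module[:4] != WASM_MAGIC:
        raise ValueError("not a WebAssembly binary")
    pos, sections = 8, []  # skip magic (4 bytes) and version (4 bytes)
    while pos < len(module):
        start, sec_id = pos, module[pos]
        size, pos = read_uleb128(module, pos + 1)
        payload = module[pos:pos + size]
        if len(payload) != size:
            raise ValueError("truncated section")
        name = None
        if sec_id == 0:  # custom section: name (LEB128 length + UTF-8), then data
            name_len, off = read_uleb128(payload, 0)
            name = payload[off:off + name_len].decode("utf-8")
        pos += size
        sections.append((sec_id, name, module[start:pos]))
    return sections

def section_digests(module, custom_regex):
    """SHA-256 per custom section whose name matches custom_regex (assumed split-coverage rule)."""
    pattern = re.compile(custom_regex)
    return {name: hashlib.sha256(raw).hexdigest()
            for sec_id, name, raw in parse_sections(module)
            if sec_id == 0 and pattern.search(name)}

def custom_section(name, data):
    """Encode a custom section (id 0); sizes stay below 128 so one LEB128 byte suffices."""
    payload = bytes([len(name)]) + name.encode("utf-8") + data
    return b"\x00" + bytes([len(payload)]) + payload

# Constructed sample: header (version 1), an empty type section (id 1), then two custom sections.
# The "signature" section name and its contents are placeholders, not Sigil's real layout.
SAMPLE_MODULE = (WASM_MAGIC + b"\x01\x00\x00\x00" + b"\x01\x01\x00" + custom_section("producers", b"\x00")
                 + custom_section("signature", b"<placeholder signature bytes>"))
```

Because the digest covers only the matched sections, editing an unmatched custom section leaves the "signature" digest unchanged, which is exactly the trade-off a split verification accepts.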
- Checkpoint Implementation
- Security Audit
- Checkpoint Format
- Security Model
- Keyless Signing
- Testing Guide
Based on wasmsign2 by Frank Denis. MIT License — original wasmsign2 Copyright (c) 2024 Frank Denis.
MIT License — see LICENSE.
Part of PulseEngine — formally verified WebAssembly toolchain for safety-critical systems