Releases: pulseengine/sigil

v0.7.0

28 Mar 08:35
v0.7.0
8d20949

🎉 wsc v0.7.0 Release

📦 Native CLI Binaries

Platform Binary TPM2 Support
Linux x86_64 wsc-linux-x86_64
Linux x86_64 wsc-linux-x86_64-tpm2
Linux aarch64 wsc-linux-aarch64
macOS x86_64 (Intel) wsc-macos-x86_64
macOS aarch64 (Apple Silicon) wsc-macos-aarch64
Windows x86_64 wsc-windows-x86_64.exe

📦 WebAssembly Components

Component Library (WIT Interface):

  • wsc-component.wasm - WebAssembly component with WIT bindings
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:v0.7.0

CLI Tool (WASI Binary):

  • wsc-cli.wasm - WASI command-line tool for Wasmtime
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:v0.7.0-cli

🔐 Security Features

  • WASM Module Signing - Signed with wsc keyless signing (dogfooding!)
  • OCI Artifact Signing - Signed with Cosign using GitHub OIDC (keyless)
  • SLSA Provenance - Build attestation included
  • SHA256 Checksums - For download verification

Keyless Signing:

  • Identity: GitHub Actions OIDC
  • Certificate: Short-lived from Fulcio (Sigstore)
  • Transparency: Logged in Rekor

🚀 Quick Start

# Download native CLI for your platform
TAG=v0.7.0

# Linux x86_64
curl -LO https://github.com/pulseengine/sigil/releases/download/${TAG}/wsc-linux-x86_64
chmod +x wsc-linux-x86_64
./wsc-linux-x86_64 --version

# macOS Apple Silicon
curl -LO https://github.com/pulseengine/sigil/releases/download/${TAG}/wsc-macos-aarch64
chmod +x wsc-macos-aarch64
./wsc-macos-aarch64 --version

🔍 Verify Signatures

# Verify WASM module signature
wsc verify --keyless -i wsc-component.wasm

# Verify OCI artifact signature
cosign verify \
  --certificate-identity-regexp="https://github.com/pulseengine/sigil" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}
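
The identity pattern in the cosign command above has no ^ or $ anchors and its dots are unescaped, so it accepts any certificate identity that merely contains the repository URL. The following added example (not part of the release notes or the project's code) compares it with an anchored, escaped pattern. Assumptions: grep -E stands in for cosign's regexp matching, the sample identities are constructed, and the release.yml workflow path is carried over from the pulseengine/wsc commands shown for older releases.

```sh
#!/bin/sh
# Added example: loose vs. pinned certificate-identity patterns.

# Escape regex metacharacters so a literal URL can be embedded in a pattern.
ere_escape() {
  printf '%s' "$1" | sed 's/[][\.^$*+?(){}|]/\\&/g'
}

# Build ^<exact workflow identity>$ for one repo, workflow file and tag.
pinned_identity_regex() {
  repo=$1 workflow=$2 tag=$3
  printf '^%s$' "$(ere_escape "https://github.com/${repo}/.github/workflows/${workflow}@refs/tags/${tag}")"
}

# Exit 0 when the identity (certificate SAN) matches the pattern.
# The search is unanchored unless the pattern itself carries ^ and $.
san_matches() {
  printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Print "accept" or "reject" for a pattern/identity pair.
decision() {
  if san_matches "$1" "$2"; then echo accept; else echo reject; fi
}

# Pattern exactly as it appears in the release notes.
LOOSE='https://github.com/pulseengine/sigil'
# Pinned to one workflow file at one tag (workflow name is an assumption).
PINNED=$(pinned_identity_regex pulseengine/sigil release.yml v0.7.0)

# Constructed sample identities, not taken from real certificates.
GOOD='https://github.com/pulseengine/sigil/.github/workflows/release.yml@refs/tags/v0.7.0'
LOOKALIKE='https://github.com/pulseengine/sigil-mirror/.github/workflows/release.yml@refs/tags/v0.7.0'
BRANCH='https://github.com/pulseengine/sigil/.github/workflows/ci.yml@refs/heads/topic'

for san in "$GOOD" "$LOOKALIKE" "$BRANCH"; do
  printf 'loose=%-6s pinned=%-6s %s\n' \
    "$(decision "$LOOSE" "$san")" "$(decision "$PINNED" "$san")" "$san"
done

# The pinned pattern can be passed to cosign in place of the loose one:
#   cosign verify \
#     --certificate-identity-regexp="$PINNED" \
#     --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
#     ghcr.io/pulseengine/wsc:v0.7.0
# cosign also accepts --certificate-identity for an exact string match,
# which avoids regular expressions altogether.
```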

📚 Documentation

See README.md for full documentation.

v0.6.1

27 Mar 19:55
v0.6.1
3f44a08

🎉 wsc v0.6.1 Release

📦 Native CLI Binaries

Platform Binary TPM2 Support
Linux x86_64 wsc-linux-x86_64
Linux x86_64 wsc-linux-x86_64-tpm2
Linux aarch64 wsc-linux-aarch64
macOS x86_64 (Intel) wsc-macos-x86_64
macOS aarch64 (Apple Silicon) wsc-macos-aarch64
Windows x86_64 wsc-windows-x86_64.exe

📦 WebAssembly Components

Component Library (WIT Interface):

  • wsc-component.wasm - WebAssembly component with WIT bindings
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:v0.6.1

CLI Tool (WASI Binary):

  • wsc-cli.wasm - WASI command-line tool for Wasmtime
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:v0.6.1-cli

🔐 Security Features

  • WASM Module Signing - Signed with wsc keyless signing (dogfooding!)
  • OCI Artifact Signing - Signed with Cosign using GitHub OIDC (keyless)
  • SLSA Provenance - Build attestation included
  • SHA256 Checksums - For download verification

Keyless Signing:

  • Identity: GitHub Actions OIDC
  • Certificate: Short-lived from Fulcio (Sigstore)
  • Transparency: Logged in Rekor

🚀 Quick Start

# Download native CLI for your platform
TAG=v0.6.1

# Linux x86_64
curl -LO https://github.com/pulseengine/sigil/releases/download/${TAG}/wsc-linux-x86_64
chmod +x wsc-linux-x86_64
./wsc-linux-x86_64 --version

# macOS Apple Silicon
curl -LO https://github.com/pulseengine/sigil/releases/download/${TAG}/wsc-macos-aarch64
chmod +x wsc-macos-aarch64
./wsc-macos-aarch64 --version

🔍 Verify Signatures

# Verify WASM module signature
wsc verify --keyless -i wsc-component.wasm

# Verify OCI artifact signature
cosign verify \
  --certificate-identity-regexp="https://github.com/pulseengine/sigil" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

📚 Documentation

See README.md for full documentation.

v0.6.0

23 Mar 05:17
v0.6.0
75f2cb6

What's Changed

  • fix: only publish crates on tag pushes by @avrabe in #43
  • docs: align README with PulseEngine visual identity by @avrabe in #44
  • docs: PulseEngine branding and terminology alignment by @avrabe in #45
  • fix: rotate Rekor TLS certificate pin by @avrabe in #51
  • feat: add Rivet STPA-Sec traceability and convert security docs by @avrabe in #50
  • fix: enforce fail-closed Rekor verification and close STPA-Sec coverage gaps by @avrabe in #52
  • feat: add OIDC issuer validation for keyless signing (UCA-12) by @avrabe in #53
  • fix: Phase 1 security hardening — sentinel constant, OIDC warnings, skip_rekor by @avrabe in #54
  • feat: add ELF and MCUboot signing support with format abstraction (Phase 2) by @avrabe in #55
  • feat: add fuzz targets for ELF, MCUboot, and format detection (CV-15) by @avrabe in #56
  • feat: add Kani proof harnesses and formal verification strategy (19 proofs) by @avrabe in #57
  • feat: transcoding attestation protocol, Nix flake, SLSA L3 artifacts by @avrabe in #58
  • feat: build environment attestation for SLSA provenance by @avrabe in #59
  • feat: cosign delegation and Rekor proof caching (Phase 3.1 + 4.1) by @avrabe in #60
  • feat: Verus formal proofs, PQC module, rules_verus integration by @avrabe in #61
  • feat: OCI referrers, Sigstore bundle, Lean4 proofs, CI hardening by @avrabe in #62
  • feat: fill Verus/Lean proofs and wire proof cache into verifier by @avrabe in #63
  • ci: make Kani bounded model checking a required check by @avrabe in #64
  • fix: target Kani proofs to wsc package with bounded unwind by @avrabe in #65
  • feat: SCT monitoring, checkpoint consistency, fix rivet validation by @avrabe in #66
  • chore: release v0.6.0 by @avrabe in #67
  • feat: compliance report in release pipeline by @avrabe in #68

Full Changelog: v0.5.1...v0.6.0

wsc v0.5.1

01 Feb 07:06
8d43305

🎉 wsc v0.5.1 Release

📦 Native CLI Binaries

Platform Binary TPM2 Support
Linux x86_64 wsc-linux-x86_64
Linux x86_64 wsc-linux-x86_64-tpm2
Linux aarch64 wsc-linux-aarch64
macOS x86_64 (Intel) wsc-macos-x86_64
macOS aarch64 (Apple Silicon) wsc-macos-aarch64
Windows x86_64 wsc-windows-x86_64.exe

📦 Rust Crates

Available on crates.io:

  • wsc-attestation v0.5.1
  • wsc v0.5.1
  • wsc-cli v0.5.1

✨ What's New

This release includes comprehensive cross-platform native CLI builds:

  • 6 platform targets with pre-built binaries
  • TPM2 hardware security support on Linux
  • Keyless signing via Sigstore/Fulcio
  • Rekor transparency log integration
  • Certificate pinning with shared TLS config

v0.4.1 - wsc-attestation crate

08 Jan 17:59
v0.4.1
1f0721d

🎉 wsc WebAssembly Components Release

📦 What's Included

Component Library (WIT Interface):

  • wsc-component.wasm - WebAssembly component library with WIT bindings
  • wsc-component.wasm.sha256 - SHA256 checksum
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:v0.4.1

CLI Tool (WASI Binary):

  • wsc-cli.wasm - WASI command-line tool for Wasmtime
  • wsc-cli.wasm.sha256 - SHA256 checksum
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:v0.4.1-cli

🔐 Security Features

  • WASM Module Signing - Signed with wsc keyless signing (dogfooding!)
  • OCI Artifact Signing - Signed with Cosign using GitHub OIDC (keyless)
  • SLSA Provenance - Build attestation included
  • SHA256 Checksums - For download verification

wsc Keyless Signing:

  • Identity: GitHub Actions OIDC
  • Certificate: Short-lived from Fulcio (Sigstore)
  • Transparency: Logged in Rekor transparency log

🚀 Usage

Download WASM Component

# Download and verify checksum
TAG=v0.4.1
wget https://github.com/pulseengine/wsc/releases/download/${TAG}/wsc.wasm
wget https://github.com/pulseengine/wsc/releases/download/${TAG}/wsc.wasm.sha256
sha256sum -c wsc.wasm.sha256

Pull Signed OCI Artifact

TAG=v0.4.1

# Pull the signed OCI artifact with oras
oras pull ghcr.io/pulseengine/wsc:${TAG}

# Verify signature with Cosign
cosign verify \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

# Verify SLSA provenance
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

🔍 Verification

Verify WASM Module Signature (wsc)

# Verify keyless signature (offline - no network required!)
wsc verify --keyless \
  --cert-identity "https://github.com/pulseengine/wsc/.github/workflows/release.yml@refs/tags/${TAG}" \
  --cert-oidc-issuer "https://token.actions.githubusercontent.com" \
  -i wsc-component.wasm

# Or verify without identity constraints
wsc verify --keyless -i wsc-component.wasm

Verify OCI Artifact Signature (Cosign)

TAG=v0.4.1

# Verify Cosign signature
cosign verify \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

# Verify SLSA provenance
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

All releases are:

  • Built in GitHub Actions with full transparency
  • Signed with wsc keyless signing (WASM modules)
  • Signed with Cosign using keyless signing (OCI artifacts)
  • Attested with SLSA provenance
  • Checksummed with SHA256

📚 Documentation

See README.md for usage details.

v0.4.0

02 Jan 16:13
21155c0

🎉 wsc WebAssembly Components Release

📦 What's Included

Component Library (WIT Interface):

  • wsc-component.wasm - WebAssembly component library with WIT bindings
  • wsc-component.wasm.sha256 - SHA256 checksum
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:v0.4.0

CLI Tool (WASI Binary):

  • wsc-cli.wasm - WASI command-line tool for Wasmtime
  • wsc-cli.wasm.sha256 - SHA256 checksum
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:v0.4.0-cli

🔐 Security Features

  • WASM Module Signing - Signed with wsc keyless signing (dogfooding!)
  • OCI Artifact Signing - Signed with Cosign using GitHub OIDC (keyless)
  • SLSA Provenance - Build attestation included
  • SHA256 Checksums - For download verification

wsc Keyless Signing:

  • Identity: GitHub Actions OIDC
  • Certificate: Short-lived from Fulcio (Sigstore)
  • Transparency: Logged in Rekor transparency log

🚀 Usage

Download WASM Component

# Download and verify checksum
TAG=v0.4.0
wget https://github.com/pulseengine/wsc/releases/download/${TAG}/wsc.wasm
wget https://github.com/pulseengine/wsc/releases/download/${TAG}/wsc.wasm.sha256
sha256sum -c wsc.wasm.sha256

Pull Signed OCI Artifact

TAG=v0.4.0

# Pull the signed OCI artifact with oras
oras pull ghcr.io/pulseengine/wsc:${TAG}

# Verify signature with Cosign
cosign verify \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

# Verify SLSA provenance
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

🔍 Verification

Verify WASM Module Signature (wsc)

# Verify keyless signature (offline - no network required!)
wsc verify --keyless \
  --cert-identity "https://github.com/pulseengine/wsc/.github/workflows/release.yml@refs/tags/${TAG}" \
  --cert-oidc-issuer "https://token.actions.githubusercontent.com" \
  -i wsc-component.wasm

# Or verify without identity constraints
wsc verify --keyless -i wsc-component.wasm

Verify OCI Artifact Signature (Cosign)

TAG=v0.4.0

# Verify Cosign signature
cosign verify \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

# Verify SLSA provenance
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

All releases are:

  • Built in GitHub Actions with full transparency
  • Signed with wsc keyless signing (WASM modules)
  • Signed with Cosign using keyless signing (OCI artifacts)
  • Attested with SLSA provenance
  • Checksummed with SHA256

📚 Documentation

See README.md for usage details.

v0.3.1

01 Jan 05:47

🎉 wsc WebAssembly Components Release

📦 What's Included

Component Library (WIT Interface):

  • wsc-component.wasm - WebAssembly component library with WIT bindings
  • wsc-component.wasm.sha256 - SHA256 checksum
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:

CLI Tool (WASI Binary):

  • wsc-cli.wasm - WASI command-line tool for Wasmtime
  • wsc-cli.wasm.sha256 - SHA256 checksum
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:-cli

🔐 Security Features

  • WASM Module Signing - Signed with wsc keyless signing (dogfooding!)
  • OCI Artifact Signing - Signed with Cosign using GitHub OIDC (keyless)
  • SLSA Provenance - Build attestation included
  • SHA256 Checksums - For download verification

wsc Keyless Signing:

  • Identity: GitHub Actions OIDC
  • Certificate: Short-lived from Fulcio (Sigstore)
  • Transparency: Logged in Rekor transparency log

🚀 Usage

Download WASM Component

# Download and verify checksum
TAG=
wget https://github.com/pulseengine/wsc/releases/download/${TAG}/wsc.wasm
wget https://github.com/pulseengine/wsc/releases/download/${TAG}/wsc.wasm.sha256
sha256sum -c wsc.wasm.sha256

Pull Signed OCI Artifact

TAG=

# Pull the signed OCI artifact with oras
oras pull ghcr.io/pulseengine/wsc:${TAG}

# Verify signature with Cosign
cosign verify \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

# Verify SLSA provenance
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

🔍 Verification

Verify WASM Module Signature (wsc)

# Verify keyless signature (offline - no network required!)
wsc verify --keyless \
  --cert-identity "https://github.com/pulseengine/wsc/.github/workflows/release.yml@refs/tags/${TAG}" \
  --cert-oidc-issuer "https://token.actions.githubusercontent.com" \
  -i wsc-component.wasm

# Or verify without identity constraints
wsc verify --keyless -i wsc-component.wasm

Verify OCI Artifact Signature (Cosign)

TAG=

# Verify Cosign signature
cosign verify \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

# Verify SLSA provenance
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

All releases are:

  • Built in GitHub Actions with full transparency
  • Signed with wsc keyless signing (WASM modules)
  • Signed with Cosign using keyless signing (OCI artifacts)
  • Attested with SLSA provenance
  • Checksummed with SHA256

📚 Documentation

See README.md for usage details.

v0.3.0

31 Dec 20:13

🎉 wsc WebAssembly Components Release

📦 What's Included

Component Library (WIT Interface):

  • wsc-component.wasm - WebAssembly component library with WIT bindings
  • wsc-component.wasm.sha256 - SHA256 checksum
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:

CLI Tool (WASI Binary):

  • wsc-cli.wasm - WASI command-line tool for Wasmtime
  • wsc-cli.wasm.sha256 - SHA256 checksum
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:-cli

🔐 Security Features

  • WASM Module Signing - Signed with wsc keyless signing (dogfooding!)
  • OCI Artifact Signing - Signed with Cosign using GitHub OIDC (keyless)
  • SLSA Provenance - Build attestation included
  • SHA256 Checksums - For download verification

wsc Keyless Signing:

  • Identity: GitHub Actions OIDC
  • Certificate: Short-lived from Fulcio (Sigstore)
  • Transparency: Logged in Rekor transparency log

🚀 Usage

Download WASM Component

# Download and verify checksum
TAG=
wget https://github.com/pulseengine/wsc/releases/download/${TAG}/wsc.wasm
wget https://github.com/pulseengine/wsc/releases/download/${TAG}/wsc.wasm.sha256
sha256sum -c wsc.wasm.sha256

Pull Signed OCI Artifact

TAG=

# Pull the signed OCI artifact with oras
oras pull ghcr.io/pulseengine/wsc:${TAG}

# Verify signature with Cosign
cosign verify \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

# Verify SLSA provenance
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

🔍 Verification

Verify WASM Module Signature (wsc)

# Verify keyless signature (offline - no network required!)
wsc verify --keyless \
  --cert-identity "https://github.com/pulseengine/wsc/.github/workflows/release.yml@refs/tags/${TAG}" \
  --cert-oidc-issuer "https://token.actions.githubusercontent.com" \
  -i wsc-component.wasm

# Or verify without identity constraints
wsc verify --keyless -i wsc-component.wasm

Verify OCI Artifact Signature (Cosign)

TAG=

# Verify Cosign signature
cosign verify \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

# Verify SLSA provenance
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

All releases are:

  • Built in GitHub Actions with full transparency
  • Signed with wsc keyless signing (WASM modules)
  • Signed with Cosign using keyless signing (OCI artifacts)
  • Attested with SLSA provenance
  • Checksummed with SHA256

📚 Documentation

See README.md for usage details.

v0.2.7-rc3

15 Nov 15:14

v0.2.7-rc3 Pre-release

🎉 wsc WebAssembly Components Release

📦 What's Included

Component Library (WIT Interface):

  • wsc-component.wasm - WebAssembly component library with WIT bindings
  • wsc-component.wasm.sha256 - SHA256 checksum
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:v0.2.7-rc3

CLI Tool (WASI Binary):

  • wsc-cli.wasm - WASI command-line tool for Wasmtime
  • wsc-cli.wasm.sha256 - SHA256 checksum
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:v0.2.7-rc3-cli

🔐 Security Features

  • WASM Module Signing - Signed with wsc keyless signing (dogfooding!)
  • OCI Artifact Signing - Signed with Cosign using GitHub OIDC (keyless)
  • SLSA Provenance - Build attestation included
  • SHA256 Checksums - For download verification

wsc Keyless Signing:

  • Identity: GitHub Actions OIDC
  • Certificate: Short-lived from Fulcio (Sigstore)
  • Transparency: Logged in Rekor transparency log

🚀 Usage

Download WASM Component

# Download and verify checksum
TAG=v0.2.7-rc3
wget https://github.com/pulseengine/wsc/releases/download/${TAG}/wsc.wasm
wget https://github.com/pulseengine/wsc/releases/download/${TAG}/wsc.wasm.sha256
sha256sum -c wsc.wasm.sha256

Pull Signed OCI Artifact

TAG=v0.2.7-rc3

# Pull the signed OCI artifact with oras
oras pull ghcr.io/pulseengine/wsc:${TAG}

# Verify signature with Cosign
cosign verify \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

# Verify SLSA provenance
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

🔍 Verification

Verify WASM Module Signature (wsc)

# Download a release (once wsc verification is implemented)
# wsc verify --keyless \
#   --identity "https://github.com/pulseengine/wsc" \
#   --issuer "https://token.actions.githubusercontent.com" \
#   --input-file wsc-component.wasm

# For now, signatures are embedded but verification is pending implementation

Verify OCI Artifact Signature (Cosign)

TAG=v0.2.7-rc3

# Verify Cosign signature
cosign verify \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

# Verify SLSA provenance
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

All releases are:

  • Built in GitHub Actions with full transparency
  • Signed with wsc keyless signing (WASM modules)
  • Signed with Cosign using keyless signing (OCI artifacts)
  • Attested with SLSA provenance
  • Checksummed with SHA256

📚 Documentation

See README.md for usage details.

v0.2.7-rc.1

11 Nov 06:06

v0.2.7-rc.1 Pre-release

🎉 wsc WebAssembly Components Release

📦 What's Included

Component Library (WIT Interface):

  • wsc-component.wasm - WebAssembly component library with WIT bindings
  • wsc-component.wasm.sha256 - SHA256 checksum
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:

CLI Tool (WASI Binary):

  • wsc-cli.wasm - WASI command-line tool for Wasmtime
  • wsc-cli.wasm.sha256 - SHA256 checksum
  • Signed OCI artifact: ghcr.io/pulseengine/wsc:-cli

🔐 Security Features

  • WASM Module Signing - Signed with wsc keyless signing (dogfooding!)
  • OCI Artifact Signing - Signed with Cosign using GitHub OIDC (keyless)
  • SLSA Provenance - Build attestation included
  • SHA256 Checksums - For download verification

wsc Keyless Signing:

  • Identity: GitHub Actions OIDC
  • Certificate: Short-lived from Fulcio (Sigstore)
  • Transparency: Logged in Rekor transparency log

🚀 Usage

Download WASM Component

# Download and verify checksum
TAG=
wget https://github.com/pulseengine/wsc/releases/download/${TAG}/wsc.wasm
wget https://github.com/pulseengine/wsc/releases/download/${TAG}/wsc.wasm.sha256
sha256sum -c wsc.wasm.sha256

Pull Signed OCI Artifact

TAG=

# Pull the signed OCI artifact with oras
oras pull ghcr.io/pulseengine/wsc:${TAG}

# Verify signature with Cosign
cosign verify \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

# Verify SLSA provenance
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

🔍 Verification

Verify WASM Module Signature (wsc)

# Download a release (once wsc verification is implemented)
# wsc verify --keyless \
#   --identity "https://github.com/pulseengine/wsc" \
#   --issuer "https://token.actions.githubusercontent.com" \
#   --input-file wsc-component.wasm

# For now, signatures are embedded but verification is pending implementation

Verify OCI Artifact Signature (Cosign)

TAG=

# Verify Cosign signature
cosign verify \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

# Verify SLSA provenance
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp="https://github.com/pulseengine/wsc" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/pulseengine/wsc:${TAG}

All releases are:

  • Built in GitHub Actions with full transparency
  • Signed with wsc keyless signing (WASM modules)
  • Signed with Cosign using keyless signing (OCI artifacts)
  • Attested with SLSA provenance
  • Checksummed with SHA256

📚 Documentation

See README.md for usage details.