EVIDENCE TRAIL
Sigstore signing
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The upstream documents mandate "cryptographically signed and immutable" audit logs (OWASP T&M v1.1 §T8) and "digitally signed artifacts" for supply-chain integrity (§T17); Sigstore is Helmwart's named implementation of those requirements.
Last cross-checked against upstream sources: · 8 sources
References
Each entry shows what the source supports and what it does not prove.
OWASP Agentic AI — Threats & Mitigations v1.1
§T17 Supply Chain Compromise — Mitigation (threat summary table)
"Secure agent ecosystems by digitally signing artifacts, use verifiable SBOMs (AIBOMs, Agent SBOMs), and apply version control with peer review. Enforce strong authentication across the supply chains, restrict untrusted tool installations, and run agents in sandboxed, isolated environments."
Supports: Verbatim mandate to "digitally sign artifacts" as the primary supply-chain countermeasure for T17. Directly names the class of control this mitigation implements.
Does not prove: Does not name Sigstore, Cosign, Rekor, or Fulcio. The signing mechanism is left to the implementer.
OWASP Agentic AI — Threats & Mitigations v1.1
§T8 Repudiation & Untraceability — Mitigation (threat summary table)
"Implement comprehensive logging, cryptographic verification, enriched metadata, and real-time monitoring to ensure accountability and traceability. Require AI-generated logs to be cryptographically signed and immutable for regulatory compliance."
Supports: Verbatim requirement for logs to be "cryptographically signed and immutable" — the exact property Sigstore's keyless signing + Rekor append-only log provides for audit batches.
Does not prove: Does not specify a signing infrastructure; Sigstore is Helmwart's chosen implementation of this requirement, not the document's own recommendation.
OWASP Agentic AI — Threats & Mitigations v1.1
§Playbook 1: Preventing AI Agent Reasoning Manipulation — Step 1 (Proactive), bullet under "Reduce attack surface & Implement Agent behavior profiling"
"Enforce cryptographic logging and immutable audit trails to prevent log tampering."
Supports: Repeats the cryptographic-logging requirement in playbook context, pairing tamper-evidence with an explicit anti-tampering rationale. Corroborates the T8 table entry above.
Does not prove: Playbook 1 is scoped to reasoning manipulation and goal integrity; the audit-log signing recommendation is present but not the primary focus of this playbook.
OWASP Top 10 for Agentic Applications 2026
§ASI04 Agentic Supply Chain Vulnerabilities — Prevention and Mitigation Guidelines, item 1
"Provenance and SBOMs, AIBOMs: Sign and attest manifests, prompts, and tool definitions; require and operationalize SBOMs, AIBOMs with periodic attestations; maintain inventory of AI components; use curated registries and block untrusted sources."
Supports: Names signing of "manifests, prompts, and tool definitions" with attestation as the first mitigation for agentic supply-chain vulnerabilities — the precise artifact types Sigstore's cosign sign-blob and cosign attest commands address.
Does not prove: Does not name Sigstore specifically. Covers a broader class of SBOMs and AIBOMs that Sigstore alone does not fully address.
Sigstore — Official Documentation
sigstore.dev/about/overview — "Keyless signing" section
"After the client signs the artifact, the artifact's digest, signature and certificate are persisted in a transparency log: an immutable, append-only ledger known as Rekor."
Supports: Primary upstream definition of the Sigstore signing flow. Confirms the append-only immutability property that underlies the tamper-evidence claim for audit logs.
Does not prove: Vendor documentation. Does not constitute independent security validation; the OSTIF/Include Security assessment (2022) is the independent verification source.
Rekor — Transparency Log Overview
docs.sigstore.dev/logging/overview — overview section
"Rekor aims to provide an immutable, tamper-resistant ledger of metadata generated within a software project's supply chain. Auditors can monitor the log for consistency, meaning that the log remains append-only and entries are never mutated or removed."
Supports: Verbatim description of Rekor's append-only, tamper-resistant properties. Directly underpins the T8 claim that Sigstore-signed audit entries are detectable if tampered with or deleted.
Does not prove: Does not address AI-specific threats or agentic workloads. The extension to agent audit logs is Helmwart's application of the general mechanism.
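The two Sigstore entries above describe a flow (digest, signature and certificate persisted in Rekor) and a property (an append-only Merkle-tree log that monitors can check for consistency, so a rewritten or deleted entry is detectable). The following is an added illustration, not Sigstore or Rekor code and not from this evidence trail's sources: a toy log using RFC 6962 leaf/node hashing, with inclusion proofs verified against a tree head a monitor saved earlier. Entry fields, identities and signatures are constructed placeholders; the signing step itself is not modelled.

```python
"""Toy append-only transparency log in the style of Rekor (RFC 6962 hashing).
Constructed example, not Sigstore code; signatures are opaque placeholders."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Tuple

LEAF_PREFIX = b"\x00"  # RFC 6962 domain separation: leaf vs interior node
NODE_PREFIX = b"\x01"


@dataclass(frozen=True)
class LogEntry:
    artifact_digest: str  # sha256 hex of the signed artifact
    signature: str        # signature over the digest (opaque in this model)
    cert_identity: str    # identity bound by the short-lived signing certificate

    def canonical(self) -> bytes:
        # Canonical JSON so every party hashes identical bytes.
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":")).encode()


def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: List[bytes]) -> bytes:
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return hash_node(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, str]]:
    """Sibling hashes from leaf to root; the side tag says where the sibling sits."""
    if len(leaves) <= 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [(merkle_root(leaves[k:]), "R")]
    return inclusion_proof(leaves[k:], index - k) + [(merkle_root(leaves[:k]), "L")]


def verify_inclusion(leaf_hash: bytes, proof: List[Tuple[bytes, str]], root: bytes) -> bool:
    h = leaf_hash
    for sibling, side in proof:
        h = hash_node(h, sibling) if side == "R" else hash_node(sibling, h)
    return h == root


class TransparencyLog:
    def __init__(self) -> None:
        self.entries: List[LogEntry] = []
        self.leaves: List[bytes] = []

    def append(self, entry: LogEntry) -> int:
        self.entries.append(entry)
        self.leaves.append(hash_leaf(entry.canonical()))
        return len(self.leaves) - 1

    def root(self) -> bytes:
        return merkle_root(self.leaves)

    def proof(self, index: int) -> Tuple[LogEntry, List[Tuple[bytes, str]]]:
        return self.entries[index], inclusion_proof(self.leaves, index)


def demo() -> dict:
    log = TransparencyLog()
    for i in range(5):  # constructed sample entries
        log.append(LogEntry(hashlib.sha256(f"audit-batch-{i}".encode()).hexdigest(),
                            f"sig-{i}", "agent-pipeline@example.com"))
    published_root = log.root()  # tree head a monitor recorded at this log size
    entry, proof = log.proof(1)
    valid = verify_inclusion(hash_leaf(entry.canonical()), proof, published_root)

    # Operator rewrites entry 1 in place: the stored proof no longer reaches the root.
    rewritten = LogEntry(entry.artifact_digest, "forged-sig", entry.cert_identity)
    rewrite_ok = verify_inclusion(hash_leaf(rewritten.canonical()), proof, published_root)

    # Operator deletes entry 3: the tree head changes, so the saved root mismatches.
    del log.entries[3], log.leaves[3]
    return {"valid": valid, "rewrite_detected": not rewrite_ok,
            "deletion_detected": log.root() != published_root}
```

The monitor's only state is the tree head it saved; any later rewrite or removal of an entry changes the hashes on the path to the root, which is what makes the log tamper-evident rather than merely tamper-resistant.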
GitHub Security Blog — "Introducing npm package provenance"
"npm package provenance" blog post — "The problem" and "Implementation" sections
"trust in the source code does not translate into trust in the published package … you must have visibility into the process by which the source was translated into the published artifact … the provenance attestation is uploaded to Sigstore's Rekor service. This public, tamper-evident transparency log makes it possible to detect if someone later attempts to modify the provenance."
Supports: Independent production evidence (at npm ecosystem scale) that Sigstore-backed provenance attestations provide "tamper-evident" guarantees detectable after the fact — the same property claimed for agent artifact signing.
Does not prove: Describes a package-registry use case, not an agentic AI pipeline. The applicability to agent-card or plugin signing is an extrapolation by Helmwart.
NIST AI 600-1 — Generative AI Profile (NIST AI RMF)
GOVERN 6.1 — "Policies and procedures are in place that address AI risks associated with third-party entities" — Action GV-6.1-005
"Implement a use-case based supplier risk assessment framework to evaluate and monitor third-party entities' performance and adherence to content provenance standards and technologies to detect anomalies and unauthorized changes."
Supports: Names "content provenance standards and technologies" as the audit instrument for third-party AI component risk, with anomaly detection as the monitoring goal. Establishes a normative basis for artifact provenance controls in AI deployments.
Does not prove: Does not name Sigstore or any specific signing mechanism. The GOVERN 6.1 actions are governance-level; they do not mandate keyless signing specifically.