auths
Cryptographic identity for developers. One command to set up, Git-native storage, no central server.
Getting Started (10 seconds)
That's it. auths init generates keys, creates your identity, and configures Git signing.
Link another device
The Basics
auths sign — Sign a commit or artifact
auths verify — Verify signatures
auths status — See your identity at a glance
auths whoami — Show the current identity
auths doctor — Health checks
# Exit code 0 = all checks pass, 1 = something needs attention
auths tutorial — Interactive walkthrough
Artifact Signing
Sign, verify, and publish arbitrary files — binaries, packages, container images — with the same identity used for commits.
Sign an artifact
Verify an artifact
Batch sign multiple artifacts
Publish an attestation to a registry
The auths sign shorthand also supports artifact files — if the target is a file on disk, it signs the artifact instead of a commit:
Advanced Commands
Run auths --help-all to see the full command list:
| Group | What it does |
|---|---|
id |
Create, rotate, export, and register identities |
device |
Link, revoke, and manage device authorizations |
key |
List, import, export, and delete keys |
approval |
Manage approval workflows |
artifact |
Sign, verify, and publish arbitrary files |
policy |
Lint, compile, test, and diff authorization policies |
git |
Generate allowed-signers files, install hooks |
trust |
Pin identity-to-key bindings (TOFU) |
org |
Manage organizations, members, and attestations |
audit |
Generate signing audit reports |
agent |
Start/stop the SSH agent daemon |
witness |
Run or manage KERI witness servers |
scim |
SCIM provisioning integration |
config |
View and modify configuration |
emergency |
Key compromise response (revoke, rotate, freeze) |
completions |
Generate shell completions |
Run auths <group> --help for details on any group.
CI Setup (GitHub Actions)
auths init --profile ci creates a fresh, run-scoped identity backed by an encrypted
file (default .auths-ci/keys.enc) — no platform keychain, no Touch ID. It prints a block of
AUTHS_* exports; set those at the job level so a later auths sign step in the same job can
load the key. The identity is ephemeral, so the passphrase can be any value as long as it's
consistent across the job's steps.
Signing commits in CI
name: Signed Commits
on:
jobs:
build:
runs-on: ubuntu-latest
env:
AUTHS_KEYCHAIN_BACKEND: file
AUTHS_KEYCHAIN_FILE: .auths-ci/keys.enc
AUTHS_REPO: .auths-ci
AUTHS_PASSPHRASE: ${{ secrets.AUTHS_PASSPHRASE }}
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- name: Install Auths
run: cargo install --path crates/auths-cli --force
- name: Set up Auths (CI profile)
run: auths init --profile ci --non-interactive
- name: Sign HEAD
run: auths sign HEAD
Verifying commit signatures in CI
name: Verify Commit Signatures
on:
jobs:
verify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: dtolnay/rust-toolchain@stable
- name: Install Auths
run: cargo install --path crates/auths-cli --force
- name: Verify commits on this PR
run: auths verify HEAD
Installation
This installs three binaries: auths, auths-sign, and auths-verify. Ensure ~/.cargo/bin is in your PATH.