sigstore-a2a

Keyless signing library for A2A Agent Cards using Sigstore and SLSA provenance.

Overview

sigstore-a2a provides cryptographic signing and verification for A2A (Agent-to-Agent) Protocol Agent Cards using Sigstore's keyless signing infrastructure.

Key Features

  • Keyless Signing: No need to manage private keys - uses Sigstore's OIDC-based signing
  • SLSA Provenance: Optional build provenance attestations for supply chain security
  • CI/CD Integration: Works seamlessly with GitHub Actions, GitLab CI, and other CI systems
  • Verification: Cryptographic verification of Agent Card signatures with identity constraints

Quick Example

Signing an Agent Card

from sigstore_a2a import AgentCardSigner

# Keyless signing: the signer obtains a short-lived certificate through an OIDC
# login (interactive, or ambient credentials in CI) instead of a stored private key.
signer = AgentCardSigner()
signed_card = signer.sign_agent_card("agent-card.json")

Verifying a Signed Agent Card

from sigstore_a2a import AgentCardVerifier

# Pin the expected signer identity and the OIDC issuer that vouched for it.
# A signature from any other identity is rejected even if it is cryptographically valid.
verifier = AgentCardVerifier(
    identity="user@example.com",
    oidc_issuer="https://accounts.google.com"
)
result = verifier.verify_file("signed-agent-card.json")

if result.valid:
    print("Signature verified!")
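The identity constraints above are the step that turns "this signature is mathematically valid" into "this Agent Card comes from a signer I trust". The following is an added example that is not part of sigstore-a2a: it shows that policy step in isolation, with a constructed signed-card envelope whose `sigstore` field names are an assumption for the example (a real verifier takes the identity and issuer from the Fulcio certificate in the Sigstore bundle). It goes a little beyond the page by also pinning a GitHub Actions workflow identity to version tags, which is the usual shape of a CI release policy.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample of a signed Agent Card. The "sigstore" block and its field
# names are an assumption made for this example; a real verifier reads the
# signer identity and issuer from the Fulcio certificate inside the Sigstore bundle.
SIGNED_CARD_JSON = json.dumps({
    "agentCard": {"name": "demo-agent", "url": "https://agent.example.com/a2a"},
    "sigstore": {
        "certificateIdentity": "https://github.com/example-org/demo-agent/"
                               ".github/workflows/release.yml@refs/tags/v1.2.0",
        "oidcIssuer": "https://token.actions.githubusercontent.com",
    },
})


@dataclass(frozen=True)
class IdentityPolicy:
    """One trusted signer: an exact OIDC issuer plus an identity matcher."""
    issuer: str
    identity: str
    regex: bool = False  # False: exact string match; True: anchored regular expression

    def matches(self, cert_identity: str, cert_issuer: str) -> bool:
        # The issuer is always compared exactly. Two issuers can vouch for the
        # same-looking identity string, so the identity alone is not a trust decision.
        if cert_issuer != self.issuer:
            return False
        if self.regex:
            return re.fullmatch(self.identity, cert_identity) is not None
        return cert_identity == self.identity


@dataclass(frozen=True)
class Decision:
    valid: bool
    reason: str


def decide(signed_card_json: str, policies: list[IdentityPolicy]) -> Decision:
    """Apply the identity policy step that follows a successful signature check."""
    meta = json.loads(signed_card_json)["sigstore"]
    identity, issuer = meta["certificateIdentity"], meta["oidcIssuer"]
    for policy in policies:
        if policy.matches(identity, issuer):
            return Decision(True, f"accepted: {identity} via {issuer}")
    return Decision(False, f"rejected: {identity} via {issuer} matches no trusted signer")


def with_signer(signed_card_json: str, identity: str, issuer: str) -> str:
    """Return a copy of the sample envelope claiming a different signer (for experiments)."""
    envelope = json.loads(signed_card_json)
    envelope["sigstore"] = {"certificateIdentity": identity, "oidcIssuer": issuer}
    return json.dumps(envelope)


# Example policies (hypothetical organisation values).
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Only the release workflow of one repository, and only when run from a version tag:
# a branch run (refs/heads/...) of the same workflow file is not a release.
TAGGED_RELEASE = IdentityPolicy(
    issuer=GITHUB_ISSUER,
    identity=r"https://github\.com/example-org/demo-agent/\.github/workflows/"
             r"release\.yml@refs/tags/v\d+\.\d+\.\d+",
    regex=True,
)

# A named maintainer signing interactively; the e-mail is only trusted from this issuer.
MAINTAINER = IdentityPolicy(issuer="https://accounts.google.com", identity="user@example.com")

if __name__ == "__main__":
    print(decide(SIGNED_CARD_JSON, [TAGGED_RELEASE, MAINTAINER]).reason)
    branch_run = with_signer(
        SIGNED_CARD_JSON,
        "https://github.com/example-org/demo-agent/.github/workflows/release.yml@refs/heads/main",
        GITHUB_ISSUER,
    )
    print(decide(branch_run, [TAGGED_RELEASE, MAINTAINER]).reason)
```

The regex policy uses `re.fullmatch` deliberately: a search or prefix match would accept a workflow from a fork or a differently named ref that merely contains the expected string, which is the common mistake when people move from an exact e-mail identity to a CI identity.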

CLI Usage

# Sign an Agent Card
sigstore-a2a sign agent-card.json --output signed-card.json

# Verify a signed Agent Card
sigstore-a2a verify signed-card.json --identity-provider https://token.actions.githubusercontent.com

# Serve a signed Agent Card
sigstore-a2a serve signed-card.json --port 8080

Installation

pip install sigstore-a2a

Or with uv:

uv add sigstore-a2a

Next Steps