Signed workflow artifacts

Signed workflow artifacts

A workflow artifact isn't just code. It's a self-contained, signed bundle that proves what it is, what it does, and who built it. Customers can verify the signature themselves; the runtime does it automatically.

What gets signed

The runtime signs the entire artifact at build time: the manifest, the workflow contents, and any bundled dependencies. The signature covers the artifact's contents, so modifying anything — even a comment — invalidates it.

Signing keys

You can use our hosted signing service (keys managed by us, audit logs available to you), or you can manage your own keys. Either way, the private signing key never leaves the issuer. Customers get the public key, which they use to verify.

Rotation

Keys have a default rotation policy of 90 days. You can configure shorter or longer. Old signatures remain verifiable against old keys, so customers aren't forced to update packages just because keys rotated.

Verification at runtime

Every time a workflow artifact is loaded, the runtime verifies its signature against a configured trust store. If verification fails, the workflow doesn't run. If the artifact's contents don't match the signature, the workflow doesn't run. There's no skip verification flag.

Customer audit

Customers can run opscotch verify ./my-package.ops to confirm an artifact is signed by the keys they trust. The output is human-readable and machine-parseable, suitable for including in audit logs or compliance reports.

The result: workflows you ship can be verified, audited, and trusted by both you and your customers. If the artifact has been tampered with, the runtime refuses to run it — and so do your customers.

Want to see how this works for your workflow?

Talk to an engineerTry the extended trial