Getting Started
SourceSeal provides blockchain-backed attestations for software supply chain security. This guide walks you through installing the CLI and creating your first signed attestation.
Prerequisites
- Go 1.22+ — Required to install and build SourceSeal. Download from go.dev/dl.
- A running SourceSeal API server — In development mode, no external services are required. See the Deployment Guide for production setup.
Installation
Install the SourceSeal CLI using go install:
go install github.com/sourceseal/sourceseal/cmd/sourceseal@latest
Alternatively, clone the repository and build from source:
git clone https://github.com/sourceseal/sourceseal.git
cd sourceseal
make build
# Binaries are placed in ./bin/
ls bin/
# sourceseal (CLI)
# sourceseal-server (API server)
First Steps
1. Initialize SourceSeal
The init command generates an Ed25519 key pair and creates a configuration file at ~/.sourceseal/.
sourceseal init
This creates:
- An Ed25519 private/public key pair for signing
- A config.json pointing to http://localhost:8080
2. Sign an Artifact
Create a cryptographic attestation for any software artifact. SourceSeal computes a SHA-256 hash, signs it with your Ed25519 key, and submits the attestation to the API server for blockchain anchoring.
sourceseal sign mypackage.tgz
You can override the automatically detected ecosystem or use a specific key:
sourceseal sign mypackage.tgz --ecosystem npm --key ~/.sourceseal/keys/mykey.key
3. Verify an Artifact
Verify that an artifact matches a blockchain-anchored attestation. This confirms the artifact has not been tampered with since signing.
sourceseal verify mypackage.tgz
For offline verification against a local attestation file:
sourceseal verify mypackage.tgz --offline --attestation attestation.json
Next Steps
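To make the sign and verify steps above concrete, here is an added Go example (not SourceSeal's own code, and not its real attestation format) that walks the same flow end to end: hash the artifact with SHA-256, sign with an Ed25519 key, emit an attestation record, and verify it offline. The Attestation field names, the decision to bind the artifact name and ecosystem into the signed payload, and the sample artifact bytes are all assumptions of this example; the real CLI's attestation.json layout is documented in the CLI and API References.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Attestation is an assumed, simplified record for this example. SourceSeal's real
// attestation format is defined by the project; these field names are illustrative.
type Attestation struct {
	Artifact  string `json:"artifact"`
	Ecosystem string `json:"ecosystem"`
	SHA256    string `json:"sha256"`     // hex SHA-256 of the artifact bytes
	PublicKey string `json:"public_key"` // hex Ed25519 public key (32 bytes)
	Signature string `json:"signature"`  // hex Ed25519 signature (64 bytes)
}

var (
	ErrHashMismatch = errors.New("artifact hash does not match attestation")
	ErrBadSignature = errors.New("attestation signature is invalid")
	ErrMalformed    = errors.New("attestation is malformed")
)

// DigestHex returns the hex-encoded SHA-256 of the artifact contents.
func DigestHex(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// signedPayload is the byte string the Ed25519 signature covers. Binding the
// artifact name and ecosystem alongside the digest (an assumption of this
// example) stops a valid signature from being reused under a different name.
func signedPayload(artifact, ecosystem, digest string) []byte {
	return []byte(artifact + "\n" + ecosystem + "\n" + digest)
}

// Sign hashes the artifact and signs the digest (plus metadata) with the private key.
func Sign(artifact, ecosystem string, content []byte, priv ed25519.PrivateKey) (Attestation, error) {
	if len(priv) != ed25519.PrivateKeySize {
		return Attestation{}, errors.New("invalid Ed25519 private key length")
	}
	digest := DigestHex(content)
	sig := ed25519.Sign(priv, signedPayload(artifact, ecosystem, digest))
	pub := priv.Public().(ed25519.PublicKey)
	return Attestation{
		Artifact:  artifact,
		Ecosystem: ecosystem,
		SHA256:    digest,
		PublicKey: hex.EncodeToString(pub),
		Signature: hex.EncodeToString(sig),
	}, nil
}

// VerifyOffline re-hashes the artifact and checks both the digest and the
// signature, so a tampered artifact and a tampered attestation are both rejected.
func VerifyOffline(artifact string, content []byte, att Attestation) error {
	if att.Artifact != artifact {
		return fmt.Errorf("%w: attestation is for %q, not %q", ErrMalformed, att.Artifact, artifact)
	}
	if DigestHex(content) != att.SHA256 {
		return ErrHashMismatch
	}
	pub, err := hex.DecodeString(att.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("%w: bad public key", ErrMalformed)
	}
	sig, err := hex.DecodeString(att.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("%w: bad signature encoding", ErrMalformed)
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), signedPayload(att.Artifact, att.Ecosystem, att.SHA256), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the key created by `sourceseal init`
	if err != nil {
		panic(err)
	}
	content := []byte("constructed sample artifact bytes") // constructed stand-in for mypackage.tgz
	att, err := Sign("mypackage.tgz", "npm", content, priv)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(att, "", "  ")
	fmt.Println(string(out)) // roughly what an attestation file could contain (assumed layout)
	fmt.Println("verify original:", VerifyOffline("mypackage.tgz", content, att))
	tampered := append(append([]byte{}, content...), '!')
	fmt.Println("verify tampered:", VerifyOffline("mypackage.tgz", tampered, att))
}
```

The verifier checks the digest first and then the signature; an attacker who rewrites the sha256 field to match a modified artifact still fails, because the signature covers that field, and the public-key and signature length checks keep malformed input from reaching ed25519.Verify. In the real tool the anchoring step binds the attestation to the blockchain as well, which this offline example does not model.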
- CLI Reference — Full command documentation with all flags and examples
- API Reference — REST API endpoints for attestation management
- Architecture — How the system components fit together
- Security Model — Cryptographic design and threat model