DEV Community

Kalyan Tamarapalli

Posted on • Originally published at ktamarapalli.hashnode.dev

Wrapping Sigstore, in-toto, and SLSA: Where Modern Supply-Chain Security Still Fails

Why Provenance Without Intent Is Not Enough


Introduction: The Rise of Supply-Chain Frameworks

Sigstore, in-toto, and SLSA represent real progress in supply-chain security.

They provide:

  • Artifact signing
  • Provenance metadata
  • Policy enforcement
  • Reproducible build standards

These frameworks close many historical gaps.

But they share a common blind spot:

They authenticate artifacts and workflows.

They do not verify human intent.

This article examines where modern supply-chain frameworks stop — and why intent-verification must sit above them as a governance layer.


What These Frameworks Solve Well

Sigstore

  • Makes signing accessible
  • Eliminates long-lived keys
  • Anchors signatures in transparency logs

in-toto

  • Enforces workflow policy
  • Cryptographically links pipeline steps
  • Tracks who performed each stage

SLSA

  • Defines maturity levels
  • Enforces build isolation
  • Encourages reproducibility

These frameworks answer:

Did the pipeline follow policy?

They do not answer:

Did a human consciously approve this specific deployment right now?


The Shared Trust Domain Problem

All three frameworks perform signing and attestation within the same execution environment as the build.

This creates a shared trust domain.

Once that domain is compromised, the attacker can:

  • Sign malicious artifacts
  • Produce valid provenance
  • Satisfy policy checks

The pipeline verifies everything correctly.

And yet—

The trust model fails silently.


Provenance Without Intent

Provenance answers:

How was this artifact produced?

It does not answer:

Was this artifact intended by a human?

Attackers exploit this gap by injecting malicious behavior into otherwise policy-compliant workflows.

The pipeline remains compliant.

The outcome is malicious.


Why Intent Must Be a First-Class Primitive

High-risk actions — especially production deployments — require stronger guarantees than routine pipeline steps.

Intent-verification introduces:

  • Per-action human approval
  • Hardware-backed cryptographic proof
  • Physical separation of approval from execution

This creates a new layer:

Human-bound authorization, not just system-level validation
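
As an added illustration (not the author's code and not part of Sigstore, in-toto, or SLSA), the Go sketch below shows a deploy gate that accepts only an approval signed by a key held outside the pipeline and bound to one artifact digest, one environment, a short time window, and a single use. The names `Approval`, `Approve`, and `VerifyIntent`, the five-minute window, and the in-memory nonce set are assumptions; `Approve` stands in for a hardware-backed approval device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Approval is a hypothetical intent statement, signed on the approver's device.
type Approval struct {
	ArtifactSHA256, Environment, Nonce string
	IssuedAt                           int64 // Unix seconds
}
func digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Approve stands in for the approval device; a real key would stay in hardware.
func Approve(priv ed25519.PrivateKey, artifact []byte, env, nonce string, at time.Time) (payload, sig []byte) {
	payload, _ = json.Marshal(Approval{digest(artifact), env, nonce, at.Unix()})
	return payload, ed25519.Sign(priv, payload)
}

// VerifyIntent is the deploy gate, run outside the build's trust domain.
func VerifyIntent(pub ed25519.PublicKey, payload, sig, artifact []byte, env string, now time.Time, seen map[string]bool) error {
	var a Approval
	if !ed25519.Verify(pub, payload, sig) || json.Unmarshal(payload, &a) != nil {
		return errors.New("not a valid approval from the enrolled approver key")
	}
	age := now.Sub(time.Unix(a.IssuedAt, 0))
	switch {
	case a.ArtifactSHA256 != digest(artifact):
		return errors.New("approval is for a different artifact")
	case a.Environment != env:
		return errors.New("approval is for a different environment")
	case age < 0 || age > 5*time.Minute: // assumed freshness window
		return errors.New("approval is stale or post-dated")
	case seen[a.Nonce]:
		return errors.New("approval was already used")
	}
	seen[a.Nonce] = true // single use: one approval, one deployment
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	p, s := Approve(priv, []byte("constructed artifact"), "prod", "n-1", time.Now())
	fmt.Println(VerifyIntent(pub, p, s, []byte("swapped artifact"), "prod", time.Now(), map[string]bool{}))
}
```

A compromised build environment that swaps the artifact after approval fails the digest check, because the approver's private key never enters the pipeline and the signed statement cannot be re-issued there.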


Composability, Not Replacement

Intent-verification is not a replacement for existing frameworks.

It is a governance layer on top of them.

It should:

  • Feed into Sigstore signing
  • Attach to in-toto layouts
  • Gate SLSA Level 3+ builds

Resulting Security Stack

  • Pipeline correctness
  • Artifact provenance
  • Human intent verification

This layered model addresses both:

  • Machine trust
  • Human trust

Strengthening Existing Systems

Sigstore becomes stronger when:

  • Signing is performed from isolated approval terminals, not from potentially compromised developer machines

in-toto becomes stronger when:

  • Workflow steps are gated by explicit human intent

SLSA becomes stronger when:

  • High maturity levels include intent-verification requirements

The Core Problem

Modern frameworks assume:

If the pipeline is correct, the outcome is trustworthy.

This assumption fails when:

  • The pipeline environment is compromised
  • The operator is unaware
  • The system cannot distinguish intent from execution

Conclusion: Frameworks Are Necessary but Insufficient

Sigstore, in-toto, and SLSA dramatically improve supply-chain hygiene.

But hygiene is not intent.

Until human intent is cryptographically bound to high-risk actions, compliant pipelines will continue to ship malicious code under real attacks.

Security architecture must extend beyond machines.

It must include:

The human decision layer — explicitly, verifiably, and securely.
