As AI agents become increasingly autonomous and interconnected, establishing trust and provenance in agent-to-agent interactions has become paramount. Today, I'm excited to share my work on bridging several critical open source technologies: Sigstore's cryptographic signing infrastructure, SLSA and In-Toto provenance and the emerging Agent2Agent (A2A) protocol.
The Challenge: Trust in a Multi-Agent World
The AI landscape is evolving rapidly. With Google's recent announcement of the Agent2Agent protocol, now being donated to the Linux Foundation with support from over 50 major technology partners, we're entering an era where AI agents from different vendors, built on different frameworks, will need to communicate and collaborate seamlessly.
But there's a critical question: How do we ensure these agents are who they claim to be?
In a world where agents can discover each other's capabilities through "Agent Cards" (JSON documents describing their skills and interfaces), we need a way to cryptographically verify these claims - claims such as who built the agent, from what code repository, and through which CI/CD workflow. Without this verification, malicious actors could deploy compromised agents or misrepresent an agent's origin and build process. That's where the sigstore-a2a project comes in.
sigstore-a2a: Cryptographic Supply Chain Provenance for AI Agents
The sigstore-a2a project implements a provenance generator that brings Sigstore's battle-tested signing infrastructure to the Agent2Agent ecosystem. Here's what it accomplishes:
Key Features
Agent Card Signing: Every Agent Card can be cryptographically signed using Sigstore's keyless signing infrastructure. This means agents can prove their identity without managing long-lived cryptographic keys.
Provenance Verification: Other agents can verify the authenticity and integrity of Agent Cards before establishing communication. This prevents impersonation attacks and ensures you're talking to the agent you think you are.
Transparency Log Integration: All signatures are recorded in Sigstore's immutable transparency log, creating an auditable trail of agent identities and capabilities over time.
Supply Chain Security for AI: Just as Sigstore revolutionized software supply chain security, this integration brings similar guarantees to the AI agent ecosystem.
How It Works
The implementation follows a straightforward workflow. It runs inside GitHub, using the workflow's ambient OIDC credentials together with Sigstore's Fulcio (the certificate authority) and Rekor (the transparency log).
Agent Card Generation: An agent creates its standard A2A-compliant Agent Card describing its capabilities, skills, and interface endpoints.
Signing Process: The sigstore-a2a tool signs the Agent Card using Sigstore's infrastructure and produces a full Sigstore Bundle. The process covers:
- OIDC-based identity verification
- Short-lived certificate generation
- Transparency log entry creation
Distribution: The signed Agent Card can then be distributed through the standard A2A discovery mechanism (an HTTPS endpoint), but now with cryptographic proof of origin that ties the agent back to the commit SHA of the code it was built from.
Verification: Any agent receiving the card can verify its authenticity using Sigstore's verification tools, ensuring the card and the code it was built from have not been tampered with and come from a legitimate source.
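To make the four steps concrete, here is an added example of a GitHub Actions workflow that does the same job with the cosign CLI standing in for the sigstore-a2a tool; it is not the project's own workflow. It assumes a repository with `agent-card.json` at its root, a workflow file named `sign-agent-card.yml` (the file name, not the `name:` field, is what appears in the certificate identity), and cosign 2.2 or newer for the `--new-bundle-format` flag.

```yaml
name: sign-agent-card

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # lets the job request an ambient OIDC token from GitHub

jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Keyless-sign the Agent Card
        # cosign exchanges the job's OIDC token for a short-lived Fulcio
        # certificate, signs the card, records the entry in Rekor and writes
        # a Sigstore bundle (cert + signature + log entry) next to the card.
        run: |
          cosign sign-blob --yes \
            --new-bundle-format \
            --bundle agent-card.sigstore.json \
            agent-card.json

      - name: Verify the bundle against the expected build identity
        # What a consuming agent should pin: the OIDC issuer, the exact
        # workflow identity and the commit SHA the card was built from.
        # Anything else in the certificate is rejected.
        run: |
          cosign verify-blob \
            --bundle agent-card.sigstore.json \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/sign-agent-card.yml@${{ github.ref }}" \
            --certificate-github-workflow-sha "${{ github.sha }}" \
            agent-card.json

      - name: Publish card and bundle for A2A discovery
        # Serve both files from the agent's HTTPS endpoint so peers can
        # run the same verify-blob check before talking to the agent.
        uses: actions/upload-artifact@v4
        with:
          name: agent-card
          path: |
            agent-card.json
            agent-card.sigstore.json
```

A peer verifying a downloaded card runs the same `cosign verify-blob` command with the repository, workflow path and SHA it expects hard-coded; a card signed by any other workflow or commit fails verification even though the Sigstore signature itself is valid.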
Integration with AgentUp: Enterprise-bound Agent Development
This provenance system will integrate seamlessly with AgentUp, the framework for building enterprise-grade AI agents. AgentUp brings several critical capabilities to the table:
AgentUp's Enterprise Features
Security by Design: Fine-grained scope-based access control ensures plugins and MCP servers only access what they need. Built-in authentication supports OAuth2, JWT, and API keys.
Configuration Over Code: Complex agent behaviours are defined through version-controlled YAML configuration—no boilerplate, no framework internals to learn.
A2A Native: AgentUp is built on the A2A specification from the ground up, ensuring full protocol compliance and interoperability.
Plugin Ecosystem: Extend functionality through community plugins that automatically inherit AgentUp's security and operational features.
When combined with sigstore-a2a, AgentUp agents can then:
- Automatically sign their Agent Cards during deployment
- Verify the provenance of other agents before establishing communication
- Maintain an audit trail of all agent interactions
- Enforce policies based on agent identity and trust levels
Real-World Applications
This technology stack enables several powerful use cases:
Enterprise Agent Networks: Large organizations can deploy fleets of agents with cryptographic proof of origin, ensuring agents only communicate with verified peers and not imposters.
Multi-Vendor Collaboration: When agents from different vendors need to collaborate (e.g., a Salesforce agent working with an SAP agent), cryptographic verification ensures secure traceability.
Regulated Industries: Healthcare, finance, and government sectors can maintain compliance by ensuring all agent communications are authenticated and auditable.
Supply Chain Orchestration: Complex multi-party workflows can be orchestrated with confidence, knowing each participating agent is verified.
The Road Ahead
As the A2A protocol moves under the Linux Foundation's stewardship, establishing trust and security standards early is crucial. The sigstore-a2a project represents a first step toward a more secure agent ecosystem.
Getting Started
If you're building agents that need enterprise-grade security and verifiable identity:
Check out sigstore-a2a: The project is open source and available on GitHub
Try AgentUp: build fully capable agents in minutes, with security, middleware and multimodal capabilities out of the box.
Note that both projects are still in alpha and undergoing a lot of change, but they will give you a view of where things may be headed. Try them out and let me know what you think; I welcome contributions. Or give the repos a star, not for vanity, but to help others find the work!
As we build toward an autonomous agent economy, establishing trust isn't optional - it's fundamental. By combining Sigstore's proven cryptographic infrastructure with the emerging A2A standard, we're laying the groundwork for secure, verifiable agent interactions at scale.
The future of AI isn't just about smarter agents—it's about agents that can trust each other. With sigstore-a2a and AgentUp, that future is here today.
Want to learn more? Check out the sigstore-a2a repository and AgentUp framework. If you're building in the agent space, I'd love to hear from you!