Cryptographic proof of origin for every dependency—no AI, no trust required
CredentialChain uses libsodium and cosign to generate immutable Certificate of Origin documents for npm and PyPI packages, validating GPG signatures and git commit hashes against SLSA framework standards. Inspired by Redox OS's strict no-LLM policy, we provide cryptographic supply chain verification that enterprise DevOps teams can audit without relying on AI-generated attestations—addressing the structural problem of compromised packages like the recent hacked Emacs package incident.
Key Benefits:
- Cryptographic validation using minisign and cosign against git commit hashes—no AI inference, only mathematical proof
- Automated Certificate of Origin generation for every dependency with PostgreSQL-backed immutable audit trails meeting compliance requirements
- Real-time supply chain dashboard showing provenance chains from source to deployment, catching compromised packages before production
MVP Scope: The MVP validates npm/PyPI packages against GPG signatures and git commit hashes, generates signed Certificate of Origin documents, stores the audit trail in PostgreSQL, and provides a basic dashboard for viewing package provenance chains without AI-based verification.
Tech Stack: libsodium, minisign, cosign, SLSA framework, PostgreSQL, React, Node.js
Components:
- Dependency Graph Parser
- Cryptographic Origin Validator
- Certificate of Origin Generator
- Immutable Audit Trail
- Supply Chain Dashboard
Quality assessment: Addresses a genuine supply chain security problem with concrete cryptographic tooling (libsodium, cosign, SLSA) and clear MVP scope, but lacks originality—supply chain verification is well-trodden territory (Sigstore, in-toto exist)—and the pitch is incomplete/truncated, making it hard to assess full market positioning and technical depth.