wsc
| Crates.io | wsc |
| lib.rs | wsc |
| version | 0.4.1 |
| created_at | 2026-01-08 18:15:48.525936+00 |
| updated_at | 2026-01-08 18:15:48.525936+00 |
| description | WebAssembly Signature Component - WASM signing and verification toolkit |
| homepage | https://github.com/pulseengine/wsc |
| repository | https://github.com/pulseengine/wsc |
| max_upload_size | |
| id | 2030840 |
| size | 945,447 |
Ralf Anton Beier (avrabe)
documentation
README
wsc - WebAssembly Signature Component
Sign in the cloud. Verify anywhere.
A tool and library for signing WebAssembly modules with embedded signatures that can be verified completely offline - perfect for embedded systems, edge devices, and air-gapped environments.
Why wsc?
Unlike OCI registry signatures (Cosign) that require network access at verification time, wsc embeds signatures directly in the WASM module. This enables:
| Scenario | Cosign/OCI | wsc |
|---|---|---|
| IoT device with intermittent WiFi | Needs connectivity | Verify offline |
| Industrial controller | Requires registry access | Signature embedded |
| Edge CDN node | Registry latency | Local verification |
| Air-gapped network | Cannot verify | Works offline |
About
wsc is an enhanced WebAssembly signing toolkit built on the foundation of wasmsign2 by Frank Denis. While maintaining compatibility with the WebAssembly modules signatures proposal, wsc adds production-oriented features:
- Offline-First Verification: Embedded signatures survive distribution - no network required at runtime
- Keyless Signing: Full Sigstore/Fulcio/Rekor integration with OIDC authentication (GitHub Actions, Google Cloud, GitLab CI)
- Keyless Verification: Verify Sigstore signatures offline with certificate chain and SET validation
- Enhanced Rekor Verification: Checkpoint-based verification with security hardening
- Bazel Integration: Full BUILD and MODULE.bazel support for hermetic builds
- WIT Component Model: Both library (
wsc-component.wasm) and CLI (wsc-cli.wasm) builds
About This Project
wsc is based on wasmsign2 by Frank Denis, a reference implementation of the WebAssembly modules signatures proposal.
We plan to add additional features to support production use cases, including:
- Enhanced Rekor verification with checkpoint-based proofs
- Bazel build system integration for hermetic builds
- WebAssembly Component Model (WIT) support
- Expanded keyless signing capabilities
- Additional security hardening and validation
MIT License - Original wasmsign2 Copyright (c) 2024 Frank Denis
WASM Signatures
Unlike typical desktop and mobile applications, WebAssembly binaries do not embed any kind of digital signatures to verify that they come from a trusted source, and haven't been tampered with.
wsc takes an existing WebAssembly module, computes a signature for its content, and stores the signature in a custom section.
The resulting binary remains a standalone, valid WebAssembly module, but signatures can be verified prior to executing it.
wsc implements the WebAssembly modules signatures proposal. The file format is documented in the WebAssembly tool conventions repository.
The proposal, and this implementation, support domain-specific features such as:
- The ability to have multiple signatures for a single module, with a compact representation
- The ability to sign a module which was already signed with different keys
- The ability to extend an existing module with additional custom sections, without invalidating existing signatures
- The ability to verify multiple subsets of a module's sections with a single signature
- The ability to turn an embedded signature into a detached one, and the other way round
Installation
wsc is a Rust crate that can be used in other applications.
It is also a CLI tool to perform common operations, whose usage is summarized below.
Using Cargo
cargo install wsc-cli
From Source
git clone https://github.com/pulseengine/wsc.git
cd wsc
cargo build --release
Using Bazel
bazel build //src/cli:wsc
Usage
Keyless Signing (Sigstore)
wsc supports keyless signing using Sigstore - sign in CI, verify anywhere:
# Sign in GitHub Actions (or any OIDC-enabled CI)
wsc sign --keyless -i module.wasm -o signed.wasm
This will:
- Authenticate via OIDC (GitHub Actions, Google Cloud, GitLab CI)
- Generate an ephemeral key pair
- Obtain a certificate from Fulcio
- Sign the module
- Upload signature to Rekor transparency log
- Embed the certificate and Rekor proof in the module
Keyless Verification (Offline)
Verify a keyless-signed module - no network required:
# Basic verification (offline)
wsc verify --keyless -i signed.wasm
# With identity constraints
wsc verify --keyless -i signed.wasm \
--cert-identity "user@example.com" \
--cert-oidc-issuer "https://token.actions.githubusercontent.com"
Verification performs:
- Certificate chain validation against embedded Fulcio roots
- Rekor SET (Signed Entry Timestamp) verification
- Identity and issuer validation (optional)
Traditional Key-Based Signing
Creating a Key Pair
wsc keygen -k secret.key -K public.key
Signing a Module
wsc sign -k secret.key -i module.wasm -o signed.wasm
Verifying a Module
wsc verify -K public.key -i signed.wasm
Inspecting a Module
wsc show -i module.wasm
Detaching/Attaching Signatures
# Detach signature to a file
wsc detach -i signed.wasm -o unsigned.wasm -S signature.bin
# Attach signature from a file
wsc attach -i unsigned.wasm -o signed.wasm -S signature.bin
Partial Verification
wsc can verify signatures for specific custom sections:
wsc verify -K public.key -i signed.wasm --split "custom_section_regex"
OpenSSH Keys Support
wsc supports OpenSSH-formatted Ed25519 keys:
# Generate SSH key
ssh-keygen -t ed25519 -f key
# Sign module (use --ssh flag)
wsc sign -k key --ssh -i module.wasm -o signed.wasm
# Verify module
wsc verify -K key.pub --ssh -i signed.wasm
GitHub Integration
Verify using a GitHub user's SSH public keys:
wsc verify --from-github username -i signed.wasm
Enhanced Features
Rekor Verification
wsc includes comprehensive Rekor inclusion proof verification:
- ✅ SET (Signed Entry Timestamp) verification
- ✅ Checkpoint-based verification with cryptographic tree state proofs
- ✅ Security hardening: Key fingerprint validation, origin validation, cross-shard attack prevention
- ✅ Defense-in-depth: 5 layers of security validation
See docs/checkpoint_security_audit.md for details.
Bazel Integration
Full Bazel support for hermetic builds:
# BUILD.bazel
load("@rules_rust//rust:defs.bzl", "rust_binary")
rust_binary(
name = "wsc",
srcs = ["//src/cli:wsc"],
)
See MODULE.bazel for dependency configuration.
WebAssembly Component Model
Build both library and CLI as WebAssembly components:
# Build WIT component library
bazel build //src/component:wsc-component.wasm
# Build WASI CLI binary
bazel build //src/cli:wsc-cli.wasm
Documentation
- Checkpoint Implementation - Checkpoint-based verification details
- Security Audit - Security vulnerabilities found and fixed
- Checkpoint Format - Complete format specification
- sigstore-rs Comparison - Comparison with official Rust implementation
- Security Documentation - Comprehensive security model and operational security
- Keyless Signing - Keyless signing with Sigstore/Fulcio
- Testing Guide - Testing procedures and guidelines
Development Status
wsc is under active development. Core signing/verification and Rekor validation are functional. See open issues for planned enhancements.
License
MIT License - see LICENSE file for details.
Acknowledgments
- Frank Denis - Original wasmsign2 implementation
- Sigstore Project - Keyless signing infrastructure
- WebAssembly Community - Signatures proposal and specification