Sign in GitHub ActionsInstall CLI/API

seal

A portable proof primitive for signed artifacts.

Seal defines a minimal contract for producing versioned JSON proofs for files and build outputs. The proof is self-contained, portable, and verifiable without a backend.

Sign in GitHub ActionsInstall CLI/API

Seal emits a self-contained proof file. It does not require a backend service to verify.

The primitive is the product. The artifact is the output.

proof.json

Checking proof
Subjectdist-manifest.json
AlgorithmEd25519
CreatedUnavailable
HashUnavailable
SignerUnavailable
SignatureUnavailable

Fetching /proof.json and verifying it against the published artifact.

View proof.json

The Primitive

The primitive

Seal defines a minimal proof contract. It hashes a subject deterministically, signs that hash locally, and emits a versioned JSON proof artifact. It does not define storage, hosting, or identity lifecycle. It emits a file.

Deterministic hashing

The same manifest produces the same subject hash.

Local signing

Signing happens where your signer already exists.

Portable artifact

The output is a proof file that can move between environments unchanged.

Versioned format

The proof format is explicit and stable across implementations.

The Proof Format

The proof format

A proof is plain JSON. It can be stored, published, inspected, and verified without a backend.

proof.json
Checking proof
{
  "type": "seal-proof",
  "version": "2",
  "status": "loading"
}

The proof is self-describing and versioned.

Fetching /proof.json and verifying it against the published artifact.

Surfaces

One proof model. Multiple surfaces.

Seal uses one proof contract across every implementation surface.

GitHub Action

Sign artifacts in CI and publish a proof as part of the workflow output.

CLI

Generate proofs and verify them locally from the terminal.

JavaScript library

Integrate the primitive directly in your own runtime. The CLI and Action are built on the same library.

Example Use

Publish an artifact with its proof

Build an artifact. Hash it deterministically. Sign the hash locally. Publish the proof alongside the artifact.

  1. 1

    Build an artifact

    Produce a release file, dataset, document, build output, or generated archive.

  2. 2

    Hash it deterministically

    Compute the subject hash from the artifact bytes.

  3. 3

    Sign it

    Sign the hash locally and emit a proof file.

  4. 4

    Publish the proof alongside it

    Ship the artifact and proof together so the proof can be verified later.

The artifact stays the same. The proof travels with it.

For Developers

For developers

The JavaScript library is the reference implementation of the primitive. The CLI and GitHub Action are thin surfaces on top of the same contract.

JavaScript library

GitHub Action

CLI

JavaScript

Use the JavaScript API directly

import {
  createSealProof,
  verifySealProofAgainstBytes
} from "@ternent/seal-cli/proof"

const proof = await createSealProof({
  signer: { identity },
  subject: {
    kind: "artifact",
    path: "artifact.tar.gz",
    hash: "sha256:..."
  }
})

const verified = await verifySealProofAgainstBytes(proof, artifactBytes)

Integrate the library directly when you need control over signing or verification flows. Keep the proof format unchanged across environments.

View JavaScript API

Ready

Start in CI. Keep the same proof everywhere.

Sign in CI, verify locally, integrate directly via the JavaScript library.

Sign in GitHub ActionsInstall CLI/API
ternent.dev

© 2026.