Use Case

Cryptographic Provenance for Software Supply Chains

When a software release reaches your infrastructure, how do you know it is authentic? Diogenes provides cryptographic attestation chains for releases, security reviews, audits, and dependency trust -- so you can verify every link in the supply chain.

There is no signing authority. The platform is fully open -- the community defines the trust network through endorsements, and you set your own risk tolerance. You decide who to trust, how far trust extends, and what thresholds matter for your environment.

The Problem

Software Supply Chain Attacks Are Accelerating

From SolarWinds to xz-utils, supply chain attacks exploit the gap between who you think signed a release and who actually did. Package registries rely on account credentials, not cryptographic identity. Security audits produce reports that sit in email threads with no verifiable chain of custody. And when a maintainer's key is compromised, there is no decentralized mechanism to alert downstream consumers.

  • Release signatures are tied to registry accounts, not cryptographic identity with endorsement chains.
  • Security reviews and audits lack verifiable provenance -- anyone can claim a review happened.
  • Key compromise has no decentralized alert mechanism -- endorsers cannot warn downstream consumers.
  • Dependency trust is binary (installed or not) with no configurable policies for transitive trust.

Supply Chain Attestation Flow

  • Maintainer signs release -- x-oss:release binds identity to artifact hash (OS-06)
  • Independent security review -- x-oss:security-review attests review with optional notes (OS-07)
  • Third-party audit attestation -- x-oss:audit binds formal audit report to release (OS-08)
  • Downstream verification -- consumers verify release, reviews, and audits against their trust network

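
To make the four steps concrete, here is a small Python model of the flow, added as an illustration and not taken from Diogenes itself: each attestation binds to the artifact's SHA-256 digest, the audit additionally carries a content hash of its attached report, and the downstream verifier rejects any link whose signature, signer or hash does not check out. Signatures are stood in for by HMAC-SHA256 with per-signer secrets so the example runs on the standard library alone; the field names, signer names and sample bytes are constructed for the example and are not Diogenes's schema.

```python
import hashlib
import hmac
import json

# Attestation type names as used on this page.
RELEASE = "x-oss:release"
REVIEW = "x-oss:security-review"
AUDIT = "x-oss:audit"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(body: dict) -> bytes:
    # Canonical JSON so signer and verifier authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(kind: str, signer: str, secret: bytes, **fields) -> dict:
    # Assumption for this example: HMAC-SHA256 stands in for a real asymmetric
    # signature so the code runs offline on the standard library.
    body = dict(fields, type=kind, signer=signer)
    tag = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


def sig_ok(att: dict, keys: dict) -> bool:
    key = keys.get(att["body"]["signer"])
    if key is None:
        return False
    expected = hmac.new(key, canonical(att["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["sig"])


def evaluate_release(artifact: bytes, attestations: list, attachments: dict,
                     keys: dict, trusted: set) -> dict:
    """Downstream verification: a link counts only if its signature verifies,
    its signer is inside the consumer's trust network, and it binds to the
    digest of the artifact actually being installed."""
    digest = sha256_hex(artifact)
    result = {"release": False, "reviews": 0, "audits": 0, "problems": []}
    for att in attestations:
        body = att["body"]
        kind, who = body["type"], body["signer"]
        if not sig_ok(att, keys):
            result["problems"].append(f"{kind}: signature from {who} does not verify")
            continue
        if who not in trusted:
            result["problems"].append(f"{kind}: {who} is outside the trust network")
            continue
        if body.get("artifact_hash") != digest:
            result["problems"].append(f"{kind}: does not bind to this artifact")
            continue
        if kind == RELEASE:
            result["release"] = True
        elif kind == REVIEW:
            result["reviews"] += 1
        elif kind == AUDIT:
            # The audit carries the content hash of its report; the attached
            # report must still hash to that value or it was altered afterwards.
            report = attachments.get(body.get("report_hash"))
            if report is None or sha256_hex(report) != body["report_hash"]:
                result["problems"].append(f"{kind}: attached report does not match its content hash")
                continue
            result["audits"] += 1
    return result


def demo(tamper_report: bool = False, trust_auditor: bool = True) -> dict:
    # Constructed sample data: signer secrets, artifact and report bytes.
    keys = {"maintainer": b"k-maint", "reviewer": b"k-rev", "auditor": b"k-aud"}
    artifact = b"constructed release tarball bytes, version 1.2.3"
    report = b"constructed audit report: no findings"
    digest = sha256_hex(artifact)
    chain = [
        sign(RELEASE, "maintainer", keys["maintainer"], artifact_hash=digest, version="1.2.3"),
        sign(REVIEW, "reviewer", keys["reviewer"], artifact_hash=digest, notes="reviewed crypto paths"),
        sign(AUDIT, "auditor", keys["auditor"], artifact_hash=digest, report_hash=sha256_hex(report)),
    ]
    if tamper_report:
        report += b" (edited after the attestation was signed)"
    attachments = {chain[2]["body"]["report_hash"]: report}
    trusted = {"maintainer", "reviewer"} | ({"auditor"} if trust_auditor else set())
    return evaluate_release(artifact, chain, attachments, keys, trusted)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(demo(tamper_report=True), indent=2))
```

Running the module prints the clean evaluation first (release bound, one review, one audit, no problems) and then the tampered run, where the release and review still verify but the audit is dropped because the edited report no longer matches the content hash the auditor signed.
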
Attestation Types

Purpose-Built Attestations for Every Stage of the Supply Chain

Release Attestation

Maintainers sign releases with their cryptographic identity, binding artifact hashes to authorized release signers verified through institutional endorsement graphs.

x-oss:release

Security Review

Independent reviewers attest that a release has been examined. Reviewers are trusted through their own endorsement graph -- no maintainer authorization required.

x-oss:security-review

Formal Audit

Third-party auditors bind formal audit reports to specific releases, with content-hashed attachments ensuring the audit report itself cannot be altered after the fact.

x-oss:audit

Deprecation Notice

Flag releases or entire projects as deprecated with structured migration guidance. Authorized by maintainers or project entity keys.

x-oss:deprecation

How Diogenes Helps

Verifiable Trust at Every Layer

Endorser Revocation Alerts

When a maintainer's key is compromised and they cannot self-revoke, endorsers of that key can publish advisory revocation alerts on the transparency log. Multiple endorser alerts increase the severity signal for downstream consumers.

Dependency Trust Policies

Configure how trust propagates through transitive dependencies: explicit-only, weighted inheritance, binary inheritance, or institution-only. Set depth limits and minimum scores to prevent unbounded trust chains.
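
The four policies and the two limits can be modelled as a walk over the dependency graph. The following Python is an added illustration, not Diogenes's implementation, and the meaning it assigns to each policy name is an assumption: explicit-only accepts only dependencies the consumer scored directly, binary inheritance passes a trusted package's score to its dependencies unchanged, weighted inheritance multiplies the parent's score by the endorsement weight of each edge, and institution-only inherits only through packages whose release signer is an institution. In every policy an explicit consumer score overrides an inherited one, the depth limit bounds how many hops are walked, and the minimum score prunes anything below it. The package names, weights and institution set are constructed sample data.

```python
from collections import deque

# Policy names as listed on this page; the semantics below are assumptions.
EXPLICIT_ONLY = "explicit-only"
WEIGHTED = "weighted-inheritance"
BINARY = "binary-inheritance"
INSTITUTION_ONLY = "institution-only"


def evaluate_dependency_trust(graph, roots, direct, policy,
                              max_depth=3, min_score=0.5, institutional=frozenset()):
    """Walk the dependency graph and return {package: score} for every
    package accepted under the policy.

    graph:         package -> list of (dependency, endorsement weight in 0..1)
    roots:         the application's direct dependencies
    direct:        the consumer's explicit trust scores, package -> 0..1
    max_depth:     hops from a root beyond which nothing is inherited
    min_score:     anything scoring below this is pruned
    institutional: packages whose release signer is an institution
    """
    trusted = {}
    queue = deque()
    for pkg in roots:
        score = direct.get(pkg, 0.0)
        if score >= min_score:
            trusted[pkg] = score
            queue.append((pkg, 0))
    while queue:
        pkg, depth = queue.popleft()
        if depth >= max_depth:
            continue  # depth limit: nothing is inherited beyond this hop
        for dep, weight in graph.get(pkg, ()):
            if dep in direct:
                score = direct[dep]  # an explicit score always overrides inheritance
            elif policy == EXPLICIT_ONLY:
                continue
            elif policy == BINARY:
                score = trusted[pkg]  # yes/no propagation: inherit the parent's score as is
            elif policy == WEIGHTED:
                score = trusted[pkg] * weight  # decay by the edge's endorsement weight
            elif policy == INSTITUTION_ONLY:
                if pkg not in institutional:
                    continue  # only institutional signers may extend trust
                score = trusted[pkg] * weight
            else:
                raise ValueError(f"unknown policy {policy!r}")
            if score < min_score:
                continue
            if dep not in trusted or score > trusted[dep]:
                trusted[dep] = score
                queue.append((dep, depth + 1))
    return trusted


# Constructed sample dependency graph (names and weights are made up).
GRAPH = {
    "web-framework": [("http-parser", 0.8), ("left-pad", 0.9)],
    "http-parser": [("string-utils", 0.5)],
    "crypto-lib": [("bignum", 0.9)],
    "bignum": [("asm-helpers", 0.3)],
}
ROOTS = ["web-framework", "crypto-lib"]
DIRECT = {"web-framework": 0.9, "crypto-lib": 1.0, "left-pad": 0.2}  # left-pad scored low on purpose
INSTITUTIONAL = frozenset({"crypto-lib"})


def demo(policy, max_depth=3, min_score=0.5):
    return evaluate_dependency_trust(GRAPH, ROOTS, DIRECT, policy,
                                     max_depth=max_depth, min_score=min_score,
                                     institutional=INSTITUTIONAL)


if __name__ == "__main__":
    for policy in (EXPLICIT_ONLY, WEIGHTED, BINARY, INSTITUTION_ONLY):
        print(f"{policy:22} {sorted(demo(policy))}")
    print("binary-inheritance, max_depth=1", sorted(demo(BINARY, max_depth=1)))
```

On the sample graph the policies diverge exactly where the page says they should: explicit-only accepts the two roots and nothing else; weighted inheritance admits http-parser (0.9 x 0.8) and bignum but prunes string-utils and asm-helpers below the 0.5 floor; binary inheritance admits the whole tree apart from left-pad, which the consumer's explicit 0.2 keeps out; and institution-only lets trust flow through crypto-lib but not through web-framework.
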

Structured Audit Export

Export complete audit trails in JSON or CSV for regulatory submission or incident response. Filter by date range, signer, or document -- with full attestation history, key lifecycle events, and endorsement status.

More Than a Signature

How Diogenes Compares

Signing a release proves someone held a key. Diogenes proves who they are, who vouches for them, whether independent reviewers examined the code, and how all of that connects to your trust network.

Capability                  | Sigstore / Cosign           | GPG Release Signing      | Diogenes
----------------------------|-----------------------------|--------------------------|------------------------------------------------------
Identity model              | OIDC (email/GitHub account) | Keyserver (ad hoc trust) | Community endorsement graphs, no CA
Security review attestation | Not supported               | Not supported            | x-oss:security-review with independent reviewer trust
Audit binding               | Not supported               | Not supported            | x-oss:audit with content-hashed report attachments
Key compromise response     | Fulcio short-lived certs    | Revocation certificate   | Endorser revocation alerts (decentralized)
Dependency trust            | Binary (signed or not)      | Not supported            | Configurable policies with transitive inheritance
Trust evaluation            | Signature valid or not      | Key trusted or not       | Trust score from your network, your thresholds

A Trust Landscape, Not a Gatekeeper

Stop Hoping. Start Evaluating.

Today, installing a package is an act of blind faith. You trust that the registry account was not compromised, that the CI pipeline was not tampered with, and that someone -- somewhere -- actually reviewed the code. There is no way to see the full picture.

Diogenes creates a landscape where trust can be evaluated, not assumed. Every release carries a visible chain of attestations: who signed it, who reviewed it, who audited it, and how those people connect to your own trust network. Instead of closing your eyes and hoping, you get a concrete trust score grounded in real cryptographic evidence and real human endorsements.

Visible Provenance

Every attestation, endorsement, and review is publicly recorded on the transparency log. Nothing is hidden behind a vendor dashboard.

Your Risk Tolerance

Configure trust policies that match your security posture. Require institutional endorsements, set minimum trust scores, or restrict to explicit-only dependency trust.

Community-Defined Trust

Trust is not dictated by a central authority. The community builds the endorsement graph, and each consumer evaluates it through their own lens.

Ready to secure your software supply chain?