Protects against silent out-of-band commit modification, signature stripping in transit, and unrecorded agent contribution. Once signed, any downstream tampering of the commit message, author, or canonical schema metadata will break the signature verification offline and in CI.
Security
Threat model
Attestation limits and L1 software-key assumptions.
An emulated software key (L1) proves possession of the private key file, not the physical identity of the actor. A compromised developer machine, a malicious local agent, or an attacker with write access to the filesystem can sign envelopes that verify perfectly. In L1 mode, actor binding is advisory and relies on workstation access controls.
Organizations establish trust by distributing public keys to verifiers (e.g., CI/CD runners using the --trusted-keys parameter). Revocation, multi-maintainer key rotation, and transparency-log integrations are active areas of protocol development. Matrix Scroll commits represent advisory self-attestations until external trust anchors or transparency logs are integrated.