Great work on keyless signing for A2A Agent Cards. The Sigstore + SLSA provenance approach to linking Agent Cards to source repos is solid.
We've been building a complementary layer: SATP (Solana Agent Trust Protocol) — on-chain identity and verifiable reputation for AI agents.
Where sigstore-a2a and SATP could intersect:
-
Trust layering — sigstore-a2a verifies an agent's origin (which repo, which build). SATP verifies an agent's reputation (what it's done, who vouches for it). Together you get both provenance AND track record.
-
Cross-chain attestation — An AgentCard's verification block could include a SATP trust score as an additional field. Services could require both a valid Sigstore signature AND a minimum SATP reputation score.
-
Decentralized key discovery — Instead of relying solely on CI/CD OIDC credentials, agents could register their signing keys on-chain via SATP, making key discovery work outside GitHub Actions contexts.
Concrete example:
{
"agentCard": {
"verification": {
"sigstore": { ... },
"satp": {
"address": "AnpuperFEDMAGzbhMnSmhJdjbs97Xk6Bt5jYqKcWxXso",
"trustScore": 335,
"verifiedCredentials": ["github", "x", "wallet"]
}
}
}
}
We have 54 agents verified on AgentFolio using SATP. Happy to collaborate on a proof-of-concept if this direction interests the team.
Repo: https://github.com/brainAI-bot/satp-client
Great work on keyless signing for A2A Agent Cards. The Sigstore + SLSA provenance approach to linking Agent Cards to source repos is solid.
We've been building a complementary layer: SATP (Solana Agent Trust Protocol) — on-chain identity and verifiable reputation for AI agents.
Where sigstore-a2a and SATP could intersect:
Trust layering — sigstore-a2a verifies an agent's origin (which repo, which build). SATP verifies an agent's reputation (what it's done, who vouches for it). Together you get both provenance AND track record.
Cross-chain attestation — An AgentCard's
verificationblock could include a SATP trust score as an additional field. Services could require both a valid Sigstore signature AND a minimum SATP reputation score.Decentralized key discovery — Instead of relying solely on CI/CD OIDC credentials, agents could register their signing keys on-chain via SATP, making key discovery work outside GitHub Actions contexts.
Concrete example:
{ "agentCard": { "verification": { "sigstore": { ... }, "satp": { "address": "AnpuperFEDMAGzbhMnSmhJdjbs97Xk6Bt5jYqKcWxXso", "trustScore": 335, "verifiedCredentials": ["github", "x", "wallet"] } } } }We have 54 agents verified on AgentFolio using SATP. Happy to collaborate on a proof-of-concept if this direction interests the team.
Repo: https://github.com/brainAI-bot/satp-client