ASTIS Sign & Verify

Prove a document is authentic — without ever sharing the file.

Sign a document by its hash and get a standard detached PGP signature. ASTIS never sees the document — and anyone can verify it with gpg or Cosign, with no ASTIS account.

Operational access shouldn't mean document access.

Where signing by hash matters

Anywhere a record must be provably authentic, but the file itself should not be handed to a third party.

Software releases & artifacts

Sign every build; users verify with gpg or Cosign — no ASTIS account, no portal login.

Contracts & signed records

Prove a contract is the executed version, byte-for-byte unaltered, long after it was signed.

Legal & privileged documents

Demonstrate authenticity to a client, counterparty, or court — without ever disclosing the file.

Audit & compliance evidence

Signatures carry notations linked to your audit trail, so records map to who did what, when.

Supply-chain & SBOM

Sign and verify artifacts across vendors and pipelines; trust travels with the signature, not the file.

Regulatory & financial filings

Provable integrity of submitted records, verifiable by any party with standard tools.

How it works

1

Hash it locally

You compute the SHA-256 and send only the 32-byte digest. The document never leaves your boundary.

2

ASTIS signs it

Signed with your org key, returning a standard detached PGP signature — ASTIS never sees the file.

3

Anyone verifies

Verify with gpg or Cosign, no ASTIS account. The signature embeds notations (fingerprint, audit_id).

Don't take it on faith

We sign our own releases with this exact API — the outputs are verbatim from live calls, and you can verify them yourself.

14/14
release builds signed via /v1/sign and independently gpg-verified Good
32
bytes cross the ASTIS edge per signature — the SHA-256, never the file
0
accounts needed to verify — pass the public cert and check it yourself
OpenPGP
standard detached signatures — no proprietary format, no lock-in

The signing API is available. Internal dogfood + independently verifiable artifacts; full architecture reviewable under NDA.

Sign by hash. Anyone verifies it.

Let's scope signing for your releases, records, or compliance evidence.