Prove a document is authentic —
without ever sharing the file.
Sign a document by its hash and get a standard detached PGP signature. ASTIS never sees the document — and anyone can verify it with gpg or Cosign, with no ASTIS account.
Operational access shouldn't mean document access.
Where signing by hash matters
Anywhere a record must be provably authentic, but the file itself should not be handed to a third party.
Software releases & artifacts
Sign every build; users verify with gpg or Cosign — no ASTIS account, no portal login.
Contracts & signed records
Prove a contract is the executed version, byte-for-byte unaltered, long after it was signed.
Legal & privileged documents
Demonstrate authenticity to a client, counterparty, or court — without ever disclosing the file.
Audit & compliance evidence
Signatures carry notations linked to your audit trail, so records map to who did what, when.
Supply-chain & SBOM
Sign and verify artifacts across vendors and pipelines; trust travels with the signature, not the file.
Regulatory & financial filings
Provable integrity of submitted records, verifiable by any party with standard tools.
How it works
Hash it locally
You compute the SHA-256 and send only the 32-byte digest. The document never leaves your boundary.
ASTIS signs it
Signed with your org key, returning a standard detached PGP signature — ASTIS never sees the file.
Anyone verifies
Verify with gpg or Cosign, no ASTIS account. The signature embeds notations (fingerprint, audit_id).
Don't take it on faith
We sign our own releases with this exact API — the outputs are verbatim from live calls, and you can verify them yourself.
The signing API is available. Internal dogfood + independently verifiable artifacts; full architecture reviewable under NDA.
Sign by hash. Anyone verifies it.
Let's scope signing for your releases, records, or compliance evidence.