Skip to content

Add Signet plugin — local-first cryptographic signing for agent workflows #2284

Description

@willamhou

Plugin: Signet

Cryptographic action receipts for Dify agent workflows. Ed25519 signing, hash-chained audit trail, offline verification.

Key difference from existing signing plugins: No API key, no SaaS, no network dependency. Signing keys and audit logs stay on your infrastructure.

Tools

Tool Description
Sign Action Ed25519 sign any tool call, append to hash-chained audit log
Verify Receipt Offline signature verification — no network needed
Audit Query Query local audit trail by time range or tool name

Setup

  1. Install plugin
  2. Optionally set a Key Name (default: dify-agent)
  3. No API keys, no accounts — auto-creates Ed25519 identity on first use

Why local-first matters

Signet SaaS signing
API key required No Yes
Data leaves infrastructure No Yes
Offline verification Yes No
Key custody You Provider

Compliance

Signed audit trails support SOC 2 (CC7.2, CC7.3), ISO 27001 (A.8.15), EU AI Act Article 12, and DORA. See full compliance mapping.

Source

Happy to submit a PR if there's interest.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions