Tamper with the binary. The seal breaks.
Wiki |
Quick Start |
Use Cases |
Snippets |
CLI Reference |
Security
Every dependency you install is a trust decision you didn't make. Someone compiled that binary. You hope it matches the source. You have no proof.
Sealed fixes that. One command:
sealed install requestsWhat just happened:
- Resolved every transitive dependency
- Downloaded source from PyPI (not wheels, actual source)
- Scanned source for dangerous patterns, CVEs, and install-time code execution
- Measured the build environment (Python, compiler, OS, CPU, env vars)
- Built each from source
- Signed provenance chains with Ed25519
- Checked trust policy (TOFU key pinning, revocation, multi-party)
- Logged to append-only transparency chain
- Installed verified artifacts
If anyone tampered with anything at any step, the seal doesn't verify. You know before the code runs.
pip install alia-sealedNo config. No setup. First run generates your signing key (encrypted, or stored in OS keychain).
# Install with full supply chain attestation
sealed install requests
# Install specific version, skip dep sealing
sealed install flask --version 3.1.0 --no-deps
# Build and seal without installing
sealed build numpy
# Verify a seal
sealed verify ~/.sealed/store/requests-2.32.3/seal.json \
--artifact ~/.sealed/store/requests-2.32.3/requests-2.32.3-py3-none-any.whl
# Inspect provenance chain
sealed inspect ~/.sealed/store/requests-2.32.3/chain.json
# List all sealed packages
sealed audit# Behavioral sandbox: monitor what a package does at import
sealed sandbox suspicious-package
# Consensus build: build 3 times, check agreement
sealed consensus requests --num-builds 3
# Reproducibility check: build twice, compare
sealed reproduce flask
# Runtime integrity: check for post-install tampering
sealed watchdog check
# Trust graph: see your dependency tree with trust scores
sealed trust requests# Export/import seals
sealed registry export -o team-seals.json
sealed registry import -i team-seals.json
# Export/import key pins
sealed registry export-pins -o pins.json
sealed registry import-pins -i pins.json
# Revoke a compromised key
sealed registry revoke --key <hex-public-key> --reason "compromised"# Require 2+ independent signers
sealed policy set --min-signatures 2
# Require TPM attestation
sealed policy set --require-attestation tpm2
# Disable TOFU (manual key pinning only)
sealed policy set --tofu false| Tool | What It Does | Sealed's Angle |
|---|---|---|
| Sigstore | Keyless signing via OIDC, Rekor transparency log | Local-first. No external services. Works offline. |
| in-toto | Multi-party supply chain layout verification | Single command. No layout files. |
| SLSA | Framework for supply chain security levels | SLSA is a spec. Sealed is a tool. |
| TUF | Secure software update delivery | TUF secures distribution. Sealed secures the build. |
| Nix/Guix | Deterministic reproducible package managers | Sealed wraps your existing pip workflow. |
Zero-config, single-command, full-stack. Two commands to start:
pip install alia-sealed
sealed install <package>
sealed/
chain.py Provenance chain (SHA-256 hashing, environment fingerprinting)
source.py PyPI source fetcher (rejects wheels, verifies hashes)
builder.py Isolated builder with attestation and source audit
attestation.py Software attestation + TPM 2.0 (when available)
audit_source.py Source scanner (patterns, CVEs, setup.py analysis)
seal.py Ed25519 signing authority
verify.py End-to-end verifier
resolver.py Recursive dependency resolver (topological ordering)
registry.py SQLite seal store (TOFU key pinning, export/import)
policy.py Trust policy engine (multi-party, attestation, revocation)
keystore.py Encrypted key storage (PBKDF2 + NaCl SecretBox)
reproduce.py Reproducibility checker (build twice, compare)
sandbox.py Behavioral sandbox (monitor imports in isolation)
consensus.py Consensus builds (N builds, majority vote)
watchdog.py Runtime integrity watchdog (post-install hash check)
trust_graph.py Trust graph with scored weak-link analysis
transparency.py Append-only hash-chained transparency log
ecosystem.py Multi-ecosystem adapters (pip, npm, cargo)
os_keychain.py OS keychain (Windows DPAPI, macOS Keychain, Linux libsecret)
lockfile.py Lockfile for reproducible team installs
cli.py 13 CLI commands
Every sealed package carries a 5-step chain:
| Step | What It Records | What It Proves |
|---|---|---|
environment_attestation |
Python, compiler, OS, CPU, env vars, TPM PCRs | Build machine state is known |
source_audit |
Pattern scan + CVE check + setup.py analysis | Source was scanned for known dangers |
source_verify |
Archive hash vs PyPI registry hash | Source wasn't modified after download |
toolchain_capture |
Python interpreter hash | Exact compiler that built the artifact |
build |
Source dir hash in, artifact hash out | Binary came from this exact source |
Environment, all records, and package identity are hashed into the chain. Signed with Ed25519. One bit changed = signature fails = rejected.
What Sealed catches:
| Threat | How |
|---|---|
| Mirror tampering | SHA-256 fail-closed verification |
| Download MITM | Hash check catches modified bytes |
| Binary modification | Artifact hash in chain |
| Dangerous source | Pattern scanner + CVE check |
| Malicious imports | Behavioral sandbox |
| Malicious setup.py | Setup.py install-time execution scanner |
| Cross-package replay | Package name + version in chain hash |
| Key compromise | TOFU pinning alerts on key change |
| Key theft | Encrypted storage + OS keychain |
| Single signer risk | Multi-party N-of-M verification |
| Post-install tampering | Runtime watchdog |
| Non-reproducible build | Consensus builds |
| Dual signing | Transparency log equivocation detection |
| Pin poisoning | Deferred TOFU commit |
Honest limitations:
- Source audit catches known patterns, not logic bugs or novel techniques
- Behavioral sandbox is Python-level monkey-patching, not kernel isolation
- Consensus builds on one machine verify reproducibility, not independent agreement
- Transparency log is local-only (no gossip protocol)
- Build time scales with package complexity
22 modules. 325 tests. 13 CLI commands. All shipped:
- 5-step provenance chains with Ed25519 signatures
- Environment attestation (software + TPM)
- Source code safety scanning
- Behavioral sandboxing at import time
- Consensus builds (N-build majority vote)
- Runtime integrity watchdog
- Trust graph with weak-link analysis
- Transparency log with equivocation detection
- TOFU key pinning with deferred commit
- Multi-party N-of-M verification
- Encrypted key storage + OS keychain
- Lockfile for team installs
- Multi-ecosystem adapters (pip, npm, cargo)
- Recursive transitive dependency sealing
- SQLite registry with export/import
- CI/CD GitHub Actions workflows
Next:
- Public transparency log with gossip protocol
- Kernel-level sandbox (seccomp/namespaces)
- Cross-machine consensus builds
- Wiki: Quick Start
- Wiki: Use Cases (10 real-world scenarios)
- Wiki: Code Snippets (12 copy-paste examples)
- Wiki: Team Setup
- Wiki: CI/CD Integration
- Wiki: CLI Reference
- Wiki: Security Model
- Wiki: Troubleshooting
- Architecture
- API Reference
- Security
Apache-2.0 | ALIA Labs
Built by Tushar Sharma at ALIA Labs.