Secure signatures without a private key
Summary
This article explores a method to attach cryptographic signatures to build artifacts without exposing a private key, using ECDSA public key recovery. It discusses the reproducibility problem, why SGX-based attestation was insufficient, and presents a fixed signature approach that lets verifiers reconstruct the per-artifact public key and compare embedded digests for authenticity.
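The mechanism the summary describes, as an added example that is not the article's own code: ECDSA public-key recovery on secp256k1, plus the fixed-signature trick read as follows (my assumption about the article's construction): a fixed (r, s) is embedded in the artifact before it is hashed, the builder recovers the per-artifact public key Q from the artifact digest and that (r, s), and publishes a digest of Q out of band; the verifier repeats the recovery and compares digests. The curve constants are the standard secp256k1 parameters; the seed used to derive r, the value of s and the sample payload are constructed for this example. The point R is derived by hashing a public seed rather than as a known multiple of G, because if anyone knew k with R = k*G they could compute the private scalar behind every recovered Q, which is exactly what the approach is meant to avoid.

```python
"""ECDSA public-key recovery on secp256k1 and the fixed-signature trick.

Example code added alongside this summary, not the article's own code.
Assumes secp256k1, SHA-256 artifact digests, (r, s, recid) signatures and
a constructed seed for the fixed signature.
"""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_P, base point G of order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _lift_x(x, odd):
    """Curve point with this x and the requested y parity, or None if x is not on the curve."""
    y_sq = (x * x * x + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)  # valid square root because P % 4 == 3
    if y * y % P != y_sq:
        return None
    return (x, y) if (y & 1) == odd else (x, P - y)


def pubkey(priv):
    return _mul(priv, G)


def sign(priv, z):
    """Ordinary ECDSA with a random nonce, returning (r, s, recid); used only for the self-check."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        x, y = _mul(k, G)
        r = x % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * priv) % N
        if s == 0:
            continue
        return r, s, (y & 1) | (2 if x >= N else 0)  # bit0: y parity, bit1: x >= N


def recover(z, r, s, recid):
    """Public-key recovery: Q = r^-1 * (s*R - z*G). Returns None for an invalid (r, s, recid)."""
    x = r + N if recid & 2 else r
    if not (1 <= r < N and 1 <= s < N) or x >= P:
        return None
    R = _lift_x(x, recid & 1)
    if R is None:
        return None
    zG = _mul(z % N, G)
    neg_zG = None if zG is None else (zG[0], (P - zG[1]) % P)
    return _mul(pow(r, -1, N), _add(_mul(s, R), neg_zG))


def compress(q):
    """SEC1 compressed point encoding."""
    return bytes([2 + (q[1] & 1)]) + q[0].to_bytes(32, "big")


# --- fixed-signature construction -------------------------------------------
# R comes from a public seed by try-and-increment, so no one knows k with R = k*G
# and therefore no one knows the private scalar of any recovered Q. Seed and s are
# constructed values for this example.
def _fixed_r(seed):
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest(), "big")
        if x < N and _lift_x(x, 0) is not None:
            return x
        ctr += 1


FIXED_R = _fixed_r(b"example fixed-signature seed (constructed)")
FIXED_S = int.from_bytes(hashlib.sha256(b"example fixed s (constructed)").digest(), "big") % N or 1
FIXED_RECID = 0  # even y and x < N, guaranteed by _fixed_r


def build_artifact(payload):
    """Embed the fixed (r, s) in the artifact before it is hashed (hash covers the signature)."""
    return payload + FIXED_R.to_bytes(32, "big") + FIXED_S.to_bytes(32, "big")


def artifact_key(artifact):
    """Per-artifact public key, recovered from the artifact digest and the fixed signature."""
    z = int.from_bytes(hashlib.sha256(artifact).digest(), "big")
    return recover(z, FIXED_R, FIXED_S, FIXED_RECID)


def key_digest(artifact):
    """What the builder publishes out of band (the trust anchor): SHA-256 of the recovered key."""
    return hashlib.sha256(compress(artifact_key(artifact))).digest()


def verify(artifact, published_digest):
    """Verifier side: recover the key again and compare digests in constant time."""
    q = artifact_key(artifact)
    return q is not None and hmac.compare_digest(hashlib.sha256(compress(q)).digest(), published_digest)


if __name__ == "__main__":
    art = build_artifact(b"constructed build output")
    d = key_digest(art)
    print("genuine:", verify(art, d), "tampered:", verify(art + b"\x00", d))
```

Two things worth noticing when running it: the recovery itself proves nothing about authenticity, since anyone can recover Q from any artifact; what the verifier trusts is the out-of-band published key digest, so that channel (and the provenance of the fixed R) is where the security argument lives. The `sign`/`recover` pair is included only so the recovery formula can be checked against a key whose private scalar is known.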