Question
Design a software-supply-chain artifact-signing and provenance system for an organization producing 50K build artifacts/day (containers, packages, binaries). Every artifact must be cryptographically signed, carry verifiable provenance (which source commit, which build, which inputs), and be admission-checked at deploy time so unsigned or tampered artifacts can't reach production. Threat model: a compromised build agent injecting malware, a developer pushing a malicious dependency, and stolen signing keys. Constraints: signing must not bottleneck CI (sub-second per artifact), keys must be protected, and verification must work air-gapped. Cover the signing flow, provenance generation, key model, and admission control.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
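To make the signing flow, provenance statement and admission check concrete, here is an added, self-contained Go sketch; it is not part of the question and not anyone's production code. It assumes Ed25519 (signing a small provenance payload, so per-artifact cost is well under a millisecond), a provenance field set loosely modelled on in-toto/SLSA-style statements (the field names are assumptions), and an admission controller that pins public keys by key ID offline, which is what makes air-gapped verification possible. The private key is generated in-process here only for the demo; in the design under discussion it would live in an HSM or KMS and only the signing operation would be exposed to CI.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Provenance binds one artifact to the commit, builder, build and resolved inputs that produced it.
// Field names are an assumption for this example, not a standard schema.
type Provenance struct {
	SubjectDigest string   `json:"subjectDigest"` // sha256 of the artifact bytes
	SourceCommit  string   `json:"sourceCommit"`
	BuilderID     string   `json:"builderId"`
	BuildID       string   `json:"buildId"`
	Inputs        []string `json:"inputs"` // digests of dependencies actually used
}

// Envelope ships next to the artifact: the provenance bytes, a detached signature, and which key signed.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
	KeyID     string `json:"keyId"`
}

// Policy is what an air-gapped admission controller pins: trusted public keys by key ID and trusted builders.
// Revoking a stolen key is removing its entry; nothing online is needed to verify.
type Policy struct {
	Keys            map[string]ed25519.PublicKey
	TrustedBuilders map[string]bool
}

var (
	ErrUntrustedKey     = errors.New("admission: envelope signed by an unknown or revoked key")
	ErrBadSignature     = errors.New("admission: signature does not verify")
	ErrDigestMismatch   = errors.New("admission: artifact digest does not match signed provenance")
	ErrUntrustedBuilder = errors.New("admission: provenance names an untrusted builder")
)

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Sign runs once per artifact in the build service: hash the artifact, fill in the subject digest,
// and sign the canonical provenance bytes. encoding/json emits struct fields in declared order,
// so the payload is deterministic and the verifier signs and checks the same bytes.
func Sign(priv ed25519.PrivateKey, keyID string, artifact []byte, p Provenance) (Envelope, error) {
	p.SubjectDigest = digest(artifact)
	payload, err := json.Marshal(p)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload), KeyID: keyID}, nil
}

// Admit is the deploy-time gate: known key, valid signature, digest matches the bytes actually being
// deployed, and the builder is one we trust. Order matters: the cheap key lookup rejects first.
func Admit(pol Policy, artifact []byte, env Envelope) (Provenance, error) {
	pub, ok := pol.Keys[env.KeyID]
	if !ok {
		return Provenance{}, ErrUntrustedKey
	}
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return Provenance{}, ErrBadSignature
	}
	var p Provenance
	if err := json.Unmarshal(env.Payload, &p); err != nil {
		return Provenance{}, err
	}
	if p.SubjectDigest != digest(artifact) {
		return p, ErrDigestMismatch
	}
	if !pol.TrustedBuilders[p.BuilderID] {
		return p, ErrUntrustedBuilder
	}
	return p, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo only; real key lives in an HSM/KMS
	pol := Policy{Keys: map[string]ed25519.PublicKey{"build-signer-v1": pub},
		TrustedBuilders: map[string]bool{"ci-builder-pool-a": true}}
	artifact := []byte("constructed artifact bytes") // stands in for a container layer or package
	env, _ := Sign(priv, "build-signer-v1", artifact, Provenance{
		SourceCommit: "deadbeef (constructed)", BuilderID: "ci-builder-pool-a",
		BuildID: "build-42 (constructed)", Inputs: []string{digest([]byte("dep-1"))}})
	_, err := Admit(pol, artifact, env)
	fmt.Println("clean artifact admitted:", err == nil)
	_, err = Admit(pol, []byte("tampered bytes"), env)
	fmt.Println("tampered artifact rejected:", err)
}
```

The split between Sign and Admit mirrors the threat model: a build agent that swaps in malware changes the artifact digest, so the signed provenance no longer matches; a stolen key is handled by dropping its ID from Policy; and a malicious dependency shows up in Inputs, where a policy layer can compare it against an allow-list before admission.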