diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ba76f62..7db7281 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,9 +4,11 @@ updates:
   directory: "/"
   schedule:
     interval: daily
-  open-pull-requests-limit: 10
 - package-ecosystem: cargo
   directory: "/"
   schedule:
     interval: daily
-  open-pull-requests-limit: 10
+- package-ecosystem: rust-toolchain
+  directory: "/"
+  schedule:
+    interval: daily
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 2cfcd47..43113fb 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -92,12 +92,13 @@ jobs:
       run: ./demo.sh
 
   publish:
-    if: startsWith(github.ref, 'refs/tags/')
+    if: github.event_name == 'push' && ( startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' )
     needs:
     - test
     permissions:
       contents: write
       packages: write
+      id-token: write
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
@@ -106,7 +107,10 @@ jobs:
       uses: cargo-bins/cargo-binstall@main
     - name: Install wkg
       run: cargo binstall --force wkg
-    - name: Get the version
+    - name: Install cosign
+      uses: sigstore/cosign-installer@v4.1.2
+    - name: Get tag version
+      if: startsWith(github.ref, 'refs/tags/v')
       id: get_version
       run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
     - name: Download components.tar
@@ -125,8 +129,9 @@ jobs:
       run: make publish
       env:
         REPOSITORY: "ghcr.io/${{ github.repository }}"
-        VERSION: "${{ steps.get_version.outputs.VERSION }}"
+        VERSION: "${{ case(github.ref == 'refs/heads/main', 'dev', steps.get_version.outputs.VERSION) }}"
     - name: Draft GitHub Release
+      if: startsWith(github.ref, 'refs/tags/v')
       uses: softprops/action-gh-release@v3
       with:
         draft: true
diff --git a/Makefile b/Makefile
index 4a8b680..1480ddb 100644
--- a/Makefile
+++ b/Makefile
@@ -15,16 +15,25 @@ ifndef REPOSITORY
 endif
 	@$(eval FILE := $(@:publish-%=%))
 	@$(eval COMPONENT := $(FILE:%.wasm=%))
+# 	@$(eval DESCRIPTION := $(shell head -n 3 "lib/${FILE}.md" | tail -n 1))
 	@$(eval REVISION := $(shell git rev-parse HEAD)$(shell git diff --quiet HEAD && echo "+dirty"))
 	@$(eval TAG := $(shell echo "${VERSION}" | sed 's/[^a-zA-Z0-9_.\-]/--/g'))
 
-    # --annotation "org.opencontainers.image.description=${DESCRIPTION}" \
+# 			--annotation "org.opencontainers.image.description=${DESCRIPTION}" \
 
-	wkg oci push \
-        --annotation "org.opencontainers.image.title=${COMPONENT}" \
-        --annotation "org.opencontainers.image.version=${VERSION}" \
-        --annotation "org.opencontainers.image.source=https://github.com/componentized/services.git" \
-        --annotation "org.opencontainers.image.revision=${REVISION}" \
-        --annotation "org.opencontainers.image.licenses=Apache-2.0" \
-        "${REPOSITORY}/${COMPONENT}:${TAG}" \
-        "lib/${FILE}"
+	@echo "::group::${FILE} -> ${REPOSITORY}/${COMPONENT}:${TAG}"
+	@DIGEST=$$( \
+		wkg oci push \
+			--annotation "org.opencontainers.image.title=${COMPONENT}" \
+			--annotation "org.opencontainers.image.version=${VERSION}" \
+			--annotation "org.opencontainers.image.source=https://github.com/${GITHUB_REPOSITORY}.git" \
+			--annotation "org.opencontainers.image.revision=${REVISION}" \
+			--annotation "org.opencontainers.image.licenses=Apache-2.0" \
+			"${REPOSITORY}/${COMPONENT}:${TAG}" \
+			"lib/${FILE}" \
+			2>&1 \
+			| tee /dev/stderr \
+			| grep -o 'sha256:[a-f0-9]\{64\}' \
+	) ; \
+	cosign sign --yes "${REPOSITORY}/${COMPONENT}:${TAG}@$${DIGEST}"
+	@echo "::endgroup::"
diff --git a/README.md b/README.md
index ff637ce..dc6e258 100644
--- a/README.md
+++ b/README.md
@@ -19,9 +19,9 @@ A WASM component services lifecycle.
 ## Build
 
 Prereqs:
-- a rust toolchain with `wasm32-unknown-unknown` and `wasm32-wasip2` targets (`rustup target add wasm32-unknown-unknown` and `rustup target add wasm32-wasip2`)
-- [`cargo component`](https://github.com/bytecodealliance/cargo-component)
+- a rust toolchain
 - [`static-config`](https://github.com/componentized/static-config)
+- [`wasm-tools`](https://github.com/bytecodealliance/wasm-tools)
 - [`wac`](https://github.com/bytecodealliance/wac)
 - [`wkg`](https://github.com/bytecodealliance/wasm-pkg-tools)
 
diff --git a/build.sh b/build.sh
index a2d62a5..71015ae 100755
--- a/build.sh
+++ b/build.sh
@@ -16,66 +16,65 @@ wkg wit build -o "${SCRIPT_DIR}/lib/interface.wasm"
 
 # core components
 
-cargo component build -p credential-config --release --target wasm32-unknown-unknown
-cp "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/credential_config.wasm" "${SCRIPT_DIR}/lib/credential-config.wasm"
-cargo component build -p keyvalue-credential-admin --release --target wasm32-unknown-unknown
-cp "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/keyvalue_credential_admin.wasm" "${SCRIPT_DIR}/lib/keyvalue-credential-admin.wasm"
-cargo component build -p keyvalue-credential-store --release --target wasm32-unknown-unknown
-cp "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/keyvalue_credential_store.wasm" "${SCRIPT_DIR}/lib/keyvalue-credential-store.wasm"
-cargo component build -p lifecycle-host-cli --release --target wasm32-unknown-unknown
-cp "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/lifecycle_host_cli.wasm" "${SCRIPT_DIR}/lib/lifecycle-host-cli.wasm"
-cargo component build -p lifecycle-host-http --release --target wasm32-unknown-unknown
-cp "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/lifecycle_host_http.wasm" "${SCRIPT_DIR}/lib/lifecycle-host-http.wasm"
+cargo build -p credential-config --release --target wasm32-unknown-unknown
+wasm-tools component new "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/credential_config.wasm" -o "${SCRIPT_DIR}/lib/credential-config.wasm"
+cargo build -p keyvalue-credential-admin --release --target wasm32-unknown-unknown
+wasm-tools component new "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/keyvalue_credential_admin.wasm" -o "${SCRIPT_DIR}/lib/keyvalue-credential-admin.wasm"
+cargo build -p keyvalue-credential-store --release --target wasm32-unknown-unknown
+wasm-tools component new "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/keyvalue_credential_store.wasm" -o "${SCRIPT_DIR}/lib/keyvalue-credential-store.wasm"
+cargo build -p lifecycle-host-cli --release --target wasm32-unknown-unknown
+wasm-tools component new "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/lifecycle_host_cli.wasm" -o "${SCRIPT_DIR}/lib/lifecycle-host-cli.wasm"
+cargo build -p lifecycle-host-http --release --target wasm32-unknown-unknown
+wasm-tools component new "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/lifecycle_host_http.wasm" -o "${SCRIPT_DIR}/lib/lifecycle-host-http.wasm"
 
 # filesystem components
 
-cargo component build -p filesystem-lifecycle --release --target wasm32-wasip2
+cargo build -p filesystem-lifecycle --release --target wasm32-wasip2
 cp "${SCRIPT_DIR}/target/wasm32-wasip2/release/filesystem_lifecycle.wasm" "${SCRIPT_DIR}/lib/filesystem-lifecycle.wasm"
-cargo component build -p filesystem-credential-store --release --target wasm32-wasip2
+cargo build -p filesystem-credential-store --release --target wasm32-wasip2
 cp "${SCRIPT_DIR}/target/wasm32-wasip2/release/filesystem_credential_store.wasm" "${SCRIPT_DIR}/lib/filesystem-credential-store.wasm"
-cargo component build -p filesystem-credential-admin --release --target wasm32-wasip2
+cargo build -p filesystem-credential-admin --release --target wasm32-wasip2
 cp "${SCRIPT_DIR}/target/wasm32-wasip2/release/filesystem_credential_admin.wasm" "${SCRIPT_DIR}/lib/filesystem-credential-admin.wasm"
 
-
 # valkey components
 
-cargo component build -p valkey-lifecycle --release --target wasm32-wasip2
+cargo build -p valkey-lifecycle --release --target wasm32-wasip2
 wac plug "${SCRIPT_DIR}/target/wasm32-wasip2/release/valkey_lifecycle.wasm" --plug "${SCRIPT_DIR}/lib/deps/valkey-client.wasm" -o "${SCRIPT_DIR}/lib/valkey-lifecycle.wasm"
 wac plug "${SCRIPT_DIR}/lib/keyvalue-credential-store.wasm" --plug "${SCRIPT_DIR}/lib/deps/valkey-client.wasm" -o "${SCRIPT_DIR}/lib/valkey-credential-store.wasm"
 wac plug "${SCRIPT_DIR}/lib/keyvalue-credential-admin.wasm" --plug "${SCRIPT_DIR}/lib/deps/valkey-client.wasm" -o "${SCRIPT_DIR}/lib/valkey-credential-admin.wasm"
 
-
 # webhook components
 
-cargo component build -p webhook-credential-admin --release --target wasm32-unknown-unknown
-cp "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/webhook_credential_admin.wasm" "${SCRIPT_DIR}/lib/webhook-credential-admin.wasm"
-cargo component build -p webhook-credential-store --release --target wasm32-unknown-unknown
-cp "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/webhook_credential_store.wasm" "${SCRIPT_DIR}/lib/webhook-credential-store.wasm"
+cargo build -p webhook-credential-admin --release --target wasm32-unknown-unknown
+wasm-tools component new "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/webhook_credential_admin.wasm" -o "${SCRIPT_DIR}/lib/webhook-credential-admin.wasm"
+cargo build -p webhook-credential-store --release --target wasm32-unknown-unknown
+wasm-tools component new "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/webhook_credential_store.wasm" -o "${SCRIPT_DIR}/lib/webhook-credential-store.wasm"
 
 # test components
+
 cp "${SCRIPT_DIR}/lib/deps/filesystem-chroot.wasm" "${SCRIPT_DIR}/lib/test/filesystem-client.wasm"
 cp "${SCRIPT_DIR}/lib/deps/valkey-client.wasm" "${SCRIPT_DIR}/lib/test/keyvalue-client.wasm"
-cargo component build -p filesystem-ops --release --target wasm32-wasip2
+cargo build -p filesystem-ops --release --target wasm32-wasip2
 cp "${SCRIPT_DIR}/target/wasm32-wasip2/release/filesystem_ops.wasm" "${SCRIPT_DIR}/lib/test/filesystem-ops.wasm"
-cargo component build -p keyvalue-ops --release --target wasm32-unknown-unknown
-cp "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/keyvalue_ops.wasm" "${SCRIPT_DIR}/lib/test/keyvalue-ops.wasm"
-cargo component build -p lifecycle-router --release --target wasm32-unknown-unknown
-cp "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/lifecycle_router.wasm" "${SCRIPT_DIR}/lib/test/lifecycle-router.wasm"
-cargo component build -p ops-router --release --target wasm32-unknown-unknown
-cp "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/ops_router.wasm" "${SCRIPT_DIR}/lib/test/ops-router.wasm"
-cargo component build -p service-cli --release --target wasm32-wasip2
+cargo build -p keyvalue-ops --release --target wasm32-unknown-unknown
+wasm-tools component new "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/keyvalue_ops.wasm" -o "${SCRIPT_DIR}/lib/test/keyvalue-ops.wasm"
+cargo build -p lifecycle-router --release --target wasm32-unknown-unknown
+wasm-tools component new "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/lifecycle_router.wasm" -o "${SCRIPT_DIR}/lib/test/lifecycle-router.wasm"
+cargo build -p ops-router --release --target wasm32-unknown-unknown
+wasm-tools component new "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/ops_router.wasm" -o "${SCRIPT_DIR}/lib/test/ops-router.wasm"
+cargo build -p service-cli --release --target wasm32-wasip2
 cp "${SCRIPT_DIR}/target/wasm32-wasip2/release/service-cli.wasm" "${SCRIPT_DIR}/lib/test/service-cli.wasm"
 
 # stub components
 
-cargo component build -p stub-lifecycle --release --target wasm32-unknown-unknown
-cp "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/stub_lifecycle.wasm" "${SCRIPT_DIR}/lib/test/stub-lifecycle.wasm"
-cargo component build -p stub-client --release --target wasm32-unknown-unknown
-cp "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/stub_client.wasm" "${SCRIPT_DIR}/lib/test/stub-client.wasm"
-cargo component build -p stub-credential-admin --release --target wasm32-unknown-unknown
-cp "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/stub_credential_admin.wasm" "${SCRIPT_DIR}/lib/test/stub-credential-admin.wasm"
-cargo component build -p stub-credential-store --release --target wasm32-unknown-unknown
-cp "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/stub_credential_store.wasm" "${SCRIPT_DIR}/lib/test/stub-credential-store.wasm"
+cargo build -p stub-lifecycle --release --target wasm32-unknown-unknown
+wasm-tools component new "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/stub_lifecycle.wasm" -o "${SCRIPT_DIR}/lib/test/stub-lifecycle.wasm"
+cargo build -p stub-client --release --target wasm32-unknown-unknown
+wasm-tools component new "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/stub_client.wasm" -o "${SCRIPT_DIR}/lib/test/stub-client.wasm"
+cargo build -p stub-credential-admin --release --target wasm32-unknown-unknown
+wasm-tools component new "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/stub_credential_admin.wasm" -o "${SCRIPT_DIR}/lib/test/stub-credential-admin.wasm"
+cargo build -p stub-credential-store --release --target wasm32-unknown-unknown
+wasm-tools component new "${SCRIPT_DIR}/target/wasm32-unknown-unknown/release/stub_credential_store.wasm" -o "${SCRIPT_DIR}/lib/test/stub-credential-store.wasm"
 
 wac compose -o "${SCRIPT_DIR}/lib/test/logging.wasm" \
     -d componentized:logger="${SCRIPT_DIR}/lib/deps/logger.wasm" \