The complexity of the modern Software Supply Chain (SSC) introduces significant risks regarding the provenance and integrity of third-party dependencies. Current composition solutions often lack granular visibility into the artifacts they execute, relying on implicit trust in centralized registries. This paper introduces a security architecture designed to enforce explicit trust in software compositions. We define the concept of Verifiable Components, which bundle executable bytecode with cryptographically signed Software Bills of Materials (SBOMs) and audit metadata. Leveraging the nested structure of the WebAssembly Component Model, we propose a recursive verification protocol that validates the integrity of the entire dependency tree at runtime. We provide a formal proof using structural induction to demonstrate that, under standard cryptographic assumptions, our protocol eliminates the possibility of component tampering or masquerading. Furthermore, we present Wasmshield, a Rust-based prototype integrated with the Wasmtime runtime. Our evaluation shows that while generating verifiable components incurs a compilation overhead of approximately 42%, the architecture provides robust, runtime-agnostic integrity guarantees that effectively mitigate supply chain attacks.
Pereira et al. (Mon,) studied this question.
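The recursive check the abstract describes can be sketched as a hash tree over nested components. This is an added example, not the paper's protocol or Wasmshield code. Assumptions: the `Component` layout, the SBOM fields and the publisher keys are hypothetical, and HMAC-SHA256 stands in for a real signature scheme so the sketch runs on the standard library alone.

```python
import hashlib, hmac, json
from dataclasses import dataclass, field

# Assumption: HMAC-SHA256 under a per-publisher key stands in for a real
# signature scheme; keys and publisher names are constructed for this sketch.
TRUSTED_KEYS = {"publisher-a": b"constructed-key-a", "publisher-b": b"constructed-key-b"}

@dataclass
class Component:                 # hypothetical layout of a verifiable component
    name: str
    bytecode: bytes
    children: list = field(default_factory=list)
    sbom: bytes = b""            # canonical JSON: name, code digest, child SBOM digests
    signer: str = ""
    signature: bytes = b""

def sha(data):
    return hashlib.sha256(data).hexdigest()

def seal(c, signer):
    """Build and sign the SBOM; children must already be sealed (bottom-up)."""
    body = {"name": c.name, "code": sha(c.bytecode),
            "deps": [sha(k.sbom) for k in c.children]}
    c.sbom = json.dumps(body, sort_keys=True).encode()
    c.signer = signer
    c.signature = hmac.new(TRUSTED_KEYS[signer], c.sbom, hashlib.sha256).digest()
    return c

def verify(c):
    """Return every failure in the tree rooted at c; an empty list means trusted."""
    key = TRUSTED_KEYS.get(c.signer)
    if key is None or not hmac.compare_digest(
            hmac.new(key, c.sbom, hashlib.sha256).digest(), c.signature):
        return [f"{c.name}: SBOM signature not from a trusted signer"]
    body = json.loads(c.sbom)    # parsed only after the signature checks out
    errors = []
    if body["name"] != c.name or body["code"] != sha(c.bytecode):
        errors.append(f"{c.name}: bytecode does not match signed SBOM")
    if body["deps"] != [sha(k.sbom) for k in c.children]:
        errors.append(f"{c.name}: dependency set does not match signed SBOM")
    for k in c.children:         # inductive step: each subtree is verified the same way
        errors += verify(k)
    return errors

def sample_tree():
    """Constructed three-level composition: app -> http -> tls."""
    tls = seal(Component("tls", b"\x00asm-tls"), "publisher-b")
    http = seal(Component("http", b"\x00asm-http", [tls]), "publisher-b")
    return seal(Component("app", b"\x00asm-app", [http]), "publisher-a")
```

Because each parent's signed SBOM commits to the digest of every child's SBOM, replacing a nested dependency with another validly signed component is still caught at the parent.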