diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c374ac9..2e1e87d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,21 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ - name: Checkout spec repository
+ uses: actions/checkout@v4
+ with:
+ repository: IntentProof/intentproof-spec
+ ref: main
+ path: intentproof-spec
+
+ - name: Ensure spec sdk-signing golden checkout
+ run: |
+ if [[ -d intentproof-spec/golden/sdk-signing ]]; then
+ exit 0
+ fi
+ git -C intentproof-spec fetch origin phase3-ecosystem-conformance
+ git -C intentproof-spec checkout FETCH_HEAD
+
 - uses: actions/setup-python@v6
 with:
 python-version: '3.11'
@@ -22,4 +37,11 @@ jobs:
 pip install -e ".[dev]"
 - name: Run tests with coverage
+ env:
+ INTENTPROOF_SPEC_DIR: intentproof-spec
 run: bash ./scripts/run-coverage-gate.sh
+
+ - name: Verify sdk-signing fixtures synced with spec
+ env:
+ INTENTPROOF_SPEC_DIR: intentproof-spec
+ run: bash ./scripts/check-sdk-signing-fixtures-sync.sh
diff --git a/scripts/check-sdk-signing-fixtures-sync.sh b/scripts/check-sdk-signing-fixtures-sync.sh
new file mode 100755
index 0000000..44acef8
--- /dev/null
+++ b/scripts/check-sdk-signing-fixtures-sync.sh
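Review bot: In the `Checkout spec repository` step of `.github/workflows/ci.yml`, the golden signing vectors are taken from `ref: main`, and the following step can switch the checkout to `FETCH_HEAD` of `phase3-ecosystem-conformance`; both are moving branches, so what counts as golden in a CI run can change without any change to this repository. Pinning to a reviewed commit, `ref: <spec-commit-sha>` (placeholder), and dropping the branch fallback once `golden/sdk-signing` is on that commit would make the signing check reproducible. The step also uses `actions/checkout@v4` while the first checkout in this job uses `@v6`. If the spec repository is public, `persist-credentials: false` under `with:` keeps the job token out of `intentproof-spec/.git/config` for the later `pip install` and script steps.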
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# Fail when mirrored SDK signing fixtures drift from intentproof-spec.
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+LOCAL="${ROOT}/tests/fixtures"
+CANONICAL="${INTENTPROOF_SPEC_DIR:?INTENTPROOF_SPEC_DIR must point at intentproof-spec}/golden/sdk-signing"
+
+if [[ ! -d "$CANONICAL" ]]; then
+ echo "canonical sdk-signing fixtures not found at ${CANONICAL}" >&2
+ exit 1
+fi
+
+shopt -s nullglob
+files=("${CANONICAL}"/signing_*)
+if [[ ${#files[@]} -eq 0 ]]; then
+ echo "no signing fixtures under ${CANONICAL}" >&2
+ exit 1
+fi
+
+fail=0
+for canonical in "${files[@]}"; do
+ base="$(basename "$canonical")"
+ local_path="${LOCAL}/${base}"
+ if [[ ! -f "$local_path" ]]; then
+ continue
+ fi
+ if ! cmp -s "$canonical" "$local_path"; then
+ echo "sdk-signing fixture drift: ${base} differs from spec golden/sdk-signing" >&2
+ fail=1
+ fi
+done
+
+if [[ "$fail" -ne 0 ]]; then
+ exit 1
+fi
+
+echo "PASS: sdk-signing fixture mirrors match spec golden."
diff --git a/tests/test_sdk.py b/tests/test_sdk.py
index e396c2a..6a81e53 100644
--- a/tests/test_sdk.py
+++ b/tests/test_sdk.py
@@ -4,6 +4,7 @@
 import base64
 import json
+import os
 import tempfile
 import threading
 from pathlib import Path
@@ -287,8 +288,15 @@ def fake_post(url: str, event: dict) -> None:
 assert len(posted) == 1
+def _signing_fixture_dir() -> Path:
+ spec_dir = os.environ.get("INTENTPROOF_SPEC_DIR", "").strip()
+ if spec_dir:
+ return Path(spec_dir) / "golden" / "sdk-signing"
+ return Path(__file__).parent / "fixtures"
+
+
 def test_signing_golden_bytes() -> None:
- fixture_dir = Path(__file__).parent / "fixtures"
+ fixture_dir = _signing_fixture_dir()
 unsigned = json.loads(
 (fixture_dir / "signing_unsigned_event.json").read_text(encoding="utf-8")
 )
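Review bot: In `scripts/check-sdk-signing-fixtures-sync.sh`, a canonical fixture that has no local mirror is skipped by the `continue` in the loop, so the script prints `PASS` even when `tests/fixtures` holds none of the `signing_*` files; a local `signing_*` file that no longer exists in the spec is not noticed either. If the mirror is meant to be complete, replace the `continue` with `echo "sdk-signing fixture missing locally: ${base}" >&2` and `fail=1`. If a partial mirror is intended, count the files actually compared and exit non-zero when the count is zero, and say so in the header comment.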
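Review bot: In `tests/test_sdk.py`, `_signing_fixture_dir` returns the spec path whenever `INTENTPROOF_SPEC_DIR` is non-empty without checking that `golden/sdk-signing` exists there, so a stale or mistyped value surfaces as a `FileNotFoundError` from `read_text` inside `test_signing_golden_bytes` rather than naming the variable. Because these are the golden vectors for signing, failing loudly is preferable to falling back to the bundled copy; an `assert candidate.is_dir(), f"INTENTPROOF_SPEC_DIR has no golden/sdk-signing: {candidate}"` before the first return would do, with `candidate` bound to the joined path. A one-line docstring stating that the environment variable overrides the `tests/fixtures` copy would also help. The body of `test_signing_golden_bytes` continues past the end of the hunk.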