sign
Cryptographically sign a lockfile
Synopsis
    mcptrust sign [flags]

Reads mcp-lock.json and produces mcp-lock.json.sig.
Supports both Ed25519 private keys and Sigstore OIDC keyless signing.
Flags
| Flag | Default | Description |
|---|---|---|
| -h, --help | | help for sign |
| -k, --key | "private.key" | Path to the private key |
| -l, --lockfile | "mcp-lock.json" | Path to the lockfile to sign |
| -o, --output | "mcp-lock.json.sig" | Path for the signature file |
Examples
    mcptrust sign --key private.key

The output mcp-lock.json.sig is a raw binary signature (or hex-encoded, depending on version) of the canonicalized lockfile.
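Because the signature file may be raw or hex-encoded depending on version, a consumer that checks it outside the tool has to accept both forms. The Go code below is an added example, not mcptrust's own code: it verifies an Ed25519 detached signature in either encoding. The helpers `canonicalize`, `decodeSig` and `verifyLockfile` are hypothetical names, and the canonical form used (sorted keys, no whitespace) is an assumption, since this page does not define mcptrust's canonicalization.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// canonicalize re-emits JSON with sorted keys and no whitespace. ASSUMPTION: a
// stand-in for mcptrust's canonical form, which this page does not specify.
func canonicalize(raw []byte) ([]byte, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep numbers as written instead of converting to float64
	var v interface{}
	if err := dec.Decode(&v); err != nil {
		return nil, err
	}
	return json.Marshal(v) // encoding/json writes map keys in sorted order
}

// decodeSig accepts a raw 64-byte signature or its 128-character hex encoding.
func decodeSig(b []byte) ([]byte, error) {
	if len(b) == ed25519.SignatureSize {
		return b, nil
	}
	s, err := hex.DecodeString(string(bytes.TrimSpace(b)))
	if err == nil && len(s) != ed25519.SignatureSize {
		err = fmt.Errorf("signature is %d bytes, want %d", len(s), ed25519.SignatureSize)
	}
	return s, err
}

// verifyLockfile checks a detached signature over the canonicalized lockfile.
func verifyLockfile(pub ed25519.PublicKey, lock, sigFile []byte) (bool, error) {
	msg, err := canonicalize(lock)
	if err != nil {
		return false, err
	}
	sig, err := decodeSig(sigFile)
	return err == nil && ed25519.Verify(pub, msg, sig), err
}

func main() { // constructed demo key and lockfile, not real mcptrust data
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, ed25519.SeedSize))
	hexSig := hex.EncodeToString(ed25519.Sign(priv, []byte(`{"a":"x","b":1}`))) + "\n"
	pub := priv.Public().(ed25519.PublicKey)
	fmt.Println(verifyLockfile(pub, []byte(`{"b": 1, "a": "x"}`), []byte(hexSig)))
}
```

Signatures produced through Sigstore OIDC keyless signing are outside what this example covers.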