Signatures

Cryptographic proof of approval using Ed25519


MCPTrust uses Ed25519, a modern elliptic curve signature scheme known for its speed and security.

The Signature File

When you run mcptrust sign, a file named mcp-lock.json.sig is created next to the lockfile. It holds a detached signature over the canonicalized form of mcp-lock.json, not over its raw bytes: verifiers recompute the canonical form before checking, so reformatting the lockfile does not invalidate the signature, while any change to its content does.

Signature Formats

  • Ed25519 (v1/v2): Raw 64-byte detached signature, with nothing else in the file.
  • Sigstore (v3): JSON bundle containing the verification material (certificate chain and transparency log entry) together with the signature.

Keyless Signing (CI / OIDC)

MCPTrust also supports keyless signing via Sigstore, primarily designed for GitHub Actions. This mode relies on OIDC identities (like your repository's workflow identity) instead of managing private key files.

[!CAUTION] Privacy Note: Keyless signing writes an immutable record to the public Sigstore transparency log. That record includes the OIDC identity the certificate was issued to (e.g., your workflow URL or email address) and cannot be removed afterwards.

[!WARNING] Compatibility: Sigstore signatures (v3) use a different format than raw Ed25519 signatures, so a verifier running an mcptrust that only understands v1/v2 cannot verify them. Upgrade every verifier on your team to the latest mcptrust before enabling this flow.

Local vs. CI

  • Local: Keyless signing may require an interactive browser flow to authenticate.
  • CI (GitHub Actions): Uses the environment's OIDC token automatically (non-interactive).

Key Management

Private Key (private.key)

  • Role: Used to approve changes by signing the lockfile.
  • Storage: Offline, Vault, or a secure 1Password entry; never committed to git.
  • Risk: If stolen, an attacker can sign approvals for malicious tools, and those approvals verify as genuine until the key is rotated.

Public Key (public.key)

  • Role: Used to verify approvals.
  • Storage: Committed to git, embedded in Docker images.
  • Risk: Low. Public keys are meant to be shared, but verifiers must obtain them through a channel they trust; an attacker who can swap the public key a verifier uses can also swap the signature.

Rotation

To rotate keys:

  1. Generate a new keypair with `mcptrust keygen`.
  2. Resign the lockfile with the new private key.
  3. Distribute the new public key to all verifiers. Until a verifier has received it, that verifier will reject the freshly signed lockfile, so roll out the public key before (or together with) the new signature. If you are rotating because the old private key may have been compromised, also remove the old public key from every verifier so signatures made with the stolen key stop being accepted.
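The following Go program is an added example, not part of MCPTrust or this page; it shows what the Signature File section and the rotation procedure above look like in code, using only Go's standard-library crypto/ed25519. It assumes a stand-in canonicalization (compact JSON with sorted keys), a made-up lockfile layout, and an in-memory list of trusted public keys; MCPTrust's real canonical form, lockfile schema and key storage are not specified on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// canonicalize renders a lockfile as compact JSON with sorted object keys.
// ASSUMPTION: this page does not define MCPTrust's canonicalization, so this
// stand-in (Go's json.Marshal sorts map keys and emits no whitespace) is used
// only to make the demo self-contained. Round-tripping through interface{}
// parses numbers as float64, which would mangle very large integers.
func canonicalize(lockfile []byte) ([]byte, error) {
	var v interface{}
	if err := json.Unmarshal(lockfile, &v); err != nil {
		return nil, fmt.Errorf("lockfile is not valid JSON: %w", err)
	}
	return json.Marshal(v)
}

// Sign returns the raw 64-byte detached signature (the v1/v2 format) over the
// canonical form of the lockfile, i.e. the bytes that would be written to
// mcp-lock.json.sig.
func Sign(priv ed25519.PrivateKey, lockfile []byte) ([]byte, error) {
	canon, err := canonicalize(lockfile)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, canon), nil
}

// Verify recomputes the canonical form and checks the detached signature
// against every trusted public key. Accepting a list lets a verifier trust
// both the outgoing and the incoming key while a rotation is in progress.
func Verify(trusted []ed25519.PublicKey, lockfile, sig []byte) error {
	if len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("signature is %d bytes, want %d", len(sig), ed25519.SignatureSize)
	}
	canon, err := canonicalize(lockfile)
	if err != nil {
		return err
	}
	for _, pub := range trusted {
		if ed25519.Verify(pub, canon, sig) {
			return nil
		}
	}
	return errors.New("signature does not match any trusted public key")
}

// mustKey is a demo helper: generate a keypair or abort.
func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		fmt.Println("keygen failed:", err)
		os.Exit(1)
	}
	return pub, priv
}

func main() {
	// Constructed sample lockfile; the real mcp-lock.json schema is not shown on this page.
	lock := []byte(`{
  "version": 2,
  "tools": { "filesystem": { "digest": "sha256:0123abcd" } }
}`)
	// Same content, different key order and whitespace: must still verify.
	reordered := []byte(`{"tools":{"filesystem":{"digest":"sha256:0123abcd"}},"version":2}`)
	// One character of the digest changed: must fail.
	tampered := []byte(`{"version":2,"tools":{"filesystem":{"digest":"sha256:0123abce"}}}`)

	pubA, privA := mustKey()
	sigA, _ := Sign(privA, lock)
	fmt.Printf("signature length: %d bytes\n", len(sigA))
	fmt.Println("original verifies:  ", Verify([]ed25519.PublicKey{pubA}, lock, sigA) == nil)
	fmt.Println("reordered verifies: ", Verify([]ed25519.PublicKey{pubA}, reordered, sigA) == nil)
	fmt.Println("tampered verifies:  ", Verify([]ed25519.PublicKey{pubA}, tampered, sigA) == nil)

	// Rotation: new keypair, resign, then distribute the new public key.
	pubB, privB := mustKey()
	sigB, _ := Sign(privB, lock)
	stale := []ed25519.PublicKey{pubA}         // verifier that has not received pubB yet
	updated := []ed25519.PublicKey{pubA, pubB} // verifier trusting both keys during the transition
	fmt.Println("stale verifier accepts new sig:  ", Verify(stale, lock, sigB) == nil)
	fmt.Println("updated verifier accepts new sig:", Verify(updated, lock, sigB) == nil)
}
```

The reordered lockfile verifying while the tampered one fails is the whole point of signing the canonical form. The last two lines are step 3 of the rotation: a verifier that still holds only the old public key rejects the resigned lockfile, which is why the new public key has to reach every verifier before the new signature is rolled out.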