Sigstore Cosign MCP
Keyless artefact signing with Fulcio + Rekor. Transparent supply-chain provenance.
Install
# Option 1 — uvx (no install)
uvx sigstore-cosign-mcp
# Option 2 — pip
pip install sigstore-cosign-mcp
# Option 3 — npx meok-setup install (recommended)
npx meok-setup --pack cybersec
What it does
- ✓ Keyless OIDC signing
- ✓ Rekor transparency log
- ✓ Cosign verify + bundle
- ✓ RFC 3161 timestamps
Claude Desktop config
{
  "mcpServers": {
    "sigstore-cosign": {
      "command": "uvx",
      "args": ["sigstore-cosign-mcp"]
    }
  }
}
Part of the MEOK governance MCP suite — see all 38 servers
MIT licensed · HMAC-signed attestations · Built by MEOK AI Labs