Install rekor-cli from the sigstore/rekor GitHub releases page, then confirm connectivity with rekor-cli loginfo --rekor_server https://rekor.sigstore.dev
Search for entries by artifact hash using rekor-cli search --rekor_server https://rekor.sigstore.dev --sha <SHA256_HASH_OF_ARTIFACT>, which returns the UUID(s) of matching log entries
Retrieve the full entry details using rekor-cli get --rekor_server https://rekor.sigstore.dev --uuid <UUID>, which returns the entry body, inclusion proof, and signed entry timestamp (SET)
Verify the inclusion proof cryptographically by running rekor-cli verify --rekor_server https://rekor.sigstore.dev --artifact <FILE_PATH>, which checks the entry against the Merkle tree root
For programmatic access, query the REST API directly: GET https://rekor.sigstore.dev/api/v1/log/entries?logIndex=<INDEX> returns the entry as a JSON object with attestation payload and signature metadata
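What the inclusion-proof check in the steps above amounts to, as an added Python example (not rekor-cli's code and not from the original page): it recomputes the RFC 6962 leaf hash from an entry's decoded body and walks the audit path to the root hash. The response is constructed locally in the shape of the REST API's JSON; tree, sample_response and check_entry are names chosen for this example.

```python
import base64, hashlib, json

def leaf_hash(body):          # RFC 6962 leaf: SHA-256(0x00 || entry body)
    return hashlib.sha256(b"\x00" + body).digest()

def node_hash(left, right):   # interior node: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()

def verify_inclusion(leaf, index, size, path, root):  # RFC 9162 section 2.1.3.2
    if not 0 <= index < size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:            # sibling subtree is on the left
            r = node_hash(p, r)
            while fn and not fn & 1:      # climb past levels with no sibling
                fn, sn = fn >> 1, sn >> 1
        else:                             # sibling subtree is on the right
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def check_entry(response):    # response: parsed JSON holding one log entry
    (uuid, entry), = response.items()
    proof = entry["verification"]["inclusionProof"]
    leaf = leaf_hash(base64.b64decode(entry["body"]))
    path = [bytes.fromhex(h) for h in proof["hashes"]]
    # The UUID ends in the hex leaf hash; proof["logIndex"] is the index inside the proof's tree.
    return uuid[-64:] == leaf.hex() and verify_inclusion(
        leaf, proof["logIndex"], proof["treeSize"], path, bytes.fromhex(proof["rootHash"]))

def tree(hs, m):              # constructed-data helper: (root, audit path of leaf m)
    if len(hs) == 1:
        return hs[0], []
    k = 1 << (len(hs) - 1).bit_length() - 1   # largest power of two < len(hs)
    (lr, lp), (rr, rp) = tree(hs[:k], m), tree(hs[k:], m - k)
    return node_hash(lr, rr), (lp + [rr] if m < k else rp + [lr])

def sample_response(index=2, n=5):   # constructed stand-in for the API's JSON
    bodies = [json.dumps({"kind": "hashedrekord", "n": i}).encode() for i in range(n)]
    hs = [leaf_hash(b) for b in bodies]
    root, path = tree(hs, index)
    proof = {"logIndex": index, "treeSize": n, "rootHash": root.hex(),
             "hashes": [h.hex() for h in path]}
    return {hs[index].hex(): {"body": base64.b64encode(bodies[index]).decode(),
                              "verification": {"inclusionProof": proof}}}

print("inclusion proof valid:", check_entry(sample_response()))
```

A passing check only shows the entry is consistent with the root hash the server returned; trusting that root still requires verifying the signed checkpoint or SET against the log's public key.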
Known gotchas
Rekor entries are immutable and public; any artifact signed with keyless cosign against the public good instance is logged permanently and its hash, identity, and certificate are publicly discoverable
The rekor-cli search by hash requires the exact SHA256 of the artifact that was signed, not the container image digest; for OCI images the artifact hash is the manifest digest used at signing time
Log indices are monotonically increasing integers across the entire public instance; they are not scoped per project or user, so searching by index requires knowing the exact index from a prior lookup or from the signed entry timestamp embedded in the cosign signature