Obtain the Rekor log index or UUID associated with the artifact signature
Use the rekor-cli or cosign download signature command to retrieve the full log entry and inclusion proof
Run the inclusion proof verification command to confirm the entry is present in the Merkle tree and that the root hash is consistent
Optionally fetch a checkpoint from a witness or the Rekor signed tree head and confirm consistency with the inclusion proof
Record the verified log index and tree hash in your audit trail
Automate this check as part of release verification before production promotion
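The inclusion proof check from the steps above, written out as an added example (not code from Rekor, rekor-cli or cosign): it recomputes the RFC 6962 Merkle root from an entry and its proof hashes and compares it with the root hash in the proof. The proof dictionary's field names (logIndex, treeSize, rootHash, hashes) are assumed to mirror Rekor's inclusionProof object, the helper names and the seven log entries are constructed, and verifying the signature on the tree head is not covered.

```python
import hashlib
import hmac

def leaf_hash(entry: bytes) -> bytes:  # RFC 6962: 0x00 prefix for leaves
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:  # 0x01 prefix for nodes
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:  # largest power of two strictly below n (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves: list) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def audit_path(i: int, leaves: list) -> list:  # log side: siblings of leaf i
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if i < k:
        return audit_path(i, leaves[:k]) + [merkle_root(leaves[k:])]
    return audit_path(i - k, leaves[k:]) + [merkle_root(leaves[:k])]

def verify_inclusion(entry: bytes, proof: dict) -> bool:  # client side
    fn, sn = proof["logIndex"], proof["treeSize"] - 1
    if fn > sn:
        return False  # index outside the tree
    r = leaf_hash(entry)
    for p in map(bytes.fromhex, proof["hashes"]):
        if sn == 0:
            return False  # more hashes than the tree has levels
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # sibling is on the left
            while fn and not fn & 1:  # skip levels with no right sibling
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)  # sibling is on the right
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and hmac.compare_digest(r, bytes.fromhex(proof["rootHash"]))

def make_proof(i: int, entries: list) -> dict:  # builds a constructed proof
    leaves = [leaf_hash(e) for e in entries]
    return {"logIndex": i, "treeSize": len(leaves), "rootHash": merkle_root(leaves).hex(),
            "hashes": [h.hex() for h in audit_path(i, leaves)]}

ENTRIES = [b"entry-%d" % n for n in range(7)]  # constructed sample log entries
```

A proof checked against the root of a different tree size is rejected, which is why the tree size and root hash recorded in the audit trail have to come from the same tree head.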
Known gotchas
An inclusion proof only proves the entry exists in the log at a point in time; it does not by itself prove the artifact is trustworthy — combine with certificate and policy checks
The Rekor public key used to verify the signed tree head must match the instance being queried; verification with a key from a different Rekor instance will fail
Log entries are append-only but the tree head changes with every new entry; consistency proofs between two tree heads are needed to confirm no tampering