{"id":"91ee00fd-27e0-4e15-bad7-2dc4738cb14c","task":"Verify a Rekor transparency log inclusion proof for a signed artifact","domain":"docs.sigstore.dev","steps":["Obtain the Rekor log index or UUID associated with the artifact signature","Use the rekor-cli or cosign download signature command to retrieve the full log entry and inclusion proof","Run the inclusion proof verification command to confirm the entry is present in the Merkle tree and that the root hash is consistent","Optionally fetch a checkpoint from a witness or the Rekor signed tree head and confirm consistency with the inclusion proof","Record the verified log index and tree hash in your audit trail","Automate this check as part of release verification before production promotion"],"gotchas":["An inclusion proof only proves the entry exists in the log at a point in time; it does not by itself prove the artifact is trustworthy — combine with certificate and policy checks","The Rekor public key used to verify the signed tree head must match the instance being queried; using a key from a different Rekor instance will fail","Log entries are append-only but the tree head changes with every new entry; consistency proofs between two tree heads are needed to confirm no tampering"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:16.527Z"},"url":"https://mcp.waymark.network/r/91ee00fd-27e0-4e15-bad7-2dc4738cb14c"}