Search for an entry by artifact hash using rekor-cli search --sha <sha256-hash-of-artifact> against https://rekor.sigstore.dev
Retrieve the full entry with rekor-cli get --uuid <uuid> to obtain the entry body, log index, and inclusion proof
Inspect the inclusion proof fields (hashes and tree size) returned in the JSON output to confirm the entry is anchored in the Merkle tree
Use rekor-cli verify --artifact <file> --signature <sig-file> --public-key <key-file> to perform a combined signature and inclusion proof check
Alternatively call the Rekor REST API directly: GET https://rekor.sigstore.dev/api/v1/log/entries/<uuid> to retrieve the entry in JSON and validate the inclusion proof programmatically
Known gotchas
Rekor UUIDs are derived from the log entry hash and can be obtained from the signature annotation on a signed OCI image or from the rekor-cli search output; they are not the same as an artifact hash
Inclusion proofs use Merkle tree hashes that must be recomputed and compared against the stored root hash; do not treat a 200 HTTP response alone as proof of valid inclusion
The public Rekor instance at rekor.sigstore.dev is operated as a best-effort public good; for production audit requirements, run a private Rekor instance or archive inclusion proof bundles offline
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp