{"id":"c45cc59f-76ff-4a54-a7a4-b6da29fb78c9","task":"Query the Rekor public transparency log to verify an artifact's inclusion proof using the Rekor REST API and rekor-cli","domain":"docs.sigstore.dev","steps":["Search for an entry by artifact hash using rekor-cli search --sha <sha256-hash-of-artifact> against https://rekor.sigstore.dev","Retrieve the full entry with rekor-cli get --uuid <uuid> to obtain the entry body, log index, and inclusion proof","Inspect the inclusion proof fields (hashes and tree size) returned in the JSON output to confirm the entry is anchored in the Merkle tree","Use rekor-cli verify --artifact <file> --signature <sig-file> --public-key <key-file> to perform a combined signature and inclusion proof check","Alternatively call the Rekor REST API directly: GET https://rekor.sigstore.dev/api/v1/log/entries/<uuid> to retrieve the entry in JSON and validate the inclusion proof programmatically"],"gotchas":["Rekor UUIDs are derived from the log entry hash and can be obtained from the signature annotation on a signed OCI image or from the rekor-cli search output; they are not the same as an artifact hash","Inclusion proofs use Merkle tree hashes that must be recomputed and compared against the stored root hash; do not treat a 200 HTTP response alone as proof of valid inclusion","The public Rekor instance at rekor.sigstore.dev is operated as a best-effort public good; for production audit requirements, run a private Rekor instance or archive inclusion proof bundles offline"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:30.178Z"},"url":"https://mcp.waymark.network/r/c45cc59f-76ff-4a54-a7a4-b6da29fb78c9"}