MCP.so
Sign In

➡️ attestable-mcp-server

@co-browser

About ➡️ attestable-mcp-server

Verify that any MCP server is running the intended and untampered code via hardware attestation.

Basic information

Category

Other

Runtime

python

Transports

stdio

Publisher

co-browser

Config

No standard config provided

This server doesn't expose a parseable MCP config block in its README. See the repository for install instructions.

Repository

Tools

No tools detected

We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.

Overview

What is attestable-mcp-server?

attestable-mcp-server is an MCP (Model Context Protocol) server that can be remotely attested by MCP clients. It uses a trusted execution environment (Intel SGX) and RA-TLS to generate a certificate that proves the server is running the exact code built on GitHub Actions. This enables independent verification of the server’s integrity without trusting the hosting provider.

How to use attestable-mcp-server?

Install dependencies: Intel SGX hardware and SDK, Gramine, Python 3.13, and Ubuntu 22.04. Build the Docker image with docker build -t attestable-mcp-server . and run Gramine commands to produce a signed artifact. Start the server on secure hardware with docker run including SGX device mounts, or on a local machine without SGX. MCP clients connect using standard MCP protocol; the RA-TLS handshake provides attestation automatically.

Key features of attestable-mcp-server

  • MCP clients can remotely attest the code running on any MCP server.
  • MCP servers can optionally remotely attest MCP clients.
  • Uses RA-TLS, an extension to TLS that embeds an SGX quote.
  • Embeds SGX quote in X.509 certificate with TCG DICE “tagged evidence” OID.
  • Enables independent verification via GitHub Actions or local rebuild.
  • Docker image signed by GitHub and built in a TEE.

Use cases of attestable-mcp-server

  • Ensuring an MCP server runs unmodified code in a confidential computing environment.
  • Verifying server integrity before allowing sensitive data or agentic workflows.
  • Auditing code provenance through independently reproducible measurements.
  • Building bidirectional trust between MCP clients and servers.

FAQ from attestable-mcp-server

What is remote attestation?

Remote attestation uses a trusted execution environment to generate a certificate containing measurements of the running code. The MCP client can verify these measurements against known good values from GitHub Actions, proving the server is running the expected code.

What hardware and software dependencies does attestable-mcp-server require?

It requires Intel SGX hardware, Gramine, Python 3.13, Ubuntu 22.04, and the Intel SGX SDK & PSW. For development, emulated SGX can be used without secure hardware.

How can I independently verify the server code?

You can rebuild the Docker image locally on emulated or real SGX hardware and compare the generated measurements. The GitHub Actions workflow also produces signed artifacts that match the running server.

Does attestable-mcp-server support client attestation?

Yes, MCP servers can optionally remotely attest MCP clients, though the README notes that a client demonstration is still in development.

What protocol does attestable-mcp-server use for attestation?

It uses RA-TLS, an extension to TLS that adds machine- and code-specific measurements. The SGX quote is embedded in an X.509 certificate extension using the TCG DICE “tagged evidence” OID.

Comments

More Other MCP servers