attestable-mcp-server

This project contains an MCP Server that is remotely attestable by MCP clients. To achieve this, a trusted execution environment is used, which generates a certificate representing the currently-running code of the attestable-mcp-server. The attestable-mcp-server sends this certificate in the TLS handshake to an MCP client before connecting that proves the code it's running is the same code built on github actions, and can be independently validated by building and running the code locally on emulated hardware or secure hardware; these values will be the same. The protocol used for client <-> server remote attestation is RA-TLS, an extension to TLS that adds machine and code specific measurements that can be verified by an MCP client. The most important concept behind this RA-TLS certificate is that it embeds an SGX quote in the standardized X.509 extension field with the TCG DICE "tagged evidence" OID, which in turn embeds the SGX report and the complete Intel SGX certificate chain. In addition to the SGX quote, the certificate also contains the evidence claims, with the most important one being the "pubkey-hash" claim that contains the hash of the ephemeral public key (in DER format) generated by the TEE of the memory image of the running MCP server.