
attestable

Verify that any MCP server is running the intended and untampered code via hardware attestation.

Installation
Run this command in your terminal to add the MCP server to Claude Code:
claude mcp add --transport stdio kontext-dev-attestable-mcp-server -- docker run -p 8000:8000 --rm gsc-attestable-mcp-server

How to use

The attestable-mcp-server is an MCP server that supports remote attestation via RA-TLS. It runs inside a trusted execution environment (TEE) to generate a certificate that evidences the exact code running inside the enclave, which is then presented during the TLS handshake to MCP clients. This enables MCP clients to verify that they are communicating with the intended server build. On a local development setup, you can start the server using Docker, exposing port 8000 for client connections. The server is designed to work with the mTLS/RA-TLS flow and can be run on secure hardware or emulated environments. Clients can verify the attested measurements and, if desired, perform mutual attestation with the server before exchanging data.

To interact with or test the server, run the Docker image provided (gsc-attestable-mcp-server) and connect to it over TLS on port 8000. The build/CI flow in this project demonstrates producing attested artifacts and validating the measurements, enabling independent verification of the same values whether running on secure hardware or in an emulated environment. The tooling around the server focuses on providing a securely attested endpoint for MCP clients to trust and optionally allow attestation of clients as well.
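
The client-side measurement check described above, as an added example (not code from the attestable-mcp-server project). It assumes the attestation evidence is an Intel SGX quote with the standard 48-byte header and 384-byte report body, and that the first 32 bytes of report_data carry the SHA-256 of the certificate's public key; check_quote, make_quote and the sample values are hypothetical and constructed. Verifying the quote's signature against Intel collateral is a separate step that must also pass.

```python
import hashlib
import hmac
import struct

# Intel SGX quote: 48-byte header followed by a 384-byte report body.
HEADER_LEN, BODY_LEN = 48, 384
ATTR_FLAGS_OFF = HEADER_LEN + 48                        # attributes.flags (u64, LE)
MRENCLAVE = slice(HEADER_LEN + 64, HEADER_LEN + 96)     # hash of the enclave build
REPORT_DATA = slice(HEADER_LEN + 320, HEADER_LEN + 384)
SGX_FLAGS_DEBUG = 0x2

# Constructed sample values, not real measurements or keys.
SAMPLE_MRENCLAVE = b"\x11" * 32
SAMPLE_KEY_DER = b"constructed-public-key-bytes"


def check_quote(quote: bytes, cert_pubkey_der: bytes, expected_mrenclave: bytes) -> list:
    """Return policy failures for a quote; an empty list means every check passed.

    Does NOT verify the quote signature; do that first with a DCAP verifier.
    """
    if len(quote) < HEADER_LEN + BODY_LEN:
        return ["quote truncated"]
    failures = []
    if not hmac.compare_digest(quote[MRENCLAVE], expected_mrenclave):
        failures.append("MRENCLAVE does not match the expected build")
    (flags,) = struct.unpack_from("<Q", quote, ATTR_FLAGS_OFF)
    if flags & SGX_FLAGS_DEBUG:
        failures.append("enclave runs in debug mode")
    # Assumed binding: report_data[:32] == SHA-256(public key of the TLS certificate).
    bound = hashlib.sha256(cert_pubkey_der).digest()
    if not hmac.compare_digest(quote[REPORT_DATA][:32], bound):
        failures.append("quote is not bound to the TLS certificate key")
    return failures


def make_quote(mrenclave: bytes, pubkey_der: bytes, debug: bool = False) -> bytes:
    """Build a constructed, unsigned quote for exercising check_quote offline."""
    body = bytearray(BODY_LEN)
    struct.pack_into("<Q", body, 48, 0x5 | (SGX_FLAGS_DEBUG if debug else 0))
    body[64:96] = mrenclave
    body[320:352] = hashlib.sha256(pubkey_der).digest()
    return bytes(HEADER_LEN) + bytes(body)


if __name__ == "__main__":
    print(check_quote(make_quote(SAMPLE_MRENCLAVE, SAMPLE_KEY_DER), SAMPLE_KEY_DER, SAMPLE_MRENCLAVE))
```

The key-binding check is what stops a valid quote from being replayed behind a different TLS key, so a client should reject the connection if either that check or the measurement comparison fails.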

Tools and capabilities you can expect to leverage include: containerized deployment via Docker, RA-TLS-based attestation during TLS handshakes, and the ability to reproduce attestation results locally or on secure hardware by using the corresponding Gramine-based workflow described in the project’s quickstart.

How to install

Prerequisites:

  • Docker installed and running on your host
  • Access to the attestable-mcp-server image (gsc-attestable-mcp-server) or a build workflow that produces it

Step-by-step installation:

  1. Install Docker

  2. Pull or build the attestable MCP server image

    • Pull the prebuilt image from your registry (if available): docker pull gsc-attestable-mcp-server
    • Or build locally if you have a Dockerfile in the repository: docker build -t gsc-attestable-mcp-server .

  3. Run the MCP server

    • Start the server on port 8000 (accessible to MCP clients): docker run -p 8000:8000 --rm gsc-attestable-mcp-server

  4. Verify the server is running

    • Check logs produced by Docker: docker ps and docker logs <container_id>
    • Ensure port 8000 is listening and can be reached by an MCP client

Optional: Running on secure hardware

  • The repository describes a workflow to run the server inside a Gramine-based enclave and sign the image for attestation. If you’re reproducing the secure hardware path, follow the Gramine-based steps in the project’s Quickstart, adjust the Docker run to include device mappings, and ensure the enclave/key material is available to the container as required by your environment.

Additional notes

Notes and tips:

  • The server supports RA-TLS, enabling clients to verify the server’s code identity and measurements during TLS handshakes. This is useful for ensuring the authenticity of the service you’re connecting to.
  • If you plan to run in secure hardware, you’ll typically follow the Gramine-based workflow described in the Quickstart to build, sign, and run an attested image.
  • Ensure that your environment provides access to SGX-enabled hardware or emulation if you intend to test the full remote attestation flow.
  • The Docker approach exposes port 8000 to MCP clients; adjust firewall rules accordingly in production.
  • If you want to enable mutual attestation (server attesting clients), verify the MCP client supports RA-TLS and configure any required client attestation options as per the MCP specification.
  • In CI contexts, you can reproduce the same attestation values locally by validating the same artifacts produced by the workflow, ensuring consistent verification results across environments.
