Secure Tool Manifest and Digital Signing Solution for Verifiable MCP and LLM Pipelines
Saeid Jamshidi, Kawser Wazed Nafi, Arghavan Moradi Dakhel, Foutse Khomh, Amin Nikanjam, Mohammad Adnan Hamdaqa
TL;DR
This work tackles the lack of verifiability in LLM tool execution by extending the Model Context Protocol with cryptographically signed manifests, append-only transparency logs, and probabilistic auditing. The Secure Tool Manifest and Digital Signing framework implements a six-stage pipeline (manifest creation, policy enforcement, verification, logging, auditing, metrics) with formal cryptographic guarantees and scalability analyses, achieving near-linear scalability ($R^2=0.998$) and robust end-to-end accountability. Key findings include balanced model utilization ($\mathcal{F}\approx0.97$), stable verification latency, and adaptive enforcement that scales with workload while constraining overhead to below $5\%$ across tested sizes. The framework provides a reproducible, auditable basis for secure LLM deployment in regulated environments, enabling transparent verification, fair resource distribution, and resilience to adversarial manipulation.
Abstract
Large Language Models (LLMs) are increasingly adopted in sensitive domains such as healthcare and financial institutions' data analytics; however, their execution pipelines remain vulnerable to manipulation and unverifiable behavior. Existing control mechanisms, such as the Model Context Protocol (MCP), define compliance policies for tool invocation but lack verifiable enforcement and transparent validation of model actions. To address this gap, we propose a novel Secure Tool Manifest and Digital Signing Framework, a structured and security-aware extension of Model Context Protocols. The framework enforces cryptographically signed manifests, integrates transparent verification logs, and isolates model-internal execution metadata from user-visible components to ensure verifiable execution integrity. Furthermore, the evaluation demonstrates that the framework scales nearly linearly (R-squared = 0.998), achieves near-perfect acceptance of valid executions while consistently rejecting invalid ones, and maintains balanced model utilization across execution pipelines.
