v1.0
L1 · Essential · Automated verification

6. Supply Chain Integrity — How do we trust components?
6.2 Cryptographic Integrity Verification
Description
Component integrity MUST be cryptographically verified using signatures or checksums.
Rationale
Without verification, attackers can tamper with components in transit or at rest.
Audit Procedure
1. Check for signature verification
2. Verify checksums are validated
3. Check lockfiles include integrity hashes

Remediation
1. Enable integrity checking in package managers
2. Verify MCP server signatures
3. Use sigstore/cosign for containers
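The following is an added example, not text or code from this benchmark, showing how audit steps 2 and 3 can be automated: a dependency lockfile is checked so that every dependency entry carries a well-formed integrity hash, and a fetched artifact is validated against the hash recorded for it. It assumes the npm package-lock.json v2/v3 layout (a "packages" map whose entries carry SRI-style "integrity" strings such as "sha512-<base64>"); the artifact bytes and the lockfile below are constructed for the example.

```python
"""Added example (not part of the original benchmark): checksum and lockfile
integrity checks for a supply-chain audit.

Assumption (not from the page): the lockfile follows the npm package-lock.json
v2/v3 layout, i.e. a "packages" map with SRI-style "integrity" strings."""
import base64
import hashlib
import hmac
import json
import re

# Subresource-Integrity style value: "<algo>-<base64 digest>". Only the
# strong algorithms npm records are accepted; anything else is a finding.
SRI_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$")


def sri_for(data: bytes, algorithm: str = "sha512") -> str:
    """Compute the SRI string a lockfile would record for the given bytes."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Return True only if data hashes to the digest carried in `integrity`.

    The digest comparison is constant-time so a verifier that handles
    attacker-supplied artifacts does not leak digest bytes through timing."""
    match = SRI_RE.match(integrity or "")
    if not match:
        return False
    algorithm, expected_b64 = match.groups()
    try:
        expected = base64.b64decode(expected_b64, validate=True)
    except ValueError:
        return False
    actual = hashlib.new(algorithm, data).digest()
    return hmac.compare_digest(actual, expected)


def audit_lockfile(lockfile_text: str) -> dict:
    """Audit step 3: every dependency entry must carry a well-formed integrity hash."""
    lock = json.loads(lockfile_text)
    report = {"ok": [], "missing": [], "malformed": []}
    for name, entry in lock.get("packages", {}).items():
        if name == "":
            continue  # the root project entry never has an integrity field
        integrity = entry.get("integrity")
        if integrity is None:
            report["missing"].append(name)
        elif not SRI_RE.match(integrity):
            report["malformed"].append(name)
        else:
            report["ok"].append(name)
    return report


def verify_package(lockfile_text: str, name: str, data: bytes) -> bool:
    """Audit step 2: validate a fetched artifact against its lockfile entry."""
    entry = json.loads(lockfile_text).get("packages", {}).get(name)
    if entry is None:
        return False
    return verify_sri(data, entry.get("integrity", ""))


# Constructed sample data: a stand-in for a downloaded tarball, and a lockfile
# with one good entry, one entry missing its hash, and one entry that records
# a digest algorithm the policy does not accept.
SAMPLE_ARTIFACT = b"PK\x03\x04 placeholder tarball bytes for the example\n"
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/good-lib": {
            "version": "2.1.0",
            "resolved": "https://registry.example/good-lib-2.1.0.tgz",
            "integrity": sri_for(SAMPLE_ARTIFACT),
        },
        "node_modules/no-hash": {
            "version": "0.3.0",
            "resolved": "https://registry.example/no-hash-0.3.0.tgz",
        },
        "node_modules/weak-hash": {
            "version": "1.0.0",
            "resolved": "https://registry.example/weak-hash-1.0.0.tgz",
            "integrity": "md5-1B2M2Y8AsgTpgAmY7PhCfg==",
        },
    },
})


if __name__ == "__main__":
    print(json.dumps(audit_lockfile(SAMPLE_LOCKFILE), indent=2))
    print("good-lib verifies:",
          verify_package(SAMPLE_LOCKFILE, "node_modules/good-lib", SAMPLE_ARTIFACT))
    tampered = SAMPLE_ARTIFACT + b"\x00"
    print("tampered artifact verifies:",
          verify_package(SAMPLE_LOCKFILE, "node_modules/good-lib", tampered))
```

Entries in "missing" are the direct finding for audit step 3; entries in "malformed" deserve the same treatment, since a package manager that cannot parse the recorded hash will either skip the check or fail the install, and neither outcome is verification. A lockfile check is only worth as much as the fetch path that enforces it, so pair this with the package manager's own integrity enforcement rather than replacing it.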
Framework Mappings
CIS Control 2.7; NIST PR.DS-6