Merge branch 'main' into allow-google-artifact-registry

Author: rdimitrov

.github/workflows/release.yml

@@ -25,7 +25,7 @@ jobs:
           cache: true
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad
+        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5
 
       - name: Install Syft
         uses: anchore/sbom-action/[email protected]

README.md

@@ -6,6 +6,8 @@ The MCP registry provides MCP clients with a list of MCP servers, like an app st
 
 ## Development Status
 
+**2025-10-24 update**: The Registry API has entered an **API freeze (v0.1)** 🎉. For the next month or more, the API will remain stable with no breaking changes, allowing integrators to confidently implement support. This freeze applies to v0.1 while development continues on v0. We'll use this period to validate the API in real-world integrations and gather feedback to shape v1 for general availability. Thank you to everyone for your contributions and patience—your involvement has been key to getting us here!
+
 **2025-09-08 update**: The registry has launched in preview 🎉 ([announcement blog post](https://blog.modelcontextprotocol.io/posts/2025-09-08-mcp-registry-preview/)). While the system is now more stable, this is still a preview release and breaking changes or data resets may occur. A general availability (GA) release will follow later. We'd love your feedback in [GitHub discussions](https://github.com/modelcontextprotocol/registry/discussions/new?category=ideas) or in the [#registry-dev Discord](https://discord.com/channels/1358869848138059966/1369487942862504016) ([joining details here](https://modelcontextprotocol.io/community/communication)).
 
 Current key maintainers:

cmd/publisher/auth/common.go

@@ -3,21 +3,38 @@ package auth
 import (
 	"bytes"
 	"context"
+	"crypto/ecdsa"
 	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/sha512"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
+	"math/big"
 	"net/http"
 	"time"
 )
 
+type CryptoAlgorithm string
+
+const (
+	AlgorithmEd25519 CryptoAlgorithm = "ed25519"
+
+	// ECDSA with NIST P-384 curve
+	// public key is in compressed format
+	// signature is in R || S format
+	AlgorithmECDSAP384 CryptoAlgorithm = "ecdsap384"
+)
+
 // CryptoProvider provides common functionality for DNS and HTTP authentication
 type CryptoProvider struct {
-	registryURL string
-	domain      string
-	hexSeed     string
-	authMethod  string
+	registryURL     string
+	domain          string
+	privateKey      string
+	cryptoAlgorithm CryptoAlgorithm
+	authMethod      string
 }
 
 // GetToken retrieves the registry JWT token using cryptographic authentication
@@ -26,38 +43,100 @@ func (c *CryptoProvider) GetToken(ctx context.Context) (string, error) {
 		return "", fmt.Errorf("%s domain is required", c.authMethod)
 	}
 
-	if c.hexSeed == "" {
-		return "", fmt.Errorf("%s private key (hex seed) is required", c.authMethod)
+	if c.privateKey == "" {
+		return "", fmt.Errorf("%s private key (hex) is required", c.authMethod)
 	}
 
-	// Decode hex seed to private key
-	seedBytes, err := hex.DecodeString(c.hexSeed)
+	// Decode private key from hex
+	privateKeyBytes, err := hex.DecodeString(c.privateKey)
 	if err != nil {
-		return "", fmt.Errorf("invalid hex seed format: %w", err)
-	}
-
-	if len(seedBytes) != ed25519.SeedSize {
-		return "", fmt.Errorf("invalid seed length: expected %d bytes, got %d", ed25519.SeedSize, len(seedBytes))
+		return "", fmt.Errorf("invalid hex private key format: %w", err)
 	}
 
-	privateKey := ed25519.NewKeyFromSeed(seedBytes)
-
 	// Generate current timestamp
 	timestamp := time.Now().UTC().Format(time.RFC3339)
-
-	// Sign the timestamp
-	signature := ed25519.Sign(privateKey, []byte(timestamp))
-	signedTimestamp := hex.EncodeToString(signature)
+	signedTimestamp, err := c.signMessage(privateKeyBytes, []byte(timestamp))
+	if err != nil {
+		return "", fmt.Errorf("failed to sign timestamp: %w", err)
+	}
+	signedTimestampHex := hex.EncodeToString(signedTimestamp)
 
 	// Exchange signature for registry token
-	registryToken, err := c.exchangeTokenForRegistry(ctx, c.domain, timestamp, signedTimestamp)
+	registryToken, err := c.exchangeTokenForRegistry(ctx, c.domain, timestamp, signedTimestampHex)
 	if err != nil {
 		return "", fmt.Errorf("failed to exchange %s signature: %w", c.authMethod, err)
 	}
 
 	return registryToken, nil
 }
 
+func (c *CryptoProvider) signMessage(privateKeyBytes []byte, message []byte) ([]byte, error) {
+	switch c.cryptoAlgorithm {
+	case AlgorithmEd25519:
+		if len(privateKeyBytes) != ed25519.SeedSize {
+			return nil, fmt.Errorf("invalid seed length: expected %d bytes, got %d", ed25519.SeedSize, len(privateKeyBytes))
+		}
+
+		privateKey := ed25519.NewKeyFromSeed(privateKeyBytes)
+		signature := ed25519.Sign(privateKey, message)
+		return signature, nil
+	case AlgorithmECDSAP384:
+		if len(privateKeyBytes) != 48 {
+			return nil, fmt.Errorf("invalid seed length for ECDSA P-384: expected 48 bytes, got %d", len(privateKeyBytes))
+		}
+
+		digest := sha512.Sum384(message)
+		curve := elliptic.P384()
+
+		// Parse the raw private key (compatible with Go 1.24)
+		privateKey, err := parseRawPrivateKey(curve, privateKeyBytes)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse ECDSA private key: %w", err)
+		}
+
+		r, s, err := ecdsa.Sign(rand.Reader, privateKey, digest[:])
+		if err != nil {
+			return nil, fmt.Errorf("failed to sign message: %w", err)
+		}
+		signature := append(r.Bytes(), s.Bytes()...)
+		return signature, nil
+	default:
+		return nil, fmt.Errorf("unsupported crypto algorithm: %s", c.cryptoAlgorithm)
+	}
+}
+
+// parseRawPrivateKey parses a raw ECDSA private key from bytes.
+// This mimics crypto/ecdsa.ParseRawPrivateKey from Go 1.25+ for compatibility with Go 1.24.
+func parseRawPrivateKey(curve elliptic.Curve, privateKeyBytes []byte) (*ecdsa.PrivateKey, error) {
+	if curve == nil {
+		return nil, fmt.Errorf("nil curve")
+	}
+
+	// Only standard NIST curves supported
+	switch curve {
+	case elliptic.P224(), elliptic.P256(), elliptic.P384(), elliptic.P521():
+		// ok
+	default:
+		return nil, fmt.Errorf("unsupported curve")
+	}
+
+	d := new(big.Int).SetBytes(privateKeyBytes)
+	params := curve.Params()
+	if d.Sign() <= 0 || d.Cmp(params.N) >= 0 {
+		return nil, fmt.Errorf("invalid private scalar")
+	}
+
+	x, y := curve.ScalarBaseMult(d.Bytes())
+	return &ecdsa.PrivateKey{
+		PublicKey: ecdsa.PublicKey{
+			Curve: curve,
+			X:     x,
+			Y:     y,
+		},
+		D: d,
+	}, nil
+}
+
 // NeedsLogin always returns false for cryptographic auth since no interactive login is needed
 func (c *CryptoProvider) NeedsLogin() bool {
 	return false

cmd/publisher/auth/dns.go

@@ -5,13 +5,14 @@ type DNSProvider struct {
 }
 
 // NewDNSProvider creates a new DNS-based auth provider
-func NewDNSProvider(registryURL, domain, hexSeed string) Provider {
+func NewDNSProvider(registryURL, domain, privateKey string, cryptoAlgorithm CryptoAlgorithm) Provider {
 	return &DNSProvider{
 		CryptoProvider: &CryptoProvider{
-			registryURL: registryURL,
-			domain:      domain,
-			hexSeed:     hexSeed,
-			authMethod:  "dns",
+			registryURL:     registryURL,
+			domain:          domain,
+			privateKey:      privateKey,
+			cryptoAlgorithm: cryptoAlgorithm,
+			authMethod:      "dns",
 		},
 	}
 }

cmd/publisher/auth/http.go

@@ -5,13 +5,14 @@ type HTTPProvider struct {
 }
 
 // NewHTTPProvider creates a new HTTP-based auth provider
-func NewHTTPProvider(registryURL, domain, hexSeed string) Provider {
+func NewHTTPProvider(registryURL, domain, privateKey string, cryptoAlgorithm CryptoAlgorithm) Provider {
 	return &HTTPProvider{
 		CryptoProvider: &CryptoProvider{
-			registryURL: registryURL,
-			domain:      domain,
-			hexSeed:     hexSeed,
-			authMethod:  "http",
+			registryURL:     registryURL,
+			domain:          domain,
+			privateKey:      privateKey,
+			cryptoAlgorithm: cryptoAlgorithm,
+			authMethod:      "http",
 		},
 	}
 }

cmd/publisher/commands/login.go

@@ -17,6 +17,21 @@ const (
 	TokenFileName      = ".mcp_publisher_token" //nolint:gosec // Not a credential, just a filename
 )
 
+type CryptoAlgorithm auth.CryptoAlgorithm
+
+func (c *CryptoAlgorithm) String() string {
+	return string(*c)
+}
+
+func (c *CryptoAlgorithm) Set(v string) error {
+	switch v {
+	case string(auth.AlgorithmEd25519), string(auth.AlgorithmECDSAP384):
+		*c = CryptoAlgorithm(v)
+		return nil
+	}
+	return fmt.Errorf("invalid algorithm: %q (allowed: ed25519, ecdsap384)", v)
+}
+
 func LoginCommand(args []string) error {
 	if len(args) < 1 {
 		return errors.New("authentication method required\n\nUsage: mcp-publisher login <method>\n\nMethods:\n  github        Interactive GitHub authentication\n  github-oidc   GitHub Actions OIDC authentication\n  dns           DNS-based authentication (requires --domain and --private-key)\n  http          HTTP-based authentication (requires --domain and --private-key)\n  none          Anonymous authentication (for testing)")
@@ -28,13 +43,15 @@ func LoginCommand(args []string) error {
 	loginFlags := flag.NewFlagSet("login", flag.ExitOnError)
 	var domain string
 	var privateKey string
+	var cryptoAlgorithm = CryptoAlgorithm(auth.AlgorithmEd25519)
 	var registryURL string
 
 	loginFlags.StringVar(&registryURL, "registry", DefaultRegistryURL, "Registry URL")
 
 	if method == "dns" || method == "http" {
 		loginFlags.StringVar(&domain, "domain", "", "Domain name")
-		loginFlags.StringVar(&privateKey, "private-key", "", "Private key (64-char hex)")
+		loginFlags.StringVar(&privateKey, "private-key", "", "Private key (hex)")
+		loginFlags.Var(&cryptoAlgorithm, "algorithm", "Cryptographic algorithm (ed25519, ecdsap384)")
 	}
 
 	if err := loginFlags.Parse(args[1:]); err != nil {
@@ -52,12 +69,12 @@ func LoginCommand(args []string) error {
 		if domain == "" || privateKey == "" {
 			return errors.New("dns authentication requires --domain and --private-key")
 		}
-		authProvider = auth.NewDNSProvider(registryURL, domain, privateKey)
+		authProvider = auth.NewDNSProvider(registryURL, domain, privateKey, auth.CryptoAlgorithm(cryptoAlgorithm))
 	case "http":
 		if domain == "" || privateKey == "" {
 			return errors.New("http authentication requires --domain and --private-key")
 		}
-		authProvider = auth.NewHTTPProvider(registryURL, domain, privateKey)
+		authProvider = auth.NewHTTPProvider(registryURL, domain, privateKey, auth.CryptoAlgorithm(cryptoAlgorithm))
 	case "none":
 		authProvider = auth.NewNoneProvider(registryURL)
 	default:

docs/guides/publishing/publish-server.md

@@ -471,6 +471,8 @@ echo "yourcompany.com. IN TXT \"v=MCPv1; k=ed25519; p=$(openssl pkey -in key.pem
 mcp-publisher login dns --domain yourcompany.com --private-key $(openssl pkey -in key.pem -noout -text | grep -A3 "priv:" | tail -n +2 | tr -d ' :\n')
 ```
 
+The ECDSA P-384 crypto algorithm is also supported, along with HTTP-based authenication. See the [publisher CLI commands reference](../../reference/cli/commands.md) for more details.
+
 ## Step 5: Publish Your Server
 
 With authentication complete, publish your server:

docs/reference/cli/commands.md

@@ -80,9 +80,9 @@ mcp-publisher login dns --domain=example.com --private-key=HEX_KEY [--registry=U
 ```
 - Verifies domain ownership via DNS TXT record
 - Grants access to `com.example.*` namespaces
-- Requires Ed25519 private key (64-character hex)
+- Requires Ed25519 private key (64-character hex) or ECDSA P-384 private key (96-character hex)
 
-**Setup:**
+**Setup:** (for Ed25519, recommended)
 ```bash
 # Generate keypair
 openssl genpkey -algorithm Ed25519 -out key.pem
@@ -97,15 +97,30 @@ openssl pkey -in key.pem -pubout -outform DER | tail -c 32 | base64
 openssl pkey -in key.pem -noout -text | grep -A3 "priv:" | tail -n +2 | tr -d ' :\n'
 ```
 
+**Setup:** (for ECDSA P-384)
+```bash
+# Generate keypair
+openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out key.pem
+
+# Get public key for DNS record
+openssl ec -in key.pem -text -noout -conv_form compressed | grep -A4 "pub:" | tail -n +2 | tr -d ' :\n' | xxd -r -p | base64
+
+# Add DNS TXT record:
+# example.com. IN TXT "v=MCPv1; k=ecdsap384; p=PUBLIC_KEY"
+
+# Extract private key for login
+openssl ec -in <pem path> -noout -text | grep -A4 "priv:" | tail -n +2 | tr -d ' :\n'
+```
+
 #### HTTP Verification
 ```bash
 mcp-publisher login http --domain=example.com --private-key=HEX_KEY [--registry=URL]
 ```
 - Verifies domain ownership via HTTPS endpoint  
 - Grants access to `com.example.*` namespaces
-- Requires Ed25519 private key (64-character hex)
+- Requires Ed25519 private key (64-character hex) or ECDSA P-384 private key (96-character hex)
 
-**Setup:**
+**Setup:** (for Ed25519, recommended)
 ```bash
 # Generate keypair (same as DNS)
 openssl genpkey -algorithm Ed25519 -out key.pem
@@ -115,6 +130,16 @@ openssl genpkey -algorithm Ed25519 -out key.pem
 # Content: v=MCPv1; k=ed25519; p=PUBLIC_KEY
 ```
 
+**Setup:** (for ECDSA P-384)
+```bash
+# Generate keypair (same as DNS)
+openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out key.pem
+
+# Host public key at:
+# https://example.com/.well-known/mcp-registry-auth
+# Content: v=MCPv1; k=ecdsap384; p=PUBLIC_KEY
+```
+
 #### Anonymous (Testing)
 ```bash
 mcp-publisher login none [--registry=URL]

docs/reference/server-json/generic-server-json.md

@@ -14,6 +14,22 @@ The schema contains all field definitions, validation rules, examples, and detai
 
 The official registry has some more restrictions on top of this. See the [official registry requirements](./official-registry-requirements.md) for details.
 
+## Extension Metadata with `_meta`
+
+The optional `_meta` field allows publishers to include custom metadata alongside their server definitions using reverse DNS namespacing.
+
+```jsonc
+{
+  "_meta": {
+    "io.modelcontextprotocol.registry/publisher-provided": {
+      // Your custom metadata here
+    }
+  }
+}
+```
+
+When publishing to the official registry, custom metadata must be placed under the key `io.modelcontextprotocol.registry/publisher-provided`. See the [official registry requirements](./official-registry-requirements.md) for detailed restrictions and examples.
+
 ## Examples
 
 <!-- As a heads up, these are used as part of tests/integration/main.go -->