#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
swagger: "2.0"
info:
title: Rekor
description: Rekor is a cryptographically secure, immutable transparency log for signed software releases.
version: 0.0.1
host: rekor.sigstore.dev
schemes:
- http
consumes:
- application/json
- application/yaml
produces:
- application/json;q=1
- application/yaml
paths:
/api/v1/version:
get:
summary: Get the current version of the rekor server
operationId: getRekorVersion
tags:
- server
responses:
200:
description: A JSON object with the running rekor version
schema:
$ref: '#/definitions/RekorVersion'
default:
$ref: '#/responses/InternalServerError'
/api/v1/index/retrieve:
post:
summary: Searches index by entry metadata
operationId: searchIndex
tags:
- index
parameters:
- in: body
name: query
required: true
schema:
$ref: '#/definitions/SearchIndex'
responses:
200:
description: Returns zero or more entry UUIDs from the transparency log based on search query
schema:
type: array
items:
type: string
description: Entry UUID in transparency log
pattern: '(^[0-9a-fA-F]{64}|[0-9a-fA-F]{80}$)'
400:
$ref: '#/responses/BadContent'
default:
$ref: '#/responses/InternalServerError'
/api/v1/log:
get:
summary: Get information about the current state of the transparency log
description: Returns the current root hash and size of the merkle tree used to store the log entries.
operationId: getLogInfo
tags:
- tlog
responses:
200:
description: A JSON object with the root hash and tree size as properties
schema:
$ref: '#/definitions/LogInfo'
default:
$ref: '#/responses/InternalServerError'
/api/v1/log/publicKey:
get:
summary: Retrieve the public key that can be used to validate the signed tree head
description: Returns the public key that can be used to validate the signed tree head
operationId: getPublicKey
tags:
- pubkey
produces:
- application/x-pem-file
responses:
200:
description: The public key
schema:
type: string
default:
$ref: '#/responses/InternalServerError'
/api/v1/log/proof:
get:
summary: Get information required to generate a consistency proof for the transparency log
description: Returns a list of hashes for specified tree sizes that can be used to confirm the consistency of the transparency log
operationId: getLogProof
tags:
- tlog
parameters:
- in: query
name: firstSize
type: integer
default: 1
minimum: 1
description: >
The size of the tree that you wish to prove consistency from (1 means the beginning of the log)
Defaults to 1 if not specified
- in: query
name: lastSize
type: integer
required: true
minimum: 1
description: The size of the tree that you wish to prove consistency to
responses:
200:
description: All hashes required to compute the consistency proof
schema:
$ref: '#/definitions/ConsistencyProof'
400:
$ref: '#/responses/BadContent'
default:
$ref: '#/responses/InternalServerError'
/api/v1/log/entries:
post:
summary: Creates an entry in the transparency log
description: >
Creates an entry in the transparency log for a detached signature, public key, and content.
Items can be included in the request or fetched by the server when URLs are specified.
operationId: createLogEntry
tags:
- entries
parameters:
- in: body
name: proposedEntry
schema:
$ref: '#/definitions/ProposedEntry'
required: true
responses:
201:
description: Returns the entry created in the transparency log
headers:
ETag:
type: string
description: UUID of log entry
Location:
type: string
description: URI location of log entry
format: uri
schema:
$ref: '#/definitions/LogEntry'
400:
$ref: '#/responses/BadContent'
409:
$ref: '#/responses/Conflict'
default:
$ref: '#/responses/InternalServerError'
get:
summary: Retrieves an entry and inclusion proof from the transparency log (if it exists) by index
operationId: getLogEntryByIndex
tags:
- entries
parameters:
- in: query
name: logIndex
type: integer
required: true
minimum: 0
description: specifies the index of the entry in the transparency log to be retrieved
responses:
200:
description: the entry in the transparency log requested along with an inclusion proof
schema:
$ref: '#/definitions/LogEntry'
404:
$ref: '#/responses/NotFound'
default:
$ref: '#/responses/InternalServerError'
/api/v1/log/entries/{entryUUID}:
get:
summary: Get log entry and information required to generate an inclusion proof for the entry in the transparency log
description: Returns the entry, root hash, tree size, and a list of hashes that can be used to calculate proof of an entry being included in the transparency log
operationId: getLogEntryByUUID
tags:
- entries
parameters:
- in: path
name: entryUUID
type: string
required: true
pattern: '(^[0-9a-fA-F]{64}|[0-9a-fA-F]{80}$)'
description: the UUID of the entry for which the inclusion proof information should be returned
responses:
200:
description: Information needed for a client to compute the inclusion proof
schema:
$ref: '#/definitions/LogEntry'
404:
$ref: '#/responses/NotFound'
default:
$ref: '#/responses/InternalServerError'
/api/v1/log/entries/retrieve:
post:
summary: Searches transparency log for one or more log entries
operationId: searchLogQuery
tags:
- entries
parameters:
- in: body
name: entry
required: true
schema:
$ref: '#/definitions/SearchLogQuery'
responses:
200:
description: Returns zero or more entries from the transparency log, according to how many were included in request query
schema:
type: array
items:
$ref: '#/definitions/LogEntry'
400:
$ref: '#/responses/BadContent'
default:
$ref: '#/responses/InternalServerError'
/api/v1/timestamp:
post:
summary: Generates a new timestamp response and creates a new log entry for the timestamp in the transparency log
operationId: getTimestampResponse
tags:
- timestamp
consumes:
- application/timestamp-query
produces:
- application/timestamp-reply
parameters:
- in: body
name: request
required: true
schema:
type: string
format: binary
responses:
201:
description: Returns a timestamp response and the location of the log entry in the transprency log
schema:
type: string
format: binary
headers:
ETag:
type: string
description: UUID of the log entry made for the timestamp response
Location:
type: string
description: URI location of the log entry made for the timestamp response
format: uri
Index:
type: integer
description: Log index of the log entry made for the timestamp response
400:
$ref: '#/responses/BadContent'
501:
$ref: '#/responses/NotImplemented'
default:
$ref: '#/responses/InternalServerError'
/api/v1/timestamp/certchain:
get:
summary: Retrieve the certfiicate chain for timestamping that can be used to validate trusted timestamps
description: Returns the certfiicate chain for timestamping that can be used to validate trusted timestamps
operationId: getTimestampCertChain
tags:
- timestamp
produces:
- application/pem-certificate-chain
responses:
200:
description: The PEM encoded cert chain
schema:
type: string
404:
$ref: '#/responses/NotFound'
default:
$ref: '#/responses/InternalServerError'
definitions:
ProposedEntry:
type: object
discriminator: kind
properties:
kind:
type: string
required:
- kind
rekord:
type: object
description: Rekord object
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/rekord/rekord_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
hashedrekord:
type: object
description: Hashed Rekord object
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/hashedrekord/hashedrekord_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
rpm:
type: object
description: RPM package
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/rpm/rpm_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
tuf:
type: object
description: TUF metadata
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/tuf/tuf_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
alpine:
type: object
description: Alpine package
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/alpine/alpine_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
helm:
type: object
description: Helm chart
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/helm/helm_schema.json'
required:
- apiVersion
- spec
intoto:
type: object
description: Intoto object
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/intoto/intoto_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
jar:
type: object
description: Java Archive (JAR)
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/jar/jar_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
rfc3161:
type: object
description: RFC3161 Timestamp
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/rfc3161/rfc3161_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
LogEntry:
type: object
additionalProperties:
type: object
properties:
logID:
type: string
pattern: '^[0-9a-fA-F]{64}$'
description: This is the SHA256 hash of the DER-encoded public key for the log at the time the entry was included in the log
logIndex:
type: integer
minimum: 0
body:
type: object
additionalProperties: true
integratedTime:
type: integer
attestation:
type: object
properties:
data:
format: byte
format: byte
verification:
type: object
properties:
inclusionProof:
$ref: '#/definitions/InclusionProof'
signedEntryTimestamp:
type: string
format: byte
# To verify the signedEntryTimestamp:
# 1. Remove the Verification object from the JSON Document
# 2. Canonicalize the remaining JSON document by following RFC 8785 rules
# 3. Verify the canonicalized payload and signedEntryTimestamp against rekor's public key
description: Signature over the logID, logIndex, body and integratedTime.
required:
- "logID"
- "logIndex"
- "body"
- "integratedTime"
RekorVersion:
type: object
properties:
version:
type: string
commit:
type: string
treestate:
type: string
builddate:
type: string
required:
- version
- commit
- treestate
- builddate
SearchIndex:
type: object
properties:
email:
type: string
format: email
publicKey:
type: object
properties:
format:
type: string
enum: ['pgp','x509','minisign', 'ssh', 'tuf']
content:
type: string
format: byte
url:
type: string
format: uri
required:
- "format"
hash:
type: string
pattern: '^(sha256:)?[0-9a-fA-F]{64}$|^(sha1:)?[0-9a-fA-F]{40}$'
SearchLogQuery:
type: object
properties:
entryUUIDs:
type: array
items:
type: string
minItems: 1
pattern: '^[0-9a-fA-F]{64}$'
logIndexes:
type: array
minItems: 1
items:
type: integer
minimum: 0
entries:
type: array
items:
$ref: '#/definitions/ProposedEntry'
minItems: 1
LogInfo:
type: object
properties:
rootHash:
type: string
description: The current hash value stored at the root of the merkle tree
pattern: '^[0-9a-fA-F]{64}$'
treeSize:
type: integer
description: The current number of nodes in the merkle tree
minimum: 1
signedTreeHead:
type: string
format: signedCheckpoint
description: The current signed tree head
required:
- rootHash
- treeSize
- signedTreeHead
ConsistencyProof:
type: object
properties:
rootHash:
type: string
description: The hash value stored at the root of the merkle tree at the time the proof was generated
pattern: '^[0-9a-fA-F]{64}$'
hashes:
type: array
items:
type: string
description: SHA256 hash value expressed in hexadecimal format
pattern: '^[0-9a-fA-F]{64}$'
required:
- rootHash
- hashes
InclusionProof:
type: object
properties:
logIndex:
type: integer
description: The index of the entry in the transparency log
minimum: 0
rootHash:
description: The hash value stored at the root of the merkle tree at the time the proof was generated
type: string
pattern: '^[0-9a-fA-F]{64}$'
treeSize:
type: integer
description: The size of the merkle tree at the time the inclusion proof was generated
minimum: 1
hashes:
description: A list of hashes required to compute the inclusion proof, sorted in order from leaf to root
type: array
items:
type: string
description: SHA256 hash value expressed in hexadecimal format
pattern: '^[0-9a-fA-F]{64}$'
required:
- logIndex
- rootHash
- treeSize
- hashes
Error:
type: object
properties:
code:
type: integer
message:
type: string
responses:
BadContent:
description: The content supplied to the server was invalid
schema:
$ref: "#/definitions/Error"
Conflict:
description: The request conflicts with the current state of the transparency log
schema:
$ref: "#/definitions/Error"
headers:
Location:
type: string
format: uri
NotFound:
description: The content requested could not be found
NotImplemented:
description: The content requested is not implemented
InternalServerError:
description: There was an internal error in the server while processing the request
schema:
$ref: "#/definitions/Error"