Skip to content
Snippets Groups Projects
Select Git revision
  • evidentia default
  • wip
  • main protected
  • v0.9.1
  • v0.9.0
  • v0.8.2
  • v0.8.1
  • v0.8.0
  • v0.7.0
  • v0.6.0
  • v0.5.0
  • v0.4.0
  • v0.3.0
  • v0.2.0
  • v0.1.1
  • v0.1.0
16 results
Compare
user avatar
Fix a bug in minisign canonicalization. (#562)
dlorenc authored 
We were previously stripping off the keyid/algorithm identifiers in minisign public keys.
These should be included in here to properly canonicalize/reconstruct the keys for verification.

Signed-off-by: default avatarDan Lorenc <lorenc.d@gmail.com>
47486c21
History
user avatar 47486c21
History
Name Last commit Last update
.github
cmd
config
hack/tools
pkg
release
scripts
tests
.gitattributes
.gitignore
.golangci.yml
.goreleaser.yml
.ko.yaml
CHANGELOG.md
CODEOWNERS
CODE_OF_CONDUCT.md
CONTRIBUTORS.md
COPYRIGHT.txt
Dockerfile
LICENSE
MAINTAINERS.md
Makefile
OWNERS.md
README.md
docker-compose.debug.yml
docker-compose.yml
go.mod
go.sum
openapi.yaml
rekor-server.yaml
types.md
README.md

Rekor

Rekór - Greek for “Record”

Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. Rekor will enable software maintainers and build systems to record signed metadata to an immutable record. Other parties can then query said metadata to enable them to make informed decisions on trust and non-repudiation of an object's lifecycle. For more details visit the sigstore website

The Rekor project provides a restful API based server for validation and a transparency log for storage. A CLI application is available to make and verify entries, query the transparency log for inclusion proof, integrity verification of the transparency log or retrieval of entries by either public key or artifact.

Rekor fulfils the signature transparency role of sigstore's software signing infrastructure. However, Rekor can be run on its own and is designed to be extensible to working with different manifest schemas and PKI tooling.

Official Documentation.

Public Instance

IMPORTANT: This instance is currently operated on a best-effort basis.
We will take the log down and reset it with zero notice. We will improve the stability and publish SLOs over time.

More details on the public instance can be found at docs.sigstore.dev.

Installation

Please see the installation page for details on how to install the rekor CLI and set up / run the rekor server

Usage

For examples of uploading signatures for all the supported types to rekor, see the types documentation.

Extensibility

Custom schemas / manifests (rekor type)

Rekor allows customized manifests (which term them as types), type customization is outlined here.

API

If you're interesting in integration with Rekor, we have an OpenAPI swagger editor

Security

Should you discover any security issues, please refer to sigstores security process

Contributions

We welcome contributions from anyone and are especially interested to hear from users of Rekor.