sigstore/rekor sigstore/rekor

  • Stars
    star
    838
  • Rank 53,126 (Top 2 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created about 4 years ago
  • Updated about 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
sigstore/rekor
github

sigstore

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Software Supply Chain Transparency Log

OpenSSF Scorecard

Rekor logo

Rekor

Rekรณr - Greek for โ€œRecordโ€

Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. Rekor will enable software maintainers and build systems to record signed metadata to an immutable record. Other parties can then query said metadata to enable them to make informed decisions on trust and non-repudiation of an object's lifecycle. For more details visit the sigstore website.

The Rekor project provides a restful API based server for validation and a transparency log for storage. A CLI application is available to make and verify entries, query the transparency log for inclusion proof, integrity verification of the transparency log or retrieval of entries by either public key or artifact.

Rekor fulfils the signature transparency role of sigstore's software signing infrastructure. However, Rekor can be run on its own and is designed to be extensible to working with different manifest schemas and PKI tooling.

Official Documentation.

Public Instance

Rekor is officially Generally Available with a 1.0.0 release, and follows semver rules for API stability. This means production workloads can rely on the Rekor public instance, which has a 24/7 oncall rotation supporting it and offers a 99.5% availability SLO for the following API endpoints:

  • /api/v1/log
  • /api/v1/log/publicKey
  • /api/v1/log/proof
  • /api/v1/log/entries
  • /api/v1/log/entries/retrieve

For uptime data on the Rekor public instance, see https://status.sigstore.dev.

More details on the public instance can be found at docs.sigstore.dev.

The attestation size limit for uploads to the public instance is 100KB. If you need to upload larger files, please run your own instance of Rekor. You can find instructions for doing so in the installation documentation.

Installation

Please see the installation page for details on how to install the rekor CLI and set up / run the rekor server

Usage

For examples of uploading signatures for all the supported types to rekor, see the types documentation.

Extensibility

Custom schemas / manifests (rekor type)

Rekor allows customized manifests (which term them as types), type customization is outlined here.

API

If you're interesting in integration with Rekor, we have an OpenAPI swagger editor

Security

Should you discover any security issues, please refer to sigstore's security process

Contributions

We welcome contributions from anyone and are especially interested to hear from users of Rekor.

More Repositories

1

cosign

Code signing and transparency for containers and binaries
Go
4,135
star
2

gitsign

Keyless Git signing using Sigstore
Go
910
star
3

fulcio

Sigstore OIDC PKI
Go
609
star
4

sigstore

Common go library shared across sigstore services and clients
Go
435
star
5

sigstore-python

A Sigstore client for Python
Python
214
star
6

sigstore-rs

An experimental Rust crate for sigstore
Rust
156
star
7

sigstore-js

Code-signing for npm packages
TypeScript
149
star
8

policy-controller

Sigstore Policy Controller - an admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign
Go
120
star
9

cosign-installer

Cosign Github Action
107
star
10

model-transparency

Supply chain security for ML
Python
97
star
11

k8s-manifest-sigstore

kubectl plugin for signing Kubernetes manifest YAML files with sigstore
Go
77
star
12

root-signing

Go
77
star
13

cosign-gatekeeper-provider

๐Ÿ”ฎ โœˆ๏ธ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures
Go
74
star
14

docs

Sigstore documentation
HTML
62
star
15

helm-charts

Helm charts for sigstore project
Smarty
61
star
16

helm-sigstore

Plugin for Helm to integrate the sigstore ecosystem
Go
57
star
17

scaffolding

Stuff to make standing up sigstore (esp. for testing) easier for e2e/integration testing.
HCL
55
star
18

timestamp-authority

RFC3161 Timestamp Authority
Go
53
star
19

gh-action-sigstore-python

A GitHub Action for sigstore-python
Python
44
star
20

community

General sigstore community repo
36
star
21

sigstore-go

Go library for Sigstore signing and verification
Go
34
star
22

sigstore-java

java clients for sigstore
Java
34
star
23

friends

Sigstore user stories
29
star
24

sigstore-website

Codebase for sigstore.dev
Vue
26
star
25

rekor-search-ui

Search Rekor for entries
TypeScript
23
star
26

protobuf-specs

Protocol Buffer specifications
Rust
21
star
27

rekor-monitor

Log monitor for Rekor to verify immutability and monitor entries
Go
21
star
28

sget

Go
21
star
29

rekor-operator

K8S Operator for Rekor
Go
20
star
30

sget-rs

sget is a keyless safe script retrieval and execution tool
Rust
18
star
31

sigstore-go-archived

Go library for Sigstore signing and verification
Go
16
star
32

sigstore-maven-plugin

sigstore maven plugin
Java
16
star
33

rekor-server

Cryptographic, immutable, append only software release ledger.
Go
11
star
34

rekorctl

Rekor swiss army knife
Go
9
star
35

ruby-sigstore

Rubygems sigstore signing plugin
Ruby
9
star
36

sigstore-git-verifier

A Github Action to verify that new commits are present in the sigstore transparency log.
Shell
8
star
37

TSC

sigstore Technical Steering Committee
7
star
38

sigstore-conformance

Conformance testing for Sigstore clients
Python
7
star
39

sigstore.github.io

Rekor website
Sass
7
star
40

sigstore-maven

sigstore maven plugin
Java
7
star
41

examples

Repository to store various monitors for upstream release sites
Python
6
star
42

sigstore-blog

Codebase for sigstore.dev
CSS
6
star
43

homebrew-tap

Sigstore Homebrew Tap
Ruby
5
star
44

sigstore-project-template

cookiecutter template for sigstore projects
5
star
45

sig-clients

Home of the clients SIG
5
star
46

github-sync

Pulumi GitHub Sync for sigstore
Go
4
star
47

sigstore-helm-operator

Helm based operator for the sigstore project
Smarty
4
star
48

sigstore-devops-tools

Tools & services used to help in the development flow of sigstore
Go
4
star
49

.github

Default community health files for the Sigstore organization.
4
star
50

sigstore-probers

Probers for sigstore infrastructure
Go
3
star
51

root-signing-staging

Staging TUF repository for Sigstore trust root
3
star
52

root-signing-practice

Root TUF Key Signing
Go
3
star
53

rekor-ansible

Ansible role to deploy the Rekor signature transparency log
2
star
54

sigstore-installer

1
star
55

fish-food

Lua
1
star
56

sig-public-good-operations

Home of the public good operations SIG
1
star