• Stars
    star
    864
  • Rank 52,774 (Top 2 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 4 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Software Supply Chain Transparency Log

OpenSSF Scorecard

Rekor logo

Rekor

Rekór - Greek for “Record”

Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. Rekor will enable software maintainers and build systems to record signed metadata to an immutable record. Other parties can then query said metadata to enable them to make informed decisions on trust and non-repudiation of an object's lifecycle. For more details visit the sigstore website.

The Rekor project provides a restful API based server for validation and a transparency log for storage. A CLI application is available to make and verify entries, query the transparency log for inclusion proof, integrity verification of the transparency log or retrieval of entries by either public key or artifact.

Rekor fulfils the signature transparency role of sigstore's software signing infrastructure. However, Rekor can be run on its own and is designed to be extensible to working with different manifest schemas and PKI tooling.

Official Documentation.

Public Instance

Rekor is officially Generally Available with a 1.0.0 release, and follows semver rules for API stability. This means production workloads can rely on the Rekor public instance, which has a 24/7 oncall rotation supporting it and offers a 99.5% availability SLO for the following API endpoints:

  • /api/v1/log
  • /api/v1/log/publicKey
  • /api/v1/log/proof
  • /api/v1/log/entries
  • /api/v1/log/entries/retrieve

For uptime data on the Rekor public instance, see https://status.sigstore.dev.

More details on the public instance can be found at docs.sigstore.dev.

The attestation size limit for uploads to the public instance is 100KB. If you need to upload larger files, please run your own instance of Rekor. You can find instructions for doing so in the installation documentation.

Installation

Please see the installation page for details on how to install the rekor CLI and set up / run the rekor server

Usage

For examples of uploading signatures for all the supported types to rekor, see the types documentation.

Extensibility

Custom schemas / manifests (rekor type)

Rekor allows customized manifests (which term them as types), type customization is outlined here.

API

If you're interesting in integration with Rekor, we have an OpenAPI swagger editor

Security

Should you discover any security issues, please refer to sigstore's security process

Contributions

We welcome contributions from anyone and are especially interested to hear from users of Rekor.

More Repositories

1

cosign

Code signing and transparency for containers and binaries
Go
4,300
star
2

gitsign

Keyless Git signing using Sigstore
Go
938
star
3

fulcio

Sigstore OIDC PKI
Go
629
star
4

sigstore

Common go library shared across sigstore services and clients
Go
441
star
5

sigstore-python

A Sigstore client written in Python
Python
227
star
6

sigstore-rs

An experimental Rust crate for sigstore
Rust
162
star
7

sigstore-js

Code-signing for npm packages
TypeScript
156
star
8

policy-controller

Sigstore Policy Controller - an admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign
Go
123
star
9

cosign-installer

Cosign Github Action
114
star
10

model-transparency

Supply chain security for ML
Python
105
star
11

root-signing

TUF repository for Sigstore trust root
Go
81
star
12

k8s-manifest-sigstore

kubectl plugin for signing Kubernetes manifest YAML files with sigstore
Go
78
star
13

cosign-gatekeeper-provider

🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures
Go
76
star
14

docs

Sigstore documentation
HTML
73
star
15

helm-charts

Helm charts for sigstore project
Smarty
62
star
16

helm-sigstore

Plugin for Helm to integrate the sigstore ecosystem
Go
59
star
17

timestamp-authority

RFC3161 Timestamp Authority
Go
58
star
18

scaffolding

Stuff to make standing up sigstore (esp. for testing) easier for e2e/integration testing.
HCL
57
star
19

gh-action-sigstore-python

A GitHub Action for sigstore-python
Python
46
star
20

sigstore-go

Go library for Sigstore signing and verification
Go
39
star
21

community

General sigstore community repo
38
star
22

sigstore-java

java clients for sigstore
Java
37
star
23

friends

Sigstore user stories
29
star
24

sigstore-website

Codebase for sigstore.dev
Vue
27
star
25

rekor-search-ui

Search Rekor for entries
TypeScript
26
star
26

rekor-monitor

Log monitor for Rekor to verify immutability and monitor entries
Go
24
star
27

protobuf-specs

Protocol Buffer specifications
Rust
22
star
28

sget

Go
21
star
29

rekor-operator

K8S Operator for Rekor
Go
20
star
30

sigstore-maven-plugin

sigstore maven plugin
Java
18
star
31

sget-rs

sget is a keyless safe script retrieval and execution tool
Rust
18
star
32

sigstore-go-archived

Go library for Sigstore signing and verification
Go
16
star
33

rekor-server

Cryptographic, immutable, append only software release ledger.
Go
11
star
34

rekorctl

Rekor swiss army knife
Go
9
star
35

ruby-sigstore

Rubygems sigstore signing plugin
Ruby
9
star
36

sigstore-git-verifier

A Github Action to verify that new commits are present in the sigstore transparency log.
Shell
8
star
37

sigstore-maven

sigstore maven plugin
Java
8
star
38

TSC

sigstore Technical Steering Committee
7
star
39

sigstore-conformance

Conformance testing for Sigstore clients
Python
7
star
40

sigstore.github.io

Rekor website
Sass
7
star
41

homebrew-tap

Sigstore Homebrew Tap
Ruby
6
star
42

examples

Repository to store various monitors for upstream release sites
Python
6
star
43

sigstore-blog

Codebase for sigstore.dev
CSS
6
star
44

sigstore-project-template

cookiecutter template for sigstore projects
5
star
45

github-sync

Pulumi GitHub Sync for sigstore
Go
5
star
46

sig-clients

Home of the clients SIG
5
star
47

sigstore-helm-operator

Helm based operator for the sigstore project
Smarty
4
star
48

sigstore-probers

Probers for sigstore infrastructure
Go
4
star
49

.github

Default community health files for the Sigstore organization.
4
star
50

sigstore-devops-tools

Tools & services used to help in the development flow of sigstore
Go
4
star
51

sigstore-ruby

Pure-ruby implementation of sigstore verification
Ruby
4
star
52

root-signing-staging

Staging TUF repository for Sigstore trust root
3
star
53

root-signing-practice

Root TUF Key Signing
Go
3
star
54

rekor-ansible

Ansible role to deploy the Rekor signature transparency log
2
star
55

sigstore-installer

1
star
56

fish-food

Lua
1
star
57

sig-public-good-operations

Home of the public good operations SIG
1
star