SIGSTORE-REKOR
Sigstore Rekor transparency log append-only Merkle.
Definition
Rekor architecture: Backend Trillian (Google open-source verifiable Merkle tree append-only log). Frontend Rekor server (Go REST API). Log entry types: hashedrekord (general digest + signature + public key), intoto (in-toto attestations), tuf (TUF metadata), rfc3161 (RFC 3161 trusted timestamp), helm (Helm chart provenance), jar (Java JAR signatures), rpm (RPM packages), cose (CBOR Object Signing and Encryption). Each entry: UUID, integrated time, log index, body (encoded), Merkle inclusion proof (consistency + inclusion). API: POST /api/v1/log/entries (append entry), GET /api/v1/log/entries/{uuid} (retrieve entry), GET /api/v1/log/proofs (Merkle proofs). Verification: cosign verify queries Rekor for signature presence + verifies Merkle inclusion proof + verifies signature against Fulcio-issued cert + cross-checks OIDC issuer + identity. Public Good Rekor log ~50M+ entries 2024. Tools: rekor-cli CLI, sigstore-go library, integration cosign default.
Origin
Rekor initial release 2021 ; Public Good Rekor Production Linux Foundation 2021 ; backed Trillian Google open-source ; ~50M+ entries 2024 ; private instances Red Hat, Google Cloud, etc.
Example in context
After hypothetical supply chain attack incident: SOC team audits Rekor log via API GET /api/v1/log/entries with filter sha256 of compromised image, verifies chronologically signing entries, detects anomaly unauthorized signing identity not matching expected GitHub Actions identity, traces incident origin via Merkle proofs cryptographic guarantees.
Related terms
- Sigstore Fulcio — CA companion.