ediverse Explorer la plateforme

À la une PEPPOL BIS Billing 3.0 L’obligation européenne d’e-invoicing arrive : France sept 2026, Belgique janv 2026, Allemagne 2025.

SIGSTORE-REKOR

Sigstore Rekor transparency log append-only Merkle.

Définition

Rekor architecture : Backend Trillian (Google open-source verifiable Merkle tree append-only log). Frontend Rekor server (Go REST API). Log entry types : hashedrekord (general digest + signature + public key), intoto (in-toto attestations), tuf (TUF metadata), rfc3161 (RFC 3161 trusted timestamp), helm (Helm chart provenance), jar (Java JAR signatures), rpm (RPM packages), cose (CBOR Object Signing and Encryption). Each entry : UUID, integrated time, log index, body (encoded), Merkle inclusion proof (consistency + inclusion). API : POST /api/v1/log/entries (append entry), GET /api/v1/log/entries/{uuid} (retrieve entry), GET /api/v1/log/proofs (Merkle proofs). Verification : cosign verify queries Rekor for signature presence + verifies Merkle inclusion proof + verifies signature against Fulcio-issued cert + cross-checks OIDC issuer + identity. Public Good Rekor log ~50M+ entries 2024. Tools : rekor-cli CLI, sigstore-go library, integration cosign default.

Origine

Rekor initial release 2021 ; Public Good Rekor Production Linux Foundation 2021 ; backed Trillian Google open-source ; ~50M+ entries 2024 ; private instances Red Hat, Google Cloud, etc.

Exemple en contexte

Apres incident supply chain attack hypothetique : SOC team audit Rekor log via API GET /api/v1/log/entries with filter sha256 of compromised image, verifie chronologically signing entries, detect anomaly unauthorized signing identity not matching expected GitHub Actions identity, trace incident origin via Merkle proofs cryptographic guarantees.

Termes liés

Dernière mise à jour: 16 mai 2026