Supply Chain Transparency Log
Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. Rekor will enable software maintainers and build systems to record signed metadata to an immutable record. Other parties can then query said metadata to enable them to make informed decisions on trust and non-repudiation of an object's lifecycle. For more details visit the sigstore website
The Rekor project provides a restful API based server for validation and a transparency log for storage. A CLI application is available to make and verify entries, query the transparency log for inclusion proof, integrity verification of the transparency log or retrieval of entries by either public key or artifact.
Rekor fulfils the signature transparency role of sigstore's software signing infrastructure. However, Rekor can be run on its own and is designed to be extensible to working with different manifest schemas and PKI tooling.
- Developed at security
- Sources inherited from project openSUSE:Factory
-
1
derived packages
- Download package
-
Checkout Package
osc -A https://api.opensuse.org checkout openSUSE:Leap:16.0:FactoryCandidates/rekor && cd $_
- Create Badge
Source Files
Filename | Size | Changed |
---|---|---|
rekor-1.1.0.tar.gz | 0000868412 848 KB | |
rekor-zypper-verify.sh | 0000000941 941 Bytes | |
rekor.changes | 0000017813 17.4 KB | |
rekor.spec | 0000003014 2.94 KB | |
vendor.tar.xz | 0004239016 4.04 MB |
Revision 14 (latest revision is 22)
- updated to rekor 1.1.0 (jsc#SLE-23476): Functional Enhancements - improve validation on intoto v0.0.2 type (#1351) - add feature to limit HTTP request body length to process (#1334) - add information about the file size limit (#1313) - Add script to backfill Redis from Rekor (#1163) - Feature: add search support for sha512 (#1142) Quality Enhancements - various fuzzing fixes Bug Fixes - remove goroutine usage from SearchLogQuery (#1407) - drop log messages regarding attestation storage to debug (#1408) - fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309) - fix: fix regex for multi-digit counts (#1321) - return NotFound if treesize is 0 rather than calling trillian (#1311) - enumerate slice to get sugared logs (#1312) - put a reasonable size limit on ssh key reader (#1288) - CLIENT: Fix Custom Host and Path Issue (#1306) - do not persist local state if log is empty; fail consistency proofs from 0 size (#1290) - correctly handle invalid or missing pki format (#1281) - Add Verifier to get public key/cert and identities for entry type (#1210) - fix goroutine leak in client; add insecure TLS option (#1238) - Fix - Remove the force-recreate flag (#1179) - trim whitespace around public keys before parsing (#1175) - stop inserting envelope hash for intoto:0.0.2 types into index (#1171) - Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158) - remove double encoding of payload and signature fields for intoto (#1150) - fix SearchLogQuery behavior to conform to openapi spec (#1145) - Remove pem-certificate-chain from client (#1138) - fix flag type for operator in search (#1136) (forwarded request 1077454 from msmeissn)
Comments 0