Rekor on

An Introduction to Rekor

Sat, 20 Aug 2022 08:49:31 +0000

An earlier version of this material was published in the Rekor chapter of the Linux Foundation Sigstore course.

Rekor stores records of artifact metadata, providing transparency for signatures and therefore helping the open source software community monitor and detect any tampering of the software supply chain. On a technical level, it is an append-only (sometimes called “immutable”) data log that stores signed metadata about a software artifact, allowing software consumers to verify that a software artifact is what it claims to be. You could think of Rekor as a bulletin board where anyone can post and the posts cannot be removed, but it’s up to the viewer to make informed judgements about what to believe.

How to Install the Rekor CLI

Sat, 20 Aug 2022 08:49:31 +0000

An earlier version of this material was published in the Rekor chapter of the Linux Foundation Sigstore course.

Follow this tutorial for an overview of how to install rekor-cli.

To install the Rekor command line interface (rekor-cli) with Go, you will need Go version 1.16 or greater. For Go installation instructions, see the official Go documentation. If you have Go installed already, you can check your Go version via this command.

go version

If Go is installed, you’ll receive output similar to the following.

How to Query Rekor

Sat, 20 Aug 2022 08:49:31 +0000

An earlier version of this material was published in the Rekor chapter of the Linux Foundation Sigstore course.

Rekor is the transparency log of Sigstore, which stores records of artifact metadata. Before querying Rekor, you should have the rekor-cli installed, which you can achieve by following the “How to Install the Rekor CLI” tutorial.

In order to access the data stored in Rekor, the rekor-cli requires either the log index of an entry or the UUID of a software artifact.

How to Sign and Upload Metadata to Rekor

Sat, 20 Aug 2022 08:49:31 +0000

An earlier version of this material was published in the Rekor chapter of the Linux Foundation Sigstore course.

This tutorial will walk you through signing and uploading metadata to the Rekor transparency log, which is a project of Sigstore. In order to follow along, you’ll need the rekor-cli installed, which you can accomplish by following the “How to Install the Rekor CLI” tutorial.

We will use SSH to sign a text document. SSH is often used to communicate securely over an unsecured network and can also be used to generate public and private keys appropriate for signing an artifact.

How to Set Up An Instance of Rekor Instance Locally

Sat, 20 Aug 2022 08:49:31 +0000

An earlier version of this material was published in the Rekor chapter of the Linux Foundation Sigstore course.

While individual developers may not generally need to set up their own instance of Rekor, it may be worthwhile to set up your own local instance in order to further understand how Rekor works under the hood. We will have multiple terminal sessions running to set up the Rekor server. You may want to use a tool such as tmux to keep terminal sessions running in the background within the same window.