rekor
Software Supply Chain Transparency Log
#### Summary The current implementation of the intoto type within Rekor does not persist the signatures from the wrapping DSSE envelope into the log entry stored by Trillian. This makes...
#### Summary This PR addresses this enhancement issue https://github.com/sigstore/rekor/issues/849, which suggested adding support for intersection and union search through the use of `and` and `or` operators. #### Release Note new:...
Signed-off-by: Asra Ali #### Summary Fixes https://github.com/sigstore/rekor/issues/877 See issue for the problem: `rekor verify` didn't work with sharding: If the requested UUID was a sharded Entry UUID (Tree ID +...
**Description** The timestamping authority is being removed as per https://github.com/sigstore/rekor/issues/812. We will replace it with an improved timestamping authority that will live in its own repository or run as a...
**Description** To better streamline releases and deployments, we need a suite of tests that we can run to validate releases and deployments. @priyawadhwa Can you outline what tests you would...
**Description** Verification of the inclusion proof relies on the log index and the tree size. Using a virtual index will likely modify the calculation of the inclusion proof, resulting in...
Bumps golang from 1.18.5 to 1.19.0. Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a...
Currently the logic for validating the signature of a log entry needs to be reconstructed at least in part by other projects that wish to rely on it, e.g.: -...
**Description** When creating a new entry in Rekor the response contains a dynamic top level key of the [merkle leaf hash](https://github.com/sigstore/rekor/blob/8961ff21f8b0308c6c49d1c9e5cfa9446168e0b7/pkg/api/entries.go#L248-L250). Working with a dynamic top level key is difficult...
Using the SHA256SUMS release artifact from https://github.com/SanCloudLtd/meta-sancloud/releases/tag/v6.1.0 as an example, I have uploaded the signature to the rekor transparency log. I feel that I should now be able to verify...