Proposal: Deprecate rekor-cli

Open haydentherapper opened this issue 1 year ago • 3 comments

Description

rekor-cli provides a command line utility to upload entries to Rekor, search for entries, and verify entries. To reduce the number of tools we maintain in Sigstore, I'd like to deprecate this utility and remove it in Rekor v2. For any functionality that we think should be supported in a CLI tool, I'd rather move it to Cosign as the central Sigstore utility.

For uploading entries to Rekor, a curl command should be sufficient, especially once the number of types is reduced (https://github.com/sigstore/rekor/issues/2080).

For verifying entries, I'm not sure of the use case where someone would like to verify a log entry without also verifying the artifact signature. I'd rather point users to Cosign, and again, if the use case does arise, we can add the functionality to Cosign.

haydentherapper • Dec 06 '24 22:12

@lkatalin I know Red Hat recommends rekor-cli. Do you have a use case in mind where you need only log entry verification without signature verification, or could Cosign be sufficient?

haydentherapper • Dec 06 '24 22:12

Thanks for the ping @haydentherapper, I'll reach out to our relevant teams about the requirements here.

lkatalin • Dec 10 '24 16:12

@haydentherapper I think we are probably fine with removing this with the 2.0 rekor release. I'm investigating, but at the moment I don't have any great concern. It's one less thing for us to maintain too :)

lance • Dec 10 '24 21:12