rekor
rekor copied to clipboard
sigstore
Software Supply Chain Transparency Log
**Description** In https://github.com/sigstore/rekor/issues/988, we added signed checkpoints (signatures over the root hash) to upload and verification responses where an inclusion proof is returned. However, these checkpoints are not persisted, so...
**Description** Rekor will now return Entry UUIDs in all entry points: https://github.com/sigstore/rekor/pull/1012 Currently, we handle both full Entry UUIDs of 80 chars and the 64 character UUID leaf hash. At...
I propose removing the periodic process "watch" that records tree heads. Recording old tree heads does not aid in the calculation of consistency proofs, since those are calculated by clients...
Add terraform configuration and scripts to set up rekor standalone on GCP, perform a series of insert and search operations, use Prometheus to gather metrics, and plot the results with...
#### Summary Add `--client-signing-algorithms` flag to rekor-server to restrict the set of client keys accepted by a Rekor instance. See #1724 . This work depends on https://github.com/sigstore/sigstore/pull/1601 #### Release Note...
In order to verify `signedEntryTimestamp`, one needs to follow instructions that I could only find [here in this yaml](https://github.com/sigstore/rekor/blob/4fcdcaa58fd5263560a82978d781eb64f5c5f93c/openapi.yaml#L467-L471). That's also the only specification I could find as to what's...
**Description** _I've filed similar issues under Cosign and Fulcio. I realise there's a lot of overlap in maintainers, but wanted to make sure that we discuss each project that we...
**Description** Support for uploading a certificate chain, not just a leaf certificate, was added awhile ago (https://github.com/sigstore/rekor/pull/747). I don't recall if there was a specific motivation at the time, but...
There was a previous issue opened (#1573 ) asking about a manual Rekor upload of an artifact signed with a cosign public key. However, the proposed solution (using the `--pki-format...
**Description** Trying to deploy Rekor and Fulcio using gcr images. image: gcr.io/projectsigstore/rekor-server -- unknown flag --redis_server.password etc, etc, - setting things up with those two compose files is becoming... interesting....
