
Software Supply Chain Transparency Log

142 rekor issues

Refactoring trillian to be interface based which is easier to mock for testing. With the present implementation, it is impossible to test other than running a trillian server. It is...

**Description** Currently, the following error means that `checksums.txt` is not found in the current directory, which is a bit confusing a message for seeing what is actually going on: ```bash $ rekor-cli...

enhancement

When verifying SignedNotes, we never check that the loaded public key matches the hash. I think the only purpose is for easy lookup and early rejection in case none of...

good first issue

I am hearing more and more demand for this. Folks want a way to mark nefarious / deprecated images and releases, so users can query to see if an image...

pathfinding

We need a method to firm up release procedures with the view of the public good instance. We should also look to have CI tests run against the current...

This is an initial attempt at implementing support for git push certificates in rekor. Git push certificates allow the committer to sign the commits they pushed towards some remote. These...

We currently have two non-FIPS-compliant modules in use:

```
./pkg/pki/ssh/sign.go: "golang.org/x/crypto/ssh"
./pkg/pki/ssh/ssh.go: "golang.org/x/crypto/ssh"
./pkg/pki/ssh/verify.go: "golang.org/x/crypto/ssh"
./pkg/pki/pgp/pgp.go: "golang.org/x/crypto/openpgp/armor"
./pkg/pki/pgp/pgp.go: "golang.org/x/crypto/openpgp/packet"
./pkg/pki/pgp/pgp.go: "golang.org/x/crypto/openpgp"
```

We should port to FIPS compliant...

Right now our API layer is tightly coupled to the storage layer. The API types directly turn into storage types, even though there is tons of validation and canonicalization first...

It might make sense for organizations that run Rekor internally to use the timestamp server but without the transparency log. We should document how to do this easily.

documentation

This is admittedly quite small, but we currently have a mix of flags that use underscores and hyphens: `rekor_server` but `public-key` or `log-index`, for instance. Is this worth fixing? I...