rekor

Software Supply Chain Transparency Log

Results 142 rekor issues

In order for us to get some better insight during adoption phases, we could have a debug flag `REKOK_DMP=1` which dumps the artefact URL to a file or if its...

enhancement

This would ease integration with Java and other tooling that expects timestamps in this format. We could expose two APIs: - A normal RFC3161 variant, where users send us a...

enhancement

We could consider using the JWKS format for the rekor public keys, which would be useful if we want to send multiple keys to a user. This could be nice...

**Description** It would be great to have some tooling to automatically rebuild the redis index in case it gets behind the log or we drop entries. Right now we index...

Related client side issue: https://github.com/sigstore/sigstore/issues/16

enhancement

**Description** This is for getting bundling (https://github.com/sigstore/cosign/issues/181) working. When cosign uploads the {signature, public key, payload} to rekor, we need rekor to provide proof that the entry is in the...

enhancement

cc @puiterwijk This would look like an entry in Rekor that includes a digest of a file that will be signed, and the public key that will be used to...

pathfinding

Reasons for doing so: 1. In order to prevent a single point of organizational failure some form of federated services would be useful. 1. Allows for network sharding to deal...

pathfinding

cc @puiterwijk This could include things like

- RPMs which bundle signatures into a special header
- Maven artifacts
- The Windows PE file format
- ELF xattrs

pathfinding

I poked around a bit and it appears we have two main options for metrics: Prometheus and OpenCensus. Trillian appears to support both as well: https://github.com/google/trillian/blob/master/monitoring/prometheus/metrics.go Here's what I'm hoping...

pathfinding