<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Transparency Log on</title><link>https://deploy-preview-426--docssigstore.netlify.app/logging/</link><description>Recent content in Transparency Log on</description><generator>Hugo -- gohugo.io</generator><lastBuildDate>Tue, 06 Oct 2020 08:49:15 +0000</lastBuildDate><atom:link href="https://deploy-preview-426--docssigstore.netlify.app/logging/index.xml" rel="self" type="application/rss+xml"/><item><title>Rekor</title><link>https://deploy-preview-426--docssigstore.netlify.app/logging/overview/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/logging/overview/</guid><description>Rekor aims to provide an immutable, tamper-resistant ledger of metadata generated within a software project’s supply chain.
It enables software maintainers and build systems to record signed metadata to an immutable record. Other parties can then query this metadata, enabling them to make informed decisions on trust and non-repudiation of an object’s lifecycle.
The Rekor project provides a RESTful API-based server for validation, and a transparency log for storage. A CLI application is available to make and verify entries, query the log for an inclusion proof, verify the integrity of the log, or retrieve entries (either by a public key or an artifact).</description></item><item><title>Installation</title><link>https://deploy-preview-426--docssigstore.netlify.app/logging/installation/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/logging/installation/</guid><description>There are several ways to install both the rekor-cli and rekor-server.
Using Go install # If you have Go installed, you can use Go to retrieve the rekor-cli binaries
go install -v github.com/sigstore/rekor/cmd/rekor-cli@latest You may also do the same for rekor-server, but please note that the Rekor server also requires Trillian and a database (see below for setup instructions).
go install -v github.com/sigstore/rekor/cmd/rekor-server@latest From the release page # Rekor releases are available on the Release page.</description></item><item><title>Sharding</title><link>https://deploy-preview-426--docssigstore.netlify.app/logging/sharding/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/logging/sharding/</guid><description>This document covers what Rekor log sharding is and how to shard the log.
What is sharding? # When Rekor is started for the first time, its backend is a transparency log built on a single Merkle Tree. This log can grow indefinitely as entries are added, which can present issues over time. To resolve some of these issues the log can be “sharded” into multiple Merkle Trees.
Why do we shard the log?</description></item><item><title>CLI</title><link>https://deploy-preview-426--docssigstore.netlify.app/logging/cli/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/logging/cli/</guid><description>The following guide is targeted towards developers / software maintainers who would like to make a provenance entry into the Rekor transparency log.
The steps outlined below will show how to sign your software and use the Rekor CLI to make and verify an entry. It uses GPG to demonstrate, but other types are outlined in the Signing and Uploading Other Types page.
Prerequisites # You need to have Rekor CLI installed.</description></item><item><title>Pluggable Types</title><link>https://deploy-preview-426--docssigstore.netlify.app/logging/pluggable-types/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/logging/pluggable-types/</guid><description>Rekor supports pluggable types (aka different schemas) for entries stored in the transparency log. This will allow you to develop your own manifest type in your preferred formatting style (json|yaml|xml).
Currently supported types # The list of currently supported types and their schema is maintained in the repository.
Base schema # The base schema for all types is modeled off of the schema used by Kubernetes and can be found in openapi.</description></item><item><title>Signing and Uploading Other Types</title><link>https://deploy-preview-426--docssigstore.netlify.app/logging/sign-upload/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/logging/sign-upload/</guid><description>This documentation contains information on how to sign and upload data in different pluggable types.
The following are covered:
Minisign SSH PKIX/X509 RPM Alpine RPM TSR TUF Minisign # Create a keypair with something like:
$ minisign -G Please enter a password to protect the secret key. Password: Password (one more time): Deriving a key from the password in order to encrypt the secret key... done The secret key was saved as /Users/dlorenc/.</description></item><item><title>Verifying Binaries</title><link>https://deploy-preview-426--docssigstore.netlify.app/logging/verify-release/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/logging/verify-release/</guid><description>📓 We will refine this process over time to be more streamlined with a higher consensus threshold as well as an implementation of a TUF-style policy. For now this is quite a multi-step process. We will also deep dive a fair amount here, as it’s a good opportunity to pull the covers aside and see how this all works.
Rekor releases are currently signed and verified using Fulcio OpenID Connect based on short-lived signing certificates.</description></item><item><title>Using the Rekor Event Stream</title><link>https://deploy-preview-426--docssigstore.netlify.app/logging/event_stream/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-426--docssigstore.netlify.app/logging/event_stream/</guid><description>The public Rekor instance provides an event stream of new entries added to the transparency log using GCP Pub/Sub. This can be used to monitor the log in real time for events you are interested in.
Pub/Sub details # Important: Pub/Sub usage is not free. Please familiarize yourself with the pricing before proceeding.
Tip: You can avoid paying egress network costs by placing the workload that processes events from the subscription in the same region as the topic.</description></item></channel></rss>