Rekor CLI

Definition

Rekor CLI (rekor-cli) is the command-line client for Rekor, the transparency log of the Sigstore project. Rekor is an append-only, tamper-evident ledger (a Merkle tree whose signed tree head lets anyone detect modification or removal of entries) that records metadata about software artifacts: the artifact's digest, a signature over it, and the public key or certificate that verifies the signature. The artifact itself is not stored. The CLI lets users upload entries, fetch them by UUID or log index, verify an artifact/signature pair against the log, and search the log by digest, public key or email, so that consumers can check when and by whom an artifact was signed.

Secure Settings Example

rekor-cli upload --artifact myartifact.tar.gz --signature myartifact.sig --public-key mypublickey.pem --pki-format x509 --rekor_server https://rekor.sigstore.dev

This command computes the SHA-256 digest of the local artifact and submits an entry containing that digest, the signature and the public key to the public Rekor instance over HTTPS (the server flag is spelled --rekor_server, and https://rekor.sigstore.dev is already its default, so the flag can be omitted for the public log). --pki-format x509 tells rekor-cli that mypublickey.pem is a PEM-encoded x509/PKIX key rather than a PGP key, which is the default format. On success the server returns the entry's log index, UUID and a signed entry timestamp, which should be kept with the artifact. Anyone can later run rekor-cli verify with the same artifact, signature and key flags, or rekor-cli search --sha with the digest, to confirm that the signature was recorded in the log and is included in the current tree. Note what the log does and does not prove: it proves that this signature over this digest was logged at a given time, not that the signer is trustworthy; consumers still decide which keys or identities they accept.

Insecure Settings Example

rekor-cli upload --artifact myartifact.tar.gz --signature myartifact.sig --public-key mypublickey.pem --pki-format x509 --rekor_server http://insecure-rekor-server.local

This command sends the entry to a private Rekor server over plain HTTP. The request and, more importantly, the response (the signed entry timestamp and the inclusion proof the uploader will later rely on) can be read or altered in transit, and the client has no way to tell that it is talking to the intended server. A log that consumers cannot reach, or whose log public key is not in their trust root, also provides no transparency: nobody outside the operator can audit it. Only point --rekor_server at a private deployment when it is served over TLS with a certificate the client validates and its public key is distributed to verifiers through a trusted channel; otherwise leave the flag at its default and use the public log. (An upload that omits --signature and --public-key, as the original form of this example did, is not merely insecure but invalid: rekord and hashedrekord entries require both, and rekor-cli rejects the request before it reaches any server.)
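The following is an added example, not code from the page or from the Rekor project, that shows both points above offline: what rekor-cli upload actually submits for a hashedrekord entry (the artifact digest, the signature and the key, never the artifact bytes), and a pre-flight check that refuses the insecure server settings of the second example before any request is made. The artifact contents, signature bytes and PEM key are constructed placeholders (the signature is not a real ECDSA signature), and the function names are the example's own; the entry layout is the hashedrekord v0.0.1 body Rekor accepts on POST /api/v1/log/entries.

```python
"""Build a Rekor hashedrekord entry body and vet the --rekor_server value, with no network access."""
import base64
import hashlib
from urllib.parse import urlparse

# Constructed sample inputs (placeholders, not real cryptographic material).
# In practice these are the files passed as --artifact, --signature and --public-key.
ARTIFACT = b"constructed contents of myartifact.tar.gz\n"
SIGNATURE = b"placeholder DER-encoded ECDSA signature bytes"
PUBLIC_KEY_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE placeholder key body\n"
    b"-----END PUBLIC KEY-----\n"
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest: the value Rekor records for the artifact and the
    argument to `rekor-cli search --sha`."""
    return hashlib.sha256(data).hexdigest()


def hashedrekord_entry(artifact: bytes, signature: bytes, public_key_pem: bytes) -> dict:
    """Proposed hashedrekord v0.0.1 entry, as `rekor-cli upload` submits it.

    Only the digest, the signature and the public key leave the machine;
    the artifact bytes are hashed locally and never sent.
    """
    return {
        "apiVersion": "0.0.1",
        "kind": "hashedrekord",
        "spec": {
            "data": {"hash": {"algorithm": "sha256", "value": sha256_hex(artifact)}},
            "signature": {
                "content": base64.b64encode(signature).decode("ascii"),
                "publicKey": {"content": base64.b64encode(public_key_pem).decode("ascii")},
            },
        },
    }


def rekor_server_problems(url: str) -> list[str]:
    """Reasons a --rekor_server value should be refused; an empty list means it is acceptable."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(
            f"scheme {parsed.scheme!r} is not https: the entry and the returned "
            "signed entry timestamp/inclusion proof can be read or altered in transit"
        )
    if not parsed.hostname:
        problems.append("URL has no host")
    elif parsed.hostname.endswith(".local"):
        problems.append(
            "private .local log: artifact consumers cannot reach it to audit the entry"
        )
    return problems


def rekor_cli_upload_argv(server: str, artifact: str, signature: str, public_key: str) -> list[str]:
    """argv for the secure upload; raises ValueError instead of contacting an unsafe server.

    --pki-format x509 is passed because the key is a PEM/PKIX key; rekor-cli's
    default format is pgp.
    """
    problems = rekor_server_problems(server)
    if problems:
        raise ValueError("refusing --rekor_server " + server + ": " + "; ".join(problems))
    return [
        "rekor-cli", "upload",
        "--artifact", artifact,
        "--signature", signature,
        "--public-key", public_key,
        "--pki-format", "x509",
        "--rekor_server", server,
    ]


if __name__ == "__main__":
    import json
    print(json.dumps(hashedrekord_entry(ARTIFACT, SIGNATURE, PUBLIC_KEY_PEM), indent=2))
    print(" ".join(rekor_cli_upload_argv("https://rekor.sigstore.dev",
                                         "myartifact.tar.gz", "myartifact.sig", "mypublickey.pem")))
    for bad in ("http://insecure-rekor-server.local", "https://rekor.internal.local"):
        print(bad, "->", rekor_server_problems(bad))
```

The check deliberately treats a .local host as a problem even over HTTPS, because the weakness of the insecure example is not only the transport: an entry in a log that the artifact's consumers cannot reach or do not trust gives them nothing to verify against.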