Sigstore Transparency Logs

Definition

Sigstore transparency logs (Rekor, reachable at rekor.sigstore.dev in the examples below) are append-only, tamper-evident logs that record signing events for software artifacts so that an artifact's signature and provenance can be checked later. Because every entry is appended to a public Merkle tree and never modified, the log provides an auditable record of signed artifacts: a user can verify that an artifact has not been altered since it was signed, and that the signature was actually logged at the time claimed. This transparency strengthens the integrity of the software supply chain by letting anyone, not only the signer or the log operator, audit and verify the provenance of software components.

Secure Settings Example

# Example configuration for a Sigstore client using a transparency log
transparency_log:
  url: "https://rekor.sigstore.dev"
  verify: true  # Check inclusion proofs and signed entries against the log's key
  log_public_key: "/path/to/public_key.pem"  # Obtained out of band (Sigstore trust root), never from the log itself

Insecure Settings Example

# Example of an insecure Sigstore client configuration
transparency_log:
  url: "https://rekor.sigstore.dev"
  verify: false  # Disabling verification undermines the integrity check: the client trusts the log's response blindly
  log_public_key: ""  # Missing public key, so a forged or tampered log response cannot be detected
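What `verify: true` actually checks, and what the insecure configuration skips, is the Merkle inclusion proof that the log returns for an entry. The following is an added example (not code from the page or from Sigstore) that builds a small RFC 6962-style tree, as Rekor does, and verifies an inclusion proof on the client side; the entry contents and tree are constructed here for illustration, and the signature check on the checkpoint that carries the root (which is what `log_public_key` is for) is assumed to happen before `verify_inclusion` is called.

```python
import hashlib
# RFC 6962 hashing as used by Sigstore's Rekor log: leaves get a 0x00 prefix and
# interior nodes a 0x01 prefix, so a leaf can never be passed off as an interior node.
def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()
def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly smaller than n (the RFC 6962 subtree split)."""
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves: list[bytes]) -> bytes:
    """Log operator's side: root hash over already leaf-hashed entries."""
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: list[bytes], m: int) -> list[bytes]:
    """Audit path for leaf m: the sibling hashes from the leaf up to the root."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_proof(leaves[:k], m) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, size: int, proof: list[bytes], root: bytes) -> bool:
    """Client side (RFC 9162 s2.1.3.2): recompute the root from the leaf and audit path.
    `root` must itself come from a checkpoint verified with the log's public key."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in proof:
        if sn == 0:
            return False                       # more proof hashes than tree levels
        if fn & 1 or fn == sn:
            r = node_hash(p, r)                # sibling is to our left
            while fn != 0 and not fn & 1:      # we were the last node on this level
                fn >>= 1; sn >>= 1
        else:
            r = node_hash(r, p)                # sibling is to our right
        fn >>= 1; sn >>= 1
    return sn == 0 and r == root

# Constructed five-entry log standing in for Rekor entries; not real Rekor data.
LEAVES = [leaf_hash(f"artifact-{i}".encode()) for i in range(5)]
ROOT = merkle_root(LEAVES)
```

A client with `verify: false` never runs this check, so a log (or anyone between the client and the log) could return an entry that was never appended and the client would accept it.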