rekor-cli
Submit and query software supply chain metadata
TLDR
Upload an artifact to Rekor
Get information regarding entries in the Transparency Log
Search the Rekor index to find entries by Artifact
Search the Rekor index to find entries by a specific hash
SYNOPSIS
rekor-cli [command] [flags]
PARAMETERS
--help
Show help message and exit.
--version
Show version information and exit.
upload
Create a new entry in the Rekor log.
get
Get an existing entry from the Rekor log.
search
Search for entries matching specific criteria.
verify
Verify an entry against the Rekor log.
flags specific to subcommands (e.g., --artifact, --signature, --public-key)
Vary depending on the subcommand being used. Refer to the help output for each subcommand for details.
DESCRIPTION
The rekor-cli command is a command-line interface (CLI) tool for interacting with the Rekor transparency log. Rekor is a software supply chain security project that provides an immutable, tamper-resistant ledger for recording metadata about software artifacts.
With rekor-cli, users can submit new entries (e.g., information about code signing, build provenance, or dependency manifests) to the Rekor log, query the log for existing entries based on various criteria (e.g., artifact digest, public key, or log index), and verify the integrity of the log itself. This allows for increased transparency and traceability throughout the software supply chain, making it easier to identify and prevent malicious or compromised components.
The tool supports several operations, including creating log entries, searching for existing entries and verifying the integrity of the log.
CAVEATS
Interaction with a Rekor instance is required, so ensure the proper endpoint is set. The command may require specific permissions or configurations to interact with the Rekor server. Some features may depend on the specific version of Rekor being used.
EXAMPLES
Example rekor-cli commands:
Create an entry: rekor-cli upload --artifact artifact.txt --signature artifact.sig --public-key pub.key
Get an entry by log index: rekor-cli get --log-index 12345
Search for entries: rekor-cli search --sha 1234...
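A check to run on the output of rekor-cli get --format json: confirm that the retrieved entry records the digest of the artifact in hand. This is an added example, not part of rekor-cli or the original page; the JSON layout (Body holding one typed object with data.hash) is an assumption about the output for rekord/hashedrekord entries, and the sample entry is constructed with placeholder values.

```python
import hashlib
import json

# Constructed sample shaped like `rekor-cli get --format json` output for a
# hashedrekord entry (layout is an assumption; UUID, LogID, signature and key
# are placeholders, not real log data).
ARTIFACT = b"hello supply chain\n"
SAMPLE_ENTRY = json.dumps({
    "Body": {"HashedRekordObj": {
        "data": {"hash": {"algorithm": "sha256",
                          "value": hashlib.sha256(ARTIFACT).hexdigest()}},
        "signature": {"content": "PLACEHOLDER",
                      "publicKey": {"content": "PLACEHOLDER"}},
    }},
    "LogIndex": 12345,
    "IntegratedTime": 1700000000,
    "UUID": "PLACEHOLDER-UUID",
    "LogID": "PLACEHOLDER-LOGID",
})


def recorded_hash(entry_json: str) -> tuple[str, str]:
    """Return (algorithm, hex digest) recorded in the entry body."""
    entry = json.loads(entry_json)
    body = entry.get("Body") if isinstance(entry, dict) else None
    if not isinstance(body, dict) or len(body) != 1:
        raise ValueError("expected exactly one typed object under 'Body'")
    (obj,) = body.values()
    try:
        h = obj["data"]["hash"]
        return h["algorithm"].lower(), h["value"].lower()
    except (KeyError, TypeError, AttributeError) as exc:
        raise ValueError("entry body carries no data.hash") from exc


def entry_matches_artifact(entry_json: str, artifact: bytes) -> bool:
    """True only if the entry records this artifact's digest."""
    algorithm, value = recorded_hash(entry_json)
    if algorithm not in ("sha256", "sha512"):  # this sketch handles only these
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return hashlib.new(algorithm, artifact).hexdigest() == value


if __name__ == "__main__":
    print(entry_matches_artifact(SAMPLE_ENTRY, ARTIFACT))         # unmodified artifact
    print(entry_matches_artifact(SAMPLE_ENTRY, ARTIFACT + b"x"))  # modified artifact
```

A matching digest only ties the entry to the file; checking the entry against the log remains the job of rekor-cli verify.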
HISTORY
Rekor is part of the Sigstore project, an effort to improve the security of the open source software supply chain. The rekor-cli tool was developed alongside Rekor to provide a user-friendly interface for interacting with the log. It has seen continued development and adoption as Sigstore has gained traction within the industry.
SEE ALSO
openssl(1)