LinuxCommandLibrary

rekor-cli

Submit and query software supply chain metadata

TLDR

Upload an artifact to Rekor

$ rekor-cli upload --artifact [path/to/file.ext] --signature [path/to/file.ext.sig] --pki-format=[x509] --public-key=[path/to/key.pub]
copy

Get information regarding entries in the Transparency Log
$ rekor-cli get --uuid=[0e81b4d9299e2609e45b5c453a4c0e7820ac74e02c4935a8b830d104632fd2d1]
copy

Search the Rekor index to find entries by Artifact
$ rekor-cli search --artifact [path/to/file.ext]
copy

Search the Rekor index to find entries by a specific hash
$ rekor-cli search --sha [6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b]
copy

SYNOPSIS

rekor-cli [command] [flags]

PARAMETERS

--help
    Show help message and exit.

--version
    Show version information and exit.

create
    Create a new entry in the Rekor log.

get
    Get an existing entry from the Rekor log.

search
    Search for entries matching specific criteria.

verify
    Verify an entry against the Rekor log.

flags specific to subcommands (e.g., --artifact, --signature, --public-key)
    Vary depending on the subcommand being used. Refer to the help output for each subcommand for details.

DESCRIPTION

The rekor-cli command is a command-line interface (CLI) tool for interacting with the Rekor transparency log. Rekor is a software supply chain security project that provides an immutable, tamper-resistant ledger for recording metadata about software artifacts.

With rekor-cli, users can submit new entries (e.g., information about code signing, build provenance, or dependency manifests) to the Rekor log, query the log for existing entries based on various criteria (e.g., artifact digest, public key, or log index), and verify the integrity of the log itself. This allows for increased transparency and traceability throughout the software supply chain, making it easier to identify and prevent malicious or compromised components.

The tool supports several operations, including creating log entries, searching for existing entries and verifying the integrity of the log.

CAVEATS

Interaction with a Rekor instance is required, so ensure the proper endpoint is set. The command may require specific permissions or configurations to interact with the Rekor server. Some features may depend on the specific version of Rekor being used.

EXAMPLES

Example rekor-cli commands:
Create an entry: rekor-cli create --artifact artifact.txt --signature artifact.sig --public-key pub.key
Get an entry by log index: rekor-cli get --log-index 12345
Search for entries: rekor-cli search --sha256 1234...

HISTORY

Rekor is part of the Sigstore project, an effort to improve the security of the open source software supply chain. The rekor-cli tool was developed alongside Rekor to provide a user-friendly interface for interacting with the log. It has seen continued development and adoption as Sigstore has gained traction within the industry.

SEE ALSO

openssl(1)

Copied to clipboard