LinuxCommandLibrary

rekor-cli

Submit and query software supply chain metadata

TLDR

Upload an artifact to Rekor

$ rekor-cli upload --artifact [path/to/file.ext] --signature [path/to/file.ext.sig] --pki-format=[x509] --public-key=[path/to/key.pub]
Get information regarding entries in the Transparency Log

$ rekor-cli get --uuid=[0e81b4d9299e2609e45b5c453a4c0e7820ac74e02c4935a8b830d104632fd2d1]

Search the Rekor index to find entries by Artifact

$ rekor-cli search --artifact [path/to/file.ext]

Search the Rekor index to find entries by a specific hash

$ rekor-cli search --sha [6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b]

SYNOPSIS

rekor-cli [global options] <command> [command options] [arguments]

Common usage examples:
  rekor-cli search --sha <sha256-hash>
  rekor-cli upload --artifact <path/to/artifact> --signature <path/to/signature> --public-key <path/to/publickey>
  rekor-cli get --uuid <entry-uuid>

PARAMETERS

--rekor_server URL
    Specifies the Rekor server URL to interact with. If omitted, the default public Rekor instance is used.

-h, --help
    Displays help information for the command or any subcommand.

--log-level level
    Sets the logging verbosity level (e.g., debug, info, warn, error).

--artifact path
    (Used with upload, verify) Path to the software artifact (e.g., binary, container image) to be processed.

--signature path
    (Used with upload, verify) Path to the digital signature associated with the artifact.

--public-key path
    (Used with upload, verify, search) Path to the public key used for signing or to search for entries signed by a specific key.

--sha value
    (Used with search) Specifies the SHA-256 hash of the artifact to search for in the log.

--email address
    (Used with search) Searches for log entries associated with a specific signer's email address.

--uuid UUID
    (Used with get, search) Specifies the unique identifier of a Rekor entry to retrieve or search for.

--type artifact-type
    (Used with upload, verify) Defines the type of artifact being uploaded or verified (e.g., dsse, oci, rpm, alpine, go.mod, jar, helm.prov).

DESCRIPTION

rekor-cli is the command-line interface for Rekor, a core component of the Sigstore project. Rekor provides an append-only, tamper-evident transparency log for software supply chain metadata. This tool enables users to record software artifacts (such as signed container images, binaries, and build materials) in the public Rekor log, making them verifiable and auditable by anyone. It supports uploading diverse artifact types, searching for entries by artifact hash, public key, or email, retrieving specific log entries by UUID, and verifying an artifact's presence and integrity in the log. rekor-cli strengthens software supply chain security by offering a transparent, publicly verifiable record of artifact signing events.

CAVEATS

rekor-cli requires network connectivity to interact with a Rekor server. The Rekor log is an append-only transparency log; entries, once added, cannot be modified or removed, ensuring immutability and auditability. Users should be aware of the specific artifact types and their associated signing mechanisms to ensure correct upload and verification workflows. Compatibility between the rekor-cli client and the Rekor server API is important for seamless operation.

REKOR TRANSPARENCY LOG

The Rekor log is built on a cryptographically verifiable Merkle tree. Each entry is hashed into a leaf, and the tree's root hash commits to every entry below it, so modifying or removing a past entry changes the root hash and breaks the inclusion and consistency proofs that clients check, making tampering detectable. This provides strong guarantees of integrity and tamper-evidence.
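The tamper-evidence described above, as an added example that is not Rekor or rekor-cli code: a minimal RFC 6962 Merkle tree (the construction Rekor's log uses) with inclusion-proof generation and the client-side verification a consumer of `rekor-cli get` performs. The proof dict's field names (`logIndex`, `treeSize`, `rootHash`, `hashes`, hex-encoded) are assumed to mirror Rekor's `inclusionProof` object; the log entries are constructed sample data, not real Rekor entries.

```python
"""Added example (not rekor-cli or Rekor project code): RFC 6962 Merkle tree
with inclusion proofs, showing why an altered entry is detectable."""
import hashlib
import json


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 leaf hash: domain-separated with a 0x00 prefix
    return _h(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # RFC 6962 interior node hash: 0x01 prefix over the two children
    return _h(b"\x01" + left + right)


def _split(n: int) -> int:
    # Largest power of two strictly less than n (n >= 2)
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(leaves: list) -> bytes:
    """Merkle Tree Head over an ordered list of serialized entries."""
    if not leaves:
        return _h(b"")
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))


def inclusion_path(m: int, leaves: list) -> list:
    """Sibling hashes proving leaf m is in the tree (RFC 6962 PATH)."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_path(m, leaves[:k]) + [tree_head(leaves[k:])]
    return inclusion_path(m - k, leaves[k:]) + [tree_head(leaves[:k])]


def verify_inclusion(leaf_index: int, tree_size: int, leaf: bytes,
                     hashes: list, root_hash: bytes) -> bool:
    """Client-side check (RFC 9162 2.1.3.2): recompute the root from the
    leaf and the proof path, then compare it with the published root."""
    if leaf_index >= tree_size:
        return False
    fn, sn, r = leaf_index, tree_size - 1, leaf_hash(leaf)
    for p in hashes:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1) and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root_hash


def make_proof(leaves: list, index: int) -> dict:
    # Field names assumed to follow Rekor's inclusionProof object (hex-encoded)
    return {"logIndex": index, "treeSize": len(leaves),
            "rootHash": tree_head(leaves).hex(),
            "hashes": [h.hex() for h in inclusion_path(index, leaves)]}


def check_entry(leaf: bytes, proof: dict) -> bool:
    return verify_inclusion(proof["logIndex"], proof["treeSize"], leaf,
                            [bytes.fromhex(h) for h in proof["hashes"]],
                            bytes.fromhex(proof["rootHash"]))


# Constructed sample entries standing in for serialized Rekor entry bodies.
SAMPLE_ENTRIES = [
    json.dumps({"kind": "hashedrekord", "artifact": f"build-{i}.tar.gz",
                "sha256": hashlib.sha256(b"artifact-%d" % i).hexdigest()},
               sort_keys=True).encode()
    for i in range(5)
]


def demo() -> dict:
    """Every genuine entry verifies; an entry altered after the fact does not."""
    results = {i: check_entry(SAMPLE_ENTRIES[i], make_proof(SAMPLE_ENTRIES, i))
               for i in range(len(SAMPLE_ENTRIES))}
    proof = make_proof(SAMPLE_ENTRIES, 2)
    tampered = SAMPLE_ENTRIES[2].replace(b"build-2", b"build-X")
    results["tampered"] = check_entry(tampered, proof)
    return results


if __name__ == "__main__":
    print(demo())
```

The verification loop never trusts the proof's own shape: it walks `logIndex` and `treeSize` bit by bit, so a proof built for a different tree size, or one with a missing or extra sibling hash, fails the final `sn == 0` check rather than being accepted on a coincidental root match.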

INTEGRATION WITH SIGSTORE TOOLS

rekor-cli works in concert with other Sigstore tools, most notably cosign. When cosign signs a container image or another artifact, it often automatically uploads the signature metadata and related information to Rekor. This seamless integration ensures that signing events are publicly recorded and easily auditable, fostering greater trust and transparency in software supply chains.

HISTORY

rekor-cli is an integral part of the open-source Sigstore project, which was launched in late 2020 by the Linux Foundation, Google, Red Hat, and other key industry players. Sigstore was created to enhance software supply chain security through cryptographic signing and verifiable transparency logs. Rekor was introduced as the project's transparency log component, providing a public, verifiable record of signing events. rekor-cli was developed concurrently as the primary command-line interface to interact with this log, evolving to support an expanding array of artifact types and verification processes within the growing Sigstore ecosystem. Its development is community-driven and continues to be actively maintained.

SEE ALSO

cosign(1), fulcio(1), sigstore(7)
