<p align="center">
  <img style="max-width: 100%;width: 300px;" src="https://raw.githubusercontent.com/sigstore/community/main/artwork/rekor/horizontal/color/sigstore_rekor-horizontal-color.svg" alt="Rekor logo"/>
</p>

# Rekor

Rekór - Greek for “Record”

Rekor's goal is to provide an immutable, tamper-resistant ledger of metadata generated within a software project's supply chain.
Rekor enables software maintainers and build systems to record signed metadata to an immutable record.
Other parties can then query said metadata to enable them to make informed decisions on trust and non-repudiation of an object's lifecycle. For more details visit the [sigstore website](https://sigstore.dev).

The Rekor project provides a RESTful API-based server for validation and a transparency log for storage.
A CLI application is available to make and verify entries, query the transparency log for inclusion proofs,
verify the integrity of the transparency log, and retrieve entries by either public key or artifact.

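The inclusion proof mentioned above is what lets a client confirm that an entry is in the log without downloading the whole log. The following is an added example, not code from the Rekor project: it assumes the RFC 6962 Merkle tree hashing used by Rekor's Trillian-backed log, and the helper names `h`, `sample` and `VerifyInclusion` and the three leaf values are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// h is the RFC 6962 hash: prefix 0x00 for a leaf, 0x01 for an interior node.
func h(prefix byte, parts ...[]byte) []byte {
	s := sha256.Sum256(append([]byte{prefix}, bytes.Join(parts, nil)...))
	return s[:]
}

// VerifyInclusion recomputes the root from one leaf hash and its audit path.
func VerifyInclusion(index, size uint64, leafHash []byte, proof [][]byte, root []byte) error {
	if index >= size {
		return fmt.Errorf("leaf index outside tree")
	}
	fn, sn, r := index, size-1, leafHash
	for _, p := range proof {
		if sn == 0 {
			return fmt.Errorf("proof longer than tree depth")
		}
		if fn&1 == 1 || fn == sn {
			r = h(1, p, r) // sibling subtree is on the left
			for fn&1 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1 // skip levels where this node has no sibling
			}
		} else {
			r = h(1, r, p) // sibling subtree is on the right
		}
		fn, sn = fn>>1, sn>>1
	}
	if sn != 0 || !bytes.Equal(r, root) {
		return fmt.Errorf("proof does not reproduce the signed root")
	}
	return nil
}

// sample builds a constructed 3-leaf log: root = H(H(l0, l1), l2).
func sample() (l [3][]byte, root []byte) {
	l = [3][]byte{h(0, []byte("entry-0")), h(0, []byte("entry-1")), h(0, []byte("entry-2"))}
	return l, h(1, h(1, l[0], l[1]), l[2])
}

func main() {
	l, root := sample()
	fmt.Println(VerifyInclusion(0, 3, l[0], [][]byte{l[1], l[2]}, root)) // <nil>
}
```

The check is only meaningful when `root` comes from a log checkpoint whose signature has been verified against the log's public key; a proof checked against an unauthenticated root proves nothing.
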
Rekor fulfils the signature transparency role of sigstore's software signing
infrastructure. However, Rekor can be run on its own and is designed to be
extensible to working with different manifest schemas and PKI tooling.

[Official Documentation](https://docs.sigstore.dev/rekor/overview).

## Public Instance

Rekor is officially Generally Available with a 1.0.0 release, and follows [semver rules](https://semver.org/) for API stability.
This means production workloads can rely on the Rekor public instance, which has a 24/7 on-call rotation supporting it and offers a 99.5% availability SLO for the following API endpoints:
* `/api/v1/log`
* `/api/v1/log/publicKey`
* `/api/v1/log/proof`
* `/api/v1/log/entries`
* `/api/v1/log/entries/retrieve`

For uptime data on the Rekor public instance, see [https://status.sigstore.dev](https://status.sigstore.dev).

More details on the public instance can be found at [docs.sigstore.dev](https://docs.sigstore.dev/rekor/public-instance).

The attestation size limit for uploads to the public instance is [100KB](https://github.com/sigstore/rekor/blob/18c81d9f4def67c72f630c5406e26d5e568bc83b/cmd/rekor-server/app/root.go#L104). If you need to upload larger files, please run your own instance of Rekor. You can find instructions for doing so in the [installation](https://docs.sigstore.dev/rekor/overview#usage-and-installation) documentation.

### Installation

Please see the [installation](https://docs.sigstore.dev/rekor/overview#usage-and-installation) page for details on how to install the rekor CLI and set up / run
the rekor server.

### Usage

For examples of uploading signatures for all the supported types to rekor, see [the types documentation](types.md).

## Extensibility

### Custom schemas / manifests (rekor type)

Rekor allows customized manifests (which we term types); [type customization is outlined here](https://github.com/sigstore/rekor/tree/main/pkg/types).

### API

If you're interested in integration with Rekor, we have an [OpenAPI swagger editor](https://sigstore.dev/swagger/).

## Security

Should you discover any security issues, please refer to sigstore's [security process](https://github.com/sigstore/.github/blob/main/SECURITY.md).

## Contributions

We welcome contributions from anyone and are especially interested to hear from users of Rekor.

## Additional Documentation

In addition to this README file, this folder contains the following additional documentation:

- **oid-info.md**. Rekor OID values.
- **types.md**. Information about how to sign and upload data in different pluggable types.