Rekor
Software Supply Chain Transparency Log
| Category | Supply Chain Security |
|---|---|
| Community Stars | 917 |
| Last Commit | last week |
| Last page update | 19 days ago |
| Pricing Details | Free and open-source under Apache License 2.0 |
| Target Audience | Developers and organizations focused on software supply chain security. |
The Rekor log monitor and the Rekor system itself address a critical security and operational challenge in the software supply chain: ensuring the integrity and immutability of metadata records. Here’s a technical breakdown of how it works:
Rekor is designed as a cryptographically secure, immutable transparency log for signed software releases. It uses a RESTful API-based server for validation and a transparency log for storage. The system records signed metadata, allowing other parties to query this metadata to verify the trust and non-repudiation of an object's lifecycle.
The Rekor log monitor specifically verifies the consistency and immutability of the log entries. It runs periodically, recommended every hour, to check that the log remains tamper-evident and append-only. This is achieved through a GitHub Actions workflow that uses a reusable monitoring workflow.
The log monitor should not be run concurrently with other log monitoring jobs in the same repository to avoid conflicts. Additionally, the artifact_retention_days setting must be longer than the cron job frequency to ensure proper operation. The monitor starts from the latest checkpoint, and for historical searches, you need to query the log directly.
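To show what the "tamper-evident and append-only" check between two checkpoints actually involves, here is an added example (not Rekor's or the monitor's own code) that implements the RFC 6962 Merkle tree hashing and the RFC 9162 consistency-proof verification used by transparency logs of this kind; the entries are constructed sample bytes, and the monitor simply keeps the (size, root hash) pair from its last run as the saved checkpoint.

```python
import hashlib

# RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior nodes
def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def largest_pow2_below(n: int) -> int:
    """Largest power of two strictly smaller than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves):
    """MTH(D[n]) from RFC 6962 section 2.1."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return hash_leaf(leaves[0])
    k = largest_pow2_below(len(leaves))
    return hash_node(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def consistency_proof(m, leaves, complete=True):
    """SUBPROOF(m, D[n], b): the node hashes a log serves to prove size m grew into size n."""
    n = len(leaves)
    if m == n:
        return [] if complete else [merkle_root(leaves)]
    k = largest_pow2_below(n)
    if m <= k:  # entries D[k:n] only exist in the newer tree
        return consistency_proof(m, leaves[:k], complete) + [merkle_root(leaves[k:])]
    return consistency_proof(m - k, leaves[k:], False) + [merkle_root(leaves[:k])]

def verify_consistency(first, first_hash, second, second_hash, path):
    """RFC 9162 section 2.1.4.2: True iff the tree of size `second` is an
    append-only extension of the tree of size `first` (the saved checkpoint)."""
    if first == second:
        return not path and first_hash == second_hash
    if not 0 < first < second or not path:
        return False
    if (first & (first - 1)) == 0:  # power of two: old root is omitted from the proof
        path = [first_hash] + list(path)
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]                # fr rebuilds the old root, sr the new one
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = hash_node(c, fr), hash_node(c, sr)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = hash_node(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return fr == first_hash and sr == second_hash and sn == 0

ENTRIES = [f"entry-{i}".encode() for i in range(7)]  # constructed sample entries

def monitor_run():
    """Checkpoint (3, root) saved last run; the log now reports 7 entries.
    Returns (honest log accepted, log that rewrote entry 1 rejected)."""
    saved_size, saved_root = 3, merkle_root(ENTRIES[:3])
    ok = verify_consistency(saved_size, saved_root, 7, merkle_root(ENTRIES),
                            consistency_proof(saved_size, ENTRIES))
    tampered = ENTRIES[:1] + [b"rewritten"] + ENTRIES[2:]
    bad = verify_consistency(saved_size, saved_root, 7, merkle_root(tampered),
                             consistency_proof(saved_size, tampered))
    return ok, bad
```

A real monitor stores the checkpoint it last verified and fetches the proof from the log; rewriting or dropping any entry below the saved size changes the reconstructed old root and fails the check.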
Rekor supports various types of signatures, including IEEE P1363 encoded ECDSA and ed25519ph user keys. It also integrates with multiple key management systems (KMS) such as AWS, GCP, and HashiCorp Vault. The system provides a CLI application for making and verifying entries, querying the transparency log, and retrieving entries by public key or artifact.
The identities to be monitored can be specified using regular expressions, particularly matching certificate Subject Alternative Name (SAN) fields. Fingerprint values are calculated using SHA-256 digests for keys and certificates, and specific formats for SSH and PGP keys.
In terms of performance and scalability, Rekor's architecture emphasizes real-time monitoring, but it may face challenges with query performance at scale, particularly in multi-account setups or when dealing with large volumes of data. The system is continuously updated with new features and bug fixes, such as improved index storage backends and enhanced validation mechanisms.