### Start Rekor v2 Instance with Docker Compose Source: https://github.com/sigstore/rekor-tiles/blob/main/tests/loadtest/README.md This command starts a local instance of Rekor v2 using Docker Compose. It waits for services to be ready and builds the necessary images. Ensure you are in the root directory of the repository. ```bash docker compose up --wait --build ``` -------------------------------- ### Start Docker Containers for POSIX Binary Source: https://github.com/sigstore/rekor-tiles/blob/main/tests/README.md Starts the Docker containers required for end-to-end testing of the POSIX binary. This command builds the images, starts the containers in detached mode, and waits for them to become ready using a specific compose file. ```sh docker compose -f posix-compose.yml up -d --build --wait --wait-timeout 60 ``` -------------------------------- ### Start Docker Containers for GCP Binary Source: https://github.com/sigstore/rekor-tiles/blob/main/tests/README.md Starts the Docker containers required for end-to-end testing of the GCP binary. This command builds the images, starts the containers in detached mode, and waits for them to become ready. ```sh docker compose -f compose.yml up -d --build --wait --wait-timeout 60 ``` -------------------------------- ### Docker Deployment: Run Local Rekor v2 Instance Source: https://context7.com/sigstore/rekor-tiles/llms.txt Provides instructions to deploy a local Rekor v2 instance using Docker Compose. This setup includes emulated GCP services for Spanner and GCS, allowing for local testing and development of Rekor-dependent applications. The commands cover starting, accessing, and stopping the services. ```bash # Clone repository git clone https://github.com/sigstore/rekor-tiles.git cd rekor-tiles # Start services (includes emulated Spanner and GCS) docker compose up --build --wait # Services available: # - HTTP API: http://localhost:3003 # - gRPC API: localhost:3001 # - Tile storage: http://localhost:7080/tiles (GCP) or http://localhost:8000 (POSIX) # Stop services docker compose down # Stop and remove persisted data docker compose down --volumes ``` -------------------------------- ### Start Rekor v2 Local Development Service Source: https://github.com/sigstore/rekor-tiles/blob/main/README.md Command to start the Rekor v2 service along with emulated Google Cloud Storage and Spanner instances for local development. This command builds the necessary Docker images and waits for the services to become available. ```bash docker compose up --build --wait ``` -------------------------------- ### Setup and Artifact Creation with Bash Source: https://github.com/sigstore/rekor-tiles/blob/main/CLIENTS.md This snippet demonstrates how to clone the Rekor service, spin it up using Docker Compose, and generate a signed artifact. It includes steps for creating private and public keys, generating random artifact data, signing the artifact, and verifying the signature. ```bash git clone https://github.com/sigstore/rekor-tiles.git cd rekor-tiles docker compose up --build --wait openssl ecparam -genkey -name prime256v1 > ec_private.pem && openssl ec -in ec_private.pem -pubout > ec_public.pem head -c 128 < /dev/urandom > artifact openssl dgst -sha256 -sign ec_private.pem artifact > artifact.sig openssl dgst -sha256 -verify ec_public.pem -signature artifact.sig artifact # Should return Verified OK cat artifact | openssl dgst -binary -sha256 > artifact_dgst ``` -------------------------------- ### SigningConfig JSON Example for Rekor Clients Source: https://github.com/sigstore/rekor-tiles/blob/main/CLIENTS.md An example of the SigningConfig JSON message, illustrating the structure for specifying URLs and configurations for Fulcio, OIDC, Rekor, and Timestamp Authority services. This configuration includes details on API versions, validity windows, and service selection strategies. ```json { "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json", "caUrls": [ { "url": "https://fulcio.sigstore.dev", "majorApiVersion": 1, "validFor": { "start": "", "end": "" }, "operator": "sigstore.dev" } ], "oidcUrls": [ { "url": "https://oauth2.sigstore.dev/auth", "majorApiVersion": 1, "validFor": { "start": "" }, "operator": "sigstore.dev" } ], "rekorTlogUrls": [ { "url": "https://log2025-01.rekor.sigstore.dev", "majorApiVersion": 2, "validFor": { "start": "" }, "operator": "sigstore.dev" }, { "url": "https://rekor.sigstore.dev", "majorApiVersion": 1, "validFor": { "start": "" }, "operator": "sigstore.dev" } ], "rekorTlogConfig": { "selector": "EXACT", "count": 2 }, "tsaUrls": [ { "url": "https://oauth2.sigstore.dev/auth", "majorApiVersion": 1, "validFor": { "start": "" }, "operator": "sigstore.dev" } ], "tsaConfig": { "selector": "ANY" } } ``` -------------------------------- ### Setting up and Querying Rekor v2 via gRPC Source: https://github.com/sigstore/rekor-tiles/blob/main/CLIENTS.md This section outlines how to interact with Rekor v2 using gRPC. It includes installing the `grpcurl` tool, listing available gRPC methods on the server, and making a `CreateEntry` call with a payload similar to the HTTP POST request. ```bash brew install grpcurl grpcurl -plaintext localhost:3001 list dev.sigstore.rekor.v2.Rekor grpcurl -d "{ \"hashed_rekord_request_v002\":{ \"digest\":\"$(cat artifact_dgst|base64)\", \"signature\":{ \"content\": \"$(cat artifact.sig | base64)\", \"verifier\": { \"key_details\": \"PKIX_ECDSA_P256_SHA_256\", \"public_key\": { \"raw_bytes\": \"$(openssl base64 -d -in ec_public.pem | base64)\" } } } } }" -plaintext localhost:3001 dev.sigstore.rekor.v2.Rekor.CreateEntry > rekor_response cat rekor_response | jq . ``` -------------------------------- ### Rekor Certificate Verifier Example Source: https://context7.com/sigstore/rekor-tiles/llms.txt This JSON example demonstrates how to configure a certificate verifier for Rekor. It includes a hashed Rekord request with a digest, signature, and verifier details, specifying the key type for verification. This structure is used when submitting or verifying artifact signatures. ```json { "hashedRekordRequestV002": { "digest": "", "signature": { "content": "", "verifier": { "x509Certificate": { "rawBytes": "" }, "keyDetails": "PKIX_ECDSA_P256_SHA_256" } } } } ``` -------------------------------- ### Create Entry via gRPC API Source: https://context7.com/sigstore/rekor-tiles/llms.txt This snippet outlines the process of creating a log entry using Rekor v2's gRPC API. It requires installing the `grpcurl` tool for interacting with the gRPC service. The Rekor service provides methods like `CreateEntry`, `GetTile`, `GetEntryBundle`, and `GetCheckpoint`. ```bash # Install grpcurl brew install grpcurl ``` -------------------------------- ### REST API: Get Tile Source: https://context7.com/sigstore/rekor-tiles/llms.txt Retrieves a Merkle tree tile at a specified level and index. Tiles contain 256 hashes and are used to compute inclusion and consistency proofs for log entries. ```APIDOC ## GET /api/v2/tile/{L}/x{NNN}/x{NNN}/{NNN}.p/{W} ### Description Retrieves a Merkle tree tile at a specified level and index. Tiles contain 256 hashes and are used to compute inclusion and consistency proofs for log entries. ### Method GET ### Endpoint /api/v2/tile/{L}/x{NNN}/x{NNN}/{NNN}.p/{W} ### Parameters #### Path Parameters - **L** (integer) - Required - The level of the tile. - **NNN** (string) - Required - The index of the tile (zero-padded hexadecimal). - **NNN.p** (string) - Optional - Indicates a partial tile. - **W** (integer) - Optional - The witness ID for consistency proofs. ### Request Example ```bash # Get full tile at level 0, index 0 curl http://localhost:3003/api/v2/tile/0/x000/000 # Get partial tile (last tile with fewer than 256 entries) curl http://localhost:3003/api/v2/tile/0/x000/001.p/42 ``` ### Response #### Success Response (200) - **Tile Data** (binary/json) - The requested Merkle tree tile data. The format depends on whether it's a full or partial tile. ``` -------------------------------- ### REST API: Get Entry Bundle Source: https://context7.com/sigstore/rekor-tiles/llms.txt Retrieves a bundle of log entries at the specified index. Entry bundles contain the raw canonicalized entries that can be parsed to extract signature and artifact information. ```APIDOC ## GET /api/v2/tile/entries/x{NNN}/x{NNN}/{NNN}.p/{W} ### Description Retrieves a bundle of log entries at the specified index. Entry bundles contain the raw canonicalized entries that can be parsed to extract signature and artifact information. ### Method GET ### Endpoint /api/v2/tile/entries/x{NNN}/x{NNN}/{NNN}.p/{W} ### Parameters #### Path Parameters - **NNN** (string) - Required - The index of the entry bundle (zero-padded hexadecimal). - **NNN.p** (string) - Optional - Indicates a partial entry bundle. - **W** (integer) - Optional - The witness ID for consistency proofs. ### Request Example ```bash # Get entry bundle at index 0 curl http://localhost:3003/api/v2/tile/entries/x000/000 # Get partial entry bundle curl http://localhost:3003/api/v2/tile/entries/x000/001.p/42 ``` ### Response #### Success Response (200) - **Entry Bundle** (string) - A newline-delimited JSON string containing the raw canonicalized log entries. ``` -------------------------------- ### Get Entry Bundle via REST API Source: https://context7.com/sigstore/rekor-tiles/llms.txt This snippet illustrates how to retrieve bundles of log entries from Rekor v2 via the REST API. Entry bundles contain the raw canonicalized entries, which can be parsed to extract signature and artifact details. It shows how to fetch full and partial bundles. ```bash # Get entry bundle at index 0 curl http://localhost:3003/api/v2/tile/entries/x000/000 # Get partial entry bundle curl http://localhost:3003/api/v2/tile/entries/x000/001.p/42 # Parse entries from bundle (entries are newline-delimited JSON) ``` -------------------------------- ### Rekor v2 Signing Config Entry Source: https://github.com/sigstore/rekor-tiles/blob/main/README.md Example of a Rekor v2 instance configuration to be added to a signing config. This JSON object specifies the URL, API version, validity period, and operator for a Rekor v2 log shard. It is intended to be used as a base for constructing custom signing configurations. ```json { "url": "https://log2025-1.rekor.sigstore.dev", "majorApiVersion": 2, "validFor": { "start": "2025-10-06T00:00:00Z" }, "operator": "sigstore.dev" } ``` -------------------------------- ### Create Encrypted Tink Keyset with Go Source: https://github.com/sigstore/rekor-tiles/blob/main/SHARDING.md This Go command uses the create-tink-keyset tool to generate an encrypted Tink keyset for signing checkpoints. It requires specifying the log origin, key template, output file for the encrypted keyset, the KMS URI for key encryption, and output files for the public key and key ID. ```Go go run ./cmd/create-tink-keyset \ --origin \ --key-template ED25519 \ --out enc-keyset.cfg \ --key-encryption-key-uri gcp-kms://projects//locations//keyRings//cryptoKeys/checkpoint-signer-key-encryption-key \ --public-key-out public.b64 \ --key-id-out keyid.b64 ``` ```Go go run ./cmd/create-tink-keyset \ --origin log2026-1.rekor.sigstore.dev \ --key-template ED25519 \ --out enc-keyset.cfg \ --key-encryption-key-uri gcp-kms://projects/projectsigstore-staging/locations/global/keyRings/log2026-1-rekor-tiles-keyring/cryptoKeys/checkpoint-signer-key-encryption-key \ --public-key-out public.b64 \ --key-id-out keyid.b64 ``` -------------------------------- ### Get Container Image Digest Source: https://github.com/sigstore/rekor-tiles/blob/main/RELEASE.md This command retrieves the digest of a specific container image tag from a container registry. This digest is crucial for ensuring the immutability of the deployed image in the Helm chart. ```shell crane digest ghcr.io/sigstore/rekor-tiles:v1.2.3 # Specify version ``` -------------------------------- ### Rekor v2 API Request Bodies (JSON) Source: https://github.com/sigstore/rekor-tiles/blob/main/CLIENTS.md Examples of JSON request bodies for submitting entries to the Rekor v2 API. Supports Fulcio certificates, self-managed keys, and DSSE attestations. ```json { "hashedRekordRequestV002": { "digest": "", "signature": { "content": "", "verifier": { "x509Certificate": { "rawBytes": "" }, "keyDetails": "PKIX_ECDSA_P256_SHA_256" } } } } ``` ```json { "hashedRekordRequestV002": { "digest": "", "signature": { "content": "", "verifier": { "publicKey": { "rawBytes": "" }, "keyDetails": "PKIX_ECDSA_P256_SHA_256" } } } } ``` ```json { "dsseRequestV002": { "envelope": { "payload": "", "payloadType": "", "signatures": [ { "sig": "", "keyid": "" } ] }, "verifier": { "x509Certificate": { "rawBytes": "" }, "keyDetails": "PKIX_ECDSA_P256_SHA_256" } } } ``` ```json { "dsseRequestV002": { "envelope": { "payload": "", "payloadType": "", "signatures": [ { "sig": "", "keyid": "" } ] }, "verifier": { "publicKey": { "rawBytes": "" }, "keyDetails": "PKIX_ECDSA_P256_SHA_256" } } } ``` -------------------------------- ### Rekor v2 Canonicalized Body Formats (JSON) Source: https://github.com/sigstore/rekor-tiles/blob/main/CLIENTS.md Examples of the canonicalized body formats for HashedRekord and DSSE entries stored in Rekor v2. Clients must use 'kind' and 'apiVersion' to parse the 'spec'. ```json { "apiVersion": "0.0.2", "kind": "hashedrekord", "spec": { "hashedRekordV002": { "data": { "algorithm": "", "digest": "" }, "signature": { "content": "" } } } } } } ``` ```json { "apiVersion": "0.0.2", "kind": "dsse", "spec": { "dsseV002": { "data": { "algorithm": "SHA2_256", "digest": "" }, "signatures": [ { "content": "" } } } ] } } } ``` -------------------------------- ### List Available Rekor Methods via gRPC Source: https://context7.com/sigstore/rekor-tiles/llms.txt Lists all available methods for the Rekor gRPC service. This command helps in understanding the API surface of the Rekor service. ```bash grpcurl -plaintext localhost:3001 list dev.sigstore.rekor.v2.Rekor ``` -------------------------------- ### Go Client: Write Client Source: https://context7.com/sigstore/rekor-tiles/llms.txt This Go client allows you to upload entries to the transparency log and retrieve the TransparencyLogEntry with its inclusion proof. It demonstrates how to set up the client, generate keys, sign an artifact, and add the entry. ```APIDOC ## Go Client: Write Client ### Description The write client uploads entries to the transparency log and returns the TransparencyLogEntry with inclusion proof. ### Method Go program using `github.com/sigstore/rekor-tiles/v2/pkg/client/write` ### Endpoint `http://localhost:3003` (configurable) ### Request Body Example ```go // Example of the request object structure request := &pb.HashedRekordRequestV002{ Digest: digest[:], Signature: &pb.Signature{ Content: sig, Verifier: &pb.Verifier{ Verifier: &pb.Verifier_PublicKey{ PublicKey: &pb.PublicKey{RawBytes: pubKeyBytes}, }, KeyDetails: v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256, }, }, } ``` ### Response Example (Success Response - 200 OK) ```go // The returned TransparencyLogEntry contains details about the added entry. tle, err := writer.Add(ctx, request) log.Printf("Entry added at index: %d", tle.LogIndex) log.Printf("Log ID: %x", tle.LogId.KeyId) log.Printf("Kind: %s v%s", tle.KindVersion.Kind, tle.KindVersion.Version) ``` ### Code Snippet ```go package main import ( "context" "crypto/ecdsa" "crypto/elliptic" "crypto/rand" "crypto/sha256" "crypto/x509" "log" v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" "github.com/sigstore/rekor-tiles/v2/pkg/client/write" pb "github.com/sigstore/rekor-tiles/v2/pkg/generated/protobuf" ) func main() { ctx := context.Background() // Create write client writer, err := write.NewWriter("http://localhost:3003") if err != nil { log.Fatal(err) } // Generate key pair privKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) pubKeyBytes, _ := x509.MarshalPKIXPublicKey(privKey.Public()) // Create artifact digest and signature artifact := []byte("my-artifact-content") digest := sha256.Sum256(artifact) sig, _ := ecdsa.SignASN1(rand.Reader, privKey, digest[:]) // Build HashedRekord request request := &pb.HashedRekordRequestV002{ Digest: digest[:], Signature: &pb.Signature{ Content: sig, Verifier: &pb.Verifier{ Verifier: &pb.Verifier_PublicKey{ PublicKey: &pb.PublicKey{RawBytes: pubKeyBytes}, }, KeyDetails: v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256, }, }, } // Add entry to log tle, err := writer.Add(ctx, request) if err != nil { log.Fatal(err) } log.Printf("Entry added at index: %d", tle.LogIndex) log.Printf("Log ID: %x", tle.LogId.KeyId) log.Printf("Kind: %s v%s", tle.KindVersion.Kind, tle.KindVersion.Version) } ``` ``` -------------------------------- ### Go Client: Read Client Source: https://context7.com/sigstore/rekor-tiles/llms.txt This Go client enables fetching checkpoints, tiles, and entry bundles from Rekor for verification and monitoring purposes. It shows how to load a public key, initialize the reader, and retrieve various log data. ```APIDOC ## Go Client: Read Client ### Description The read client fetches checkpoints, tiles, and entry bundles for verification and monitoring. ### Method Go program using `github.com/sigstore/rekor-tiles/v2/pkg/client/read` ### Endpoint `http://localhost:8000` (tile storage URL), `rekor-local` (log origin) ### Parameters #### Query Parameters - **tile storage URL** (string) - Required - The URL where tiles are stored. - **log origin** (string) - Required - The identifier for the log. - **verifier** (*signature.Verifier) - Required - The verifier used for checkpoint validation. ### Response Example (Success Response - 200 OK) ```go // Reading checkpoint checkpoint, note, err := reader.ReadCheckpoint(ctx) log.Printf("Tree size: %d", checkpoint.Size) log.Printf("Root hash: %x", checkpoint.Hash) // Reading tile tileData, err := reader.ReadTile(ctx, 0, 0, 0) log.Printf("Tile size: %d bytes", len(tileData)) // Reading entry bundle entryBundle, err := reader.ReadEntryBundle(ctx, 0, 0) log.Printf("Entry bundle: %s", string(entryBundle)) ``` ### Code Snippet ```go package main import ( "context" "log" "github.com/sigstore/rekor-tiles/v2/pkg/client/read" "github.com/sigstore/sigstore/pkg/signature" "go.step.sm/crypto/pemutil" ) func main() { ctx := context.Background() // Load log's public key for checkpoint verification pubKey, _ := pemutil.Read("path/to/log-public-key.pem") verifier, _ := signature.LoadDefaultVerifier(pubKey) // Create read client reader, err := read.NewReader( "http://localhost:8000", // tile storage URL "rekor-local", // log origin verifier, ) if err != nil { log.Fatal(err) } // Read current checkpoint checkpoint, note, err := reader.ReadCheckpoint(ctx) if err != nil { log.Fatal(err) } log.Printf("Tree size: %d", checkpoint.Size) log.Printf("Root hash: %x", checkpoint.Hash) // Read tile at level 0, index 0 (full tile) tileData, err := reader.ReadTile(ctx, 0, 0, 0) if err != nil { log.Fatal(err) } log.Printf("Tile size: %d bytes", len(tileData)) // Read entry bundle entryBundle, err := reader.ReadEntryBundle(ctx, 0, 0) if err != nil { log.Fatal(err) } log.Printf("Entry bundle: %s", string(entryBundle)) } ``` ``` -------------------------------- ### REST API: Get Checkpoint Source: https://context7.com/sigstore/rekor-tiles/llms.txt Retrieves the current signed checkpoint from the log. The checkpoint contains the tree size, root hash, and cryptographic signature following the C2SP checkpoint specification, enabling offline verification. ```APIDOC ## GET /api/v2/checkpoint ### Description Retrieves the current signed checkpoint from the log. The checkpoint contains the tree size, root hash, and cryptographic signature following the C2SP checkpoint specification, enabling offline verification. ### Method GET ### Endpoint /api/v2/checkpoint ### Parameters None ### Response #### Success Response (200) - **Checkpoint Data** (string) - A signed note in C2SP format containing tree information and signature. #### Response Example ``` rekor-local 1234 — rekor-local ``` ``` -------------------------------- ### Generate Key ID from Public Key using Go Playground Source: https://github.com/sigstore/rekor-tiles/blob/main/SHARDING.md Provides a link to a Go Playground script that can be used to generate a key ID from a given public key. This is useful if the log's checkpoint key ID is not readily available. ```go https://go.dev/play/p/oiE6LjeqLnj ``` -------------------------------- ### Go Client: Read Checkpoints, Tiles, and Entry Bundles Source: https://context7.com/sigstore/rekor-tiles/llms.txt Provides a Go client for fetching checkpoints, tiles, and entry bundles from the Rekor log, essential for verification and monitoring. It requires loading the log's public key for checkpoint verification. ```go package main import ( "context" "log" "github.com/sigstore/rekor-tiles/v2/pkg/client/read" "github.com/sigstore/sigstore/pkg/signature" "go.step.sm/crypto/pemutil" ) func main() { ctx := context.Background() // Load log's public key for checkpoint verification pubKey, _ := pemutil.Read("path/to/log-public-key.pem") verifier, _ := signature.LoadDefaultVerifier(pubKey) // Create read client reader, err := read.NewReader( "http://localhost:8000", // tile storage URL "rekor-local", // log origin verifier, ) if err != nil { log.Fatal(err) } // Read current checkpoint checkpoint, note, err := reader.ReadCheckpoint(ctx) if err != nil { log.Fatal(err) } log.Printf("Tree size: %d", checkpoint.Size) log.Printf("Root hash: %x", checkpoint.Hash) // Read tile at level 0, index 0 (full tile) tileData, err := reader.ReadTile(ctx, 0, 0, 0) if err != nil { log.Fatal(err) } log.Printf("Tile size: %d bytes", len(tileData)) // Read entry bundle entryBundle, err := reader.ReadEntryBundle(ctx, 0, 0) if err != nil { log.Fatal(err) } log.Printf("Entry bundle: %s", string(entryBundle)) } ``` -------------------------------- ### Get Checkpoint via REST API Source: https://context7.com/sigstore/rekor-tiles/llms.txt This snippet demonstrates how to retrieve the current signed checkpoint from the Rekor v2 log using the REST API. The checkpoint adheres to the C2SP specification and includes the tree size, root hash, and a cryptographic signature, enabling offline verification. ```bash # Get current checkpoint curl http://localhost:3003/api/v2/checkpoint # Response is a signed note in C2SP format: # rekor-local # 1234 # # # — rekor-local ``` -------------------------------- ### Run Rekor v2 Unit Tests Source: https://github.com/sigstore/rekor-tiles/blob/main/README.md Command to execute all unit tests for the Rekor v2 project using Go. This is part of the local development workflow for ensuring code quality. ```bash go test ./... ``` -------------------------------- ### Create and Push Git Tag for Release Source: https://github.com/sigstore/rekor-tiles/blob/main/RELEASE.md This snippet demonstrates how to create a signed git tag locally and push it to the upstream repository. This action triggers automated release and container build workflows. Ensure you have the latest changes from 'main' before tagging. ```shell git pull upstream main export RELEASE_TAG=v1.2.3 # Specify version git tag -s ${RELEASE_TAG} -m "${RELEASE_TAG}" git push upstream ${RELEASE_TAG} ``` -------------------------------- ### Run End-to-End Tests for POSIX Binary Source: https://github.com/sigstore/rekor-tiles/blob/main/tests/README.md Executes the end-to-end tests for the POSIX binary using Go. The `-v` flag enables verbose output, `-tags=e2e` selects tests with the 'e2e' tag, and `-run TestPOSIX` specifies the test function to run within the './tests/' directory. ```go go test -v -tags=e2e -run TestPOSIX ./tests/ ``` -------------------------------- ### Get Tile via REST API Source: https://context7.com/sigstore/rekor-tiles/llms.txt This snippet shows how to fetch Merkle tree tiles from Rekor v2 using the REST API. Tiles contain 256 hashes and are essential for constructing inclusion and consistency proofs. It covers retrieving full tiles and partial tiles, specifying level and index. ```bash # Get full tile at level 0, index 0 curl http://localhost:3003/api/v2/tile/0/x000/000 # Get partial tile (last tile with fewer than 256 entries) # Format: /api/v2/tile/{L}/x{NNN}/x{NNN}/{NNN}.p/{W} curl http://localhost:3003/api/v2/tile/0/x000/001.p/42 ``` -------------------------------- ### Create PKCS#12 Archive from TLS Certificate and Key Source: https://github.com/sigstore/rekor-tiles/blob/main/SHARDING.md Merges a generated TLS private key and certificate into a PKCS#12 archive. This format is often used for distributing or storing cryptographic objects, including private keys and certificates, in a single password-protected file. The archive is created without a password. ```bash openssl pkcs12 -passout "pass:" -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 -out rekor-grpc.p12 -inkey rekor-grpc.key -in rekor-grpc.crt ``` -------------------------------- ### Rekor gRPC - Create HashedRekord Entry Source: https://context7.com/sigstore/rekor-tiles/llms.txt This section details how to create a HashedRekord entry in Rekor using the gRPC interface. It includes the command to list available methods and the command to create an entry with a digest and signature. ```APIDOC ## List Available Methods ### Description Lists the available methods for the Rekor gRPC service. ### Method `grpcurl` (gRPC client utility) ### Endpoint `localhost:3001` ### Command ```bash grpcurl -plaintext localhost:3001 list dev.sigstore.rekor.v2.Rekor ``` ## Rekor gRPC - Create HashedRekord Entry ### Description Creates a HashedRekord entry in the Rekor transparency log via gRPC. This requires the artifact's digest and signature, along with public key details. ### Method `grpcurl` (gRPC client utility) ### Endpoint `localhost:3001/dev.sigstore.rekor.v2.Rekor/CreateEntry` ### Request Body Example ```json { "hashed_rekord_request_v002": { "digest": "$(cat artifact_dgst | base64)", "signature": { "content": "$(cat artifact.sig | base64)", "verifier": { "key_details": "PKIX_ECDSA_P256_SHA_256", "public_key": { "raw_bytes": "$(openssl base64 -d -in ec_public.pem | base64)" } } } } } ``` ### Command ```bash grpcurl -plaintext localhost:3001 dev.sigstore.rekor.v2.Rekor.CreateEntry \ -d "{ \"hashed_rekord_request_v002\": { \"digest\": \"$(cat artifact_dgst | base64)\", \"signature\": { \"content\": \"$(cat artifact.sig | base64)\", \"verifier\": { \"key_details\": \"PKIX_ECDSA_P256_SHA_256\", \"public_key\": { \"raw_bytes\": \"$(openssl base64 -d -in ec_public.pem | base64)\" } } } } } }" ``` ``` -------------------------------- ### Run Rekor k6 Load Test Source: https://github.com/sigstore/rekor-tiles/blob/main/tests/loadtest/README.md Executes the k6 load test script for Rekor. Navigate to the 'tests/loadtest' directory before running this command. The script targets the Rekor write endpoint. ```bash k6 run k6_rekor_load_test.js ``` -------------------------------- ### Run End-to-End Tests for GCP Binary Source: https://github.com/sigstore/rekor-tiles/blob/main/tests/README.md Executes the end-to-end tests for the GCP binary using Go. The `-v` flag enables verbose output, `-tags=e2e` selects tests with the 'e2e' tag, and `-run TestGCP` specifies the test function to run within the './tests/' directory. ```go go test -v -tags=e2e -run TestGCP ./tests/ ``` -------------------------------- ### gRPC API: Rekor Service Methods Source: https://context7.com/sigstore/rekor-tiles/llms.txt The Rekor v2 gRPC API provides methods for interacting with the transparency log. It supports creating entries, retrieving tiles, entry bundles, and checkpoints using the `dev.sigstore.rekor.v2.Rekor` service. ```APIDOC ## gRPC API: dev.sigstore.rekor.v2.Rekor ### Description Provides gRPC methods for interacting with the Rekor v2 transparency log. Supports `CreateEntry`, `GetTile`, `GetEntryBundle`, and `GetCheckpoint` operations. ### Methods - **CreateEntry**: Creates a new log entry. - **GetTile**: Retrieves a Merkle tree tile. - **GetEntryBundle**: Retrieves a bundle of log entries. - **GetCheckpoint**: Retrieves the current signed checkpoint. ### Request Example (using grpcurl) ```bash # Install grpcurl brew install grpcurl # Example: Call CreateEntry (requires proto definitions) # grpcurl -plaintext localhost:3003 dev.sigstore.rekor.v2.Rekor/CreateEntry ``` ### Response Responses vary based on the method called, typically returning structured protobuf messages corresponding to log entries, tiles, or checkpoints. ``` -------------------------------- ### Go Client: Write HashedRekord Entry Source: https://context7.com/sigstore/rekor-tiles/llms.txt Implements a Go client to upload entries to the Rekor transparency log and retrieve the TransparencyLogEntry with its inclusion proof. It handles key generation, artifact signing, and constructing the HashedRekord request. ```go package main import ( "context" "crypto/ecdsa" "crypto/elliptic" "crypto/rand" "crypto/sha256" "crypto/x509" "log" v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" "github.com/sigstore/rekor-tiles/v2/pkg/client/write" pb "github.com/sigstore/rekor-tiles/v2/pkg/generated/protobuf" ) func main() { ctx := context.Background() // Create write client writer, err := write.NewWriter("http://localhost:3003") if err != nil { log.Fatal(err) } // Generate key pair privKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) pubKeyBytes, _ := x509.MarshalPKIXPublicKey(privKey.Public()) // Create artifact digest and signature artifact := []byte("my-artifact-content") digest := sha256.Sum256(artifact) sig, _ := ecdsa.SignASN1(rand.Reader, privKey, digest[:]) // Build HashedRekord request request := &pb.HashedRekordRequestV002{ Digest: digest[:], Signature: &pb.Signature{ Content: sig, Verifier: &pb.Verifier{ Verifier: &pb.Verifier_PublicKey{ PublicKey: &pb.PublicKey{RawBytes: pubKeyBytes}, }, KeyDetails: v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256, }, }, } // Add entry to log tle, err := writer.Add(ctx, request) if err != nil { log.Fatal(err) } log.Printf("Entry added at index: %d", tle.LogIndex) log.Printf("Log ID: %x", tle.LogId.KeyId) log.Printf("Kind: %s v%s", tle.KindVersion.Kind, tle.KindVersion.Version) } ```