### Terraform Setup Source: https://github.com/sigstore/rekor/blob/main/scripts/performance/index-storage/README.md Use terraform to set up the services in GCP. ```bash cd terraform terraform init terraform plan terraform apply ``` -------------------------------- ### Squash Commits Example Source: https://github.com/sigstore/rekor/blob/main/CONTRIBUTORS.md Example of interactive rebase to squash commits. ```git git rebase -i HEAD~3 ``` -------------------------------- ### TUF Repository Structure Source: https://github.com/sigstore/rekor/blob/main/types.md Example output of the 'tree' command showing the structure of a TUF repository after initialization and commits. ```bash $ tree . . ├── keys │ ├── snapshot.json │ ├── targets.json │ └── timestamp.json ├── repository │ ├── root.json │ ├── snapshot.json │ ├── targets │ │ └── foo │ │ └── bar │ │ └── baz.txt │ ├── targets.json │ └── timestamp.json └── staged ``` -------------------------------- ### SSH Public Key Example Source: https://github.com/sigstore/rekor/blob/main/pkg/pki/ssh/README.md An example of an SSH public key in the 'known hosts' format. ```text ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDw0ZWP4zZLELSJVenQTQsrFJVBnoP64KTg/UWRU6qOb8HEOdtHJDOyTmo9dvN/yJoTFtWAfQEjaTsMVJzTD0gOk6ncTsp0BUtgXawSCfEUiv7v+2VgSVbUfAv/NL+HEGSCdcORnansIyrZaHwAjR3ei3O+pRWvgjRj3pOH1rWGrxaC5IbsELYzS/HvwAG/uwcxgBv4POvaq6eCEHVbqRjIYjjoYsC+c24sgSQxOyXvDS7j2z9TPHPvepDhVr9y6xnnqhLqZEWmidRrbb35aYkVLJxmGTFy/JW1cewyU2Jb3+sKQOiOwL7DAB39tRyec2ed+EHh6QLW4pcMnoXsWuPyi+G595HiUYmIlqXJ5JPo0Cv/rOJrmWSFceWiDjC/SeODp/AcK0EsN/p3wOp6ac7EzAz9Npri0vwSQX4MUYlya/olKiKCx5GIhTZtXioREPd8v4osx2VrVyDxKX99PVVbxw1FXSe4u+PuOawJzUA4vW41mxUY9zoAsb/fvoNPtrrT9HfC+7Pg6ryBdz+445M8Atc8YjjLeYXkTXWD6KMielRzBFFoIwIgi0bMotq3iQ9IwjQSXPMDQLb+UPg8xqsgRsX3wvyZzdBhxO4Bdomv7JYmySysaGgliHktU8qRse1lpDIXMovPtowywcKL4U3seDKrq7saVO0qdsLavy1o0w== lorenc.d@gmail.com ``` -------------------------------- ### Example Commit Message Source: https://github.com/sigstore/rekor/blob/main/CONTRIBUTORS.md An example of a well-formed Git commit message, including a summary, detailed explanation, and issue references. ```git Summarize changes in around 50 characters or less More detailed explanatory text, if necessary. Wrap it to about 72 characters or so. In some contexts, the first line is treated as the subject of the commit and the rest of the text as the body. The blank line separating the summary from the body is critical (unless you omit the body entirely); various tools like `log`, `shortlog` and `rebase` can get confused if you run the two together. Explain the problem that this commit is solving. Focus on why you are making this change as opposed to how (the code explains that). Are there side effects or other unintuitive consequences of this change? Here's the place to explain them. Further paragraphs come after blank lines. - Bullet points are okay, too - Typically a hyphen or asterisk is used for the bullet, preceded by a single space, with blank lines in between, but conventions vary here If you use an issue tracker, put references to them at the bottom, like this: Resolves: #123 See also: #456, #789 ``` -------------------------------- ### Get SSH Rekor Entry Source: https://github.com/sigstore/rekor/blob/main/types.md Retrieve a Rekor entry for an SSH signature. ```console $ rekor-cli get --uuid=0e81b4d9299e2609e45b5c453a4c0e7820ac74e02c4935a8b830d104632fd2d1 LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d Index: 5896 IntegratedTime: 2021-07-14T01:45:06Z UUID: 0e81b4d9299e2609e45b5c453a4c0e7820ac74e02c4935a8b830d104632fd2d1 Body: { "RekordObj": { "data": { "hash": { "algorithm": "sha256", "value": "3d80236772ca7c5405e398a4d685e715859260a8733070b86de7322e233c68d2" } }, "signature": { "content": "LS0tLS1CRUdJTiBTU0ggU0lHTkFUVVJFLS0tLS0KVTFOSVUwbEhBQUFBQVFBQUFETUFBQUFMYzNOb0xXVmtNalUxTVRrQUFBQWdqNnhOWHFWdFJQb2JOaHg5TXNnbQp4Q2lYMlo3VFh5QXcyRHZpN0k1Nzdia0FBQUFFWm1sc1pRQUFBQUFBQUFBR2MyaGhOVEV5QUFBQVV3QUFBQXR6CmMyZ3RaV1F5TlRVeE9RQUFBRUM1N2xCUGtjWlF2K2RDOG1HMEd4ajZoeUVXOUtPZVVtN21WdFVicURSTDdramoKS1pTakYxaVFVcWVpUVQ4Z2ZKbGVyZVhhUmVMamZoR2FUN0llRENrRQotLS0tLUVORCBTU0ggU0lHTkFUVVJFLS0tLS0K", "format": "ssh", "publicKey": { "content": "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUkrc1RWNmxiVVQ2R3pZY2ZUTElKc1FvbDltZTAxOGdNTmc3NHV5T2UrMjUK" } } } } ``` -------------------------------- ### Get Minisign Rekor Entry Source: https://github.com/sigstore/rekor/blob/main/types.md Retrieve a Rekor entry for a minisign signature. ```console $ ./rekor-cli get --uuid=008bfbbaa8f473a0b17cba5f8078d2c08410bca55f01d2ec71860795ef823b36 LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d Index: 5895 IntegratedTime: 2021-07-14T01:39:50Z UUID: 008bfbbaa8f473a0b17cba5f8078d2c08410bca55f01d2ec71860795ef823b36 Body: { "RekordObj": { "data": { "hash": { "algorithm": "sha256", "value": "3d80236772ca7c5405e398a4d685e715859260a8733070b86de7322e233c68d2" } }, "signature": { "content": "dW50cnVzdGVkIGNvbW1lbnQ6ClJXU3pRSTcrUzZNMGMrNUcxbVZzcmw2dmgvYi91VjlxclJySWpxd21abDFKYjZhTGJ2U1NWUzdObDNvUmpVTUdHUWpLVlEyd2JnMnJxNDZxdDdPTHE3L1c3Z2liMlo5Rzh3az0=", "format": "minisign", "publicKey": { "content": "akpGNDdCd05uYWw2MHZ5a0JteXMxK1IzS3F2Ulh1UDhjWnArbU4wcGxDWT0=" } } } } ``` -------------------------------- ### Get list of pull requests since last release Source: https://github.com/sigstore/rekor/blob/main/release/README.md Command to list pull requests merged since a specified date. ```shell git log --pretty="* %s" --after="YYYY-MM-DD" ``` -------------------------------- ### Get list of authors since last release Source: https://github.com/sigstore/rekor/blob/main/release/README.md Command to list unique authors of merged pull requests since a specified date. ```shell git log --pretty="* %an" --after="YYYY-MM-DD" | sort -u ``` -------------------------------- ### TUF Repository Initialization and Key Generation Source: https://github.com/sigstore/rekor/blob/main/types.md Commands to initialize a TUF repository and generate necessary keys using the go-tuf implementation. ```bash $ tuf init $ tuf gen-key root $ tuf gen-key targets $ tuf gen-key snapshot $ tuf gen-key timestamp $ tuf add path/to/some/target.txt $ tuf snapshot $ tuf timestamp $ tuf commit ``` -------------------------------- ### Minisign Keypair Generation Source: https://github.com/sigstore/rekor/blob/main/types.md Create a keypair with minisign. ```console $ minisign -G Please enter a password to protect the secret key. Password: Password (one more time): Deriving a key from the password in order to encrypt the secret key... done The secret key was saved as /Users/dlorenc/.minisign/minisign.key - Keep it secret! The public key was saved as minisign.pub - That one can be public. Files signed using this key pair can be verified with the following command: minisign -Vm -P RWSzQI7+S6M0c4yReOwcDZ2petL8pAZsrNfkdyqr0V7j/HGafpjdKZQm ``` -------------------------------- ### PKIX/X509 Keypair Generation and Signing Source: https://github.com/sigstore/rekor/blob/main/types.md Commands to generate an EC keypair using openssl, sign a file, and upload the artifact to Rekor. ```bash $ openssl ecparam -genkey -name prime256v1 > ec_private.pem $ openssl ec -in ec_private.pem -pubout > ec_public.pem read EC key writing EC key ``` ```bash $ openssl dgst -sha256 -sign ec_private.pem -out README.md.sig README.md ``` ```bash $ ./rekor-cli upload --artifact README.md --signature README.md.sig --pki-format=x509 --public-key=ec_public.pem Created entry at index 5897, available at: https://rekor.sigstore.dev/api/v1/log/entries/31a51c1bc20da83b66b2f24899184b85dbf8261c2de8571479165619ad87cd5d ``` ```bash $ rekor-cli get --uuid=31a51c1bc20da83b66b2f24899184b85dbf8261c2de8571479165619ad87cd5d LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d Index: 5897 IntegratedTime: 2021-07-14T01:49:54Z UUID: 31a51c1bc20da83b66b2f24899184b85dbf8261c2de8571479165619ad87cd5d Body: { "RekordObj": { "data": { "hash": { "algorithm": "sha256", "value": "3d80236772ca7c5405e398a4d685e715859260a8733070b86de7322e233c68d2" } }, "signature": { "content": "MEUCICwZpVU/3fnWSZkejA8R2j/t5futtl5Co3CDj7k6J6PwAiEA75Cn2txgpg/KjsOitSKsydL3D6cQIf7NQJtsmvsRTRQ=", "format": "x509", "publicKey": { "content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFYzJKUkJZbS9OQVo5ZHhhUnNWV05mdTcxV3B5TAo2cGx4L1hsZnNVTlM2SmcrWEhEVmpsaVNBNHV2ZEQ4ZW5XdUhNdWQybS9WdEVQaDZYT0M3bjR0aCtnPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" } } } } ``` -------------------------------- ### Generate Keypair Source: https://github.com/sigstore/rekor/blob/main/types.md Generates an EC keypair using openssl. ```bash $ openssl ecparam -genkey -name prime256v1 > ec_private.pem $ openssl ec -in ec_private.pem -pubout > ec_public.pem read EC key writing EC key ``` -------------------------------- ### View the entry Source: https://github.com/sigstore/rekor/blob/main/types.md Retrieves and displays an entry from Rekor using its UUID. ```bash $ rekor-cli get --uuid=31a51c1bc20da83b66b2f24899184b85dbf8261c2de8571479165619ad87cd5d LogID: b3e217db795022552080ed8b22596131c63f3aa198e83450f3dba9e686633641 Index: 12 IntegratedTime: 2021-11-17T21:59:49Z UUID: 31a51c1bc20da83b66b2f24899184b85dbf8261c2de8571479165619ad87cd5d Body: { "HashedRekordObj": { "data": { "hash": { "algorithm": "sha256", "value": "9249e5dfa2ede1c5bd89c49bf9beaf3e9afda2d961dea7cda7f639210179cd16" } }, "signature": { "content": "MEQCIG9s7GVWH67OkeXPQvM/XAcLW7N0xiFZWez95uR+GlXyAiBW+DPRaYvgtpQglQLtqujwb+xQBd8I70Vk/2vDB+G3uQ==", "publicKey": { "content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFR0JPTVdDanViVTVldkJ0OGcxWTZTR1ZoZ29OVwpjY2lrbHlpTEJQajQ5Um40WVFhTjRJS0xySi9nQlROU2tOREdQbHFvNHVjTVg3L21PZmlBNkVHS09BPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" } } } } ``` -------------------------------- ### Sign the file Source: https://github.com/sigstore/rekor/blob/main/types.md Signs a file using the generated private key. ```bash $ openssl dgst -sha256 -sign ec_private.pem -out README.md.sig README.md ``` -------------------------------- ### RSA Key Generation and Signing Source: https://github.com/sigstore/rekor/blob/main/tests/client-algos-testdata/README.md Commands to generate RSA private and public keys, and then sign files using SHA256 and SHA512. ```bash openssl genrsa -out rsa_private.pem 2048 openssl rsa -in rsa_private.pem -pubout -out rsa_public.pem openssl dgst -sha256 -sign rsa_private.pem -out file1.rsa.sig file1 openssl dgst -sha512 -sign rsa_private.pem -out file2.rsa.sig file2 ``` -------------------------------- ### SSH Keypair Generation Source: https://github.com/sigstore/rekor/blob/main/types.md Generate an SSH keypair. ```console $ ssh-keygen -C test@rekor.dev -t ed25519 -f id_ed25519 Generating public/private ed25519 key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in id_ed25519. Your public key has been saved in id_ed25519.pub. The key fingerprint is: SHA256:73u0etmm2h7BehcLbjrwXqXe193k5R5Uz0Lnl83nTt4 test@rekor.dev The key's randomart image is: +--[ED25519 256]--+ | | | | | . o| | . . ==| | S + +oO| | .. o.=.==| | oo.B+o=B| | .oB=+o+X| | .BO=o.oE| +----[SHA256]-----+ ``` -------------------------------- ### Minisign File Signing Source: https://github.com/sigstore/rekor/blob/main/types.md Sign a file using minisign. ```console $ minisign -S -m README.md Password: Deriving a key from the password and decrypting the secret key... done ``` -------------------------------- ### Tag the repository for release Source: https://github.com/sigstore/rekor/blob/main/release/README.md Shell commands to set and push a release tag to the repository. ```shell export RELEASE_TAG= git tag -s ${RELEASE_TAG} -m "${RELEASE_TAG}" git push upstream ${RELEASE_TAG} ``` -------------------------------- ### Performance Test Script Execution Source: https://github.com/sigstore/rekor/blob/main/scripts/performance/index-storage/README.md Run this script from the bastion VM to perform performance tests. ```bash export INSERT_RUNS= # The number of inserts to perform and measure. This doesn't need to be terribly high. export SEARCH_ENTRIES= # The number of entries to upload to the database out of band to search against. This should be sufficiently high to represent a real database. export INDEX_BACKEND= # The index backend to test against export REGION= # The GCP region where the rekor services are deployed ./index-performance.sh ``` -------------------------------- ### Squash Instruction in Editor Source: https://github.com/sigstore/rekor/blob/main/CONTRIBUTORS.md How to mark commits for squashing in the interactive rebase editor. ```git pick eb36612 initial commit squash 9ac8968 second commit squash a760569 final commit ``` -------------------------------- ### ECDSA Key Generation and Signing Source: https://github.com/sigstore/rekor/blob/main/tests/client-algos-testdata/README.md Commands to generate ECDSA private and public keys, and then sign files using SHA256 and SHA512. ```bash openssl ecparam -name secp256k1 -genkey -noout -out ec_private.pem openssl ec -in ec_private.pem -pubout -out ec_public.pem openssl dgst -sha256 -sign ec_private.pem -out file1.ec.sig file1 openssl dgst -sha512 -sign ec_private.pem -out file2.ec.sig file2 ``` -------------------------------- ### Uploading TUF Manifest to Rekor Source: https://github.com/sigstore/rekor/blob/main/types.md Command to upload a TUF manifest (timestamp.json) to Rekor, using root.json as the public key. ```bash $ ./rekor-cli upload --artifact repository/timestamp.json --type tuf --public-key repository/root.json Created entry at index 0, available at: https://rekor.sigstore.dev/api/v1/log/entries/6ed8fa5e9f0aa31b6cdfd2cc6877692f5afba52edd7ff5774eebfb22228e8847 ``` -------------------------------- ### Upload to Rekor Source: https://github.com/sigstore/rekor/blob/main/types.md Uploads the signed file and associated information to Rekor using the rekor-cli. ```bash $ ./rekor-cli upload --type hashedrekord:0.0.1 --artifact-hash $(sha256sum README.md | awk '{print $1}') --signature README.md.sig --pki-format=x509 --public-key=ec_public.pem Created entry at index 12, available at: https://rekor.sigstore.dev/api/v1/log/entries/31a51c1bc20da83b66b2f24899184b85dbf8261c2de8571479165619ad87cd5d ``` -------------------------------- ### Upload Minisign Signature to Rekor Source: https://github.com/sigstore/rekor/blob/main/types.md Upload a minisign signed artifact to Rekor. ```console $ rekor-cli upload --artifact README.md --signature README.md.minisig --pki-format=minisign --public-key=minisign.pub Created entry at index 5895, available at: https://rekor.sigstore.dev/api/v1/log/entries/008bfbbaa8f473a0b17cba5f8078d2c08410bca55f01d2ec71860795ef823b36 ``` -------------------------------- ### SSH File Signing Source: https://github.com/sigstore/rekor/blob/main/types.md Sign a file using an SSH key. ```console $ ssh-keygen -Y sign -n file -f id_ed25519 README.md Enter passphrase: Signing file README.md Write signature to README.md.sig ``` -------------------------------- ### Viewing TUF Entry in Rekor Source: https://github.com/sigstore/rekor/blob/main/types.md Command to retrieve a TUF entry from Rekor using its UUID. ```bash $ rekor-cli get --uuid=31a51c1bc20da83b66b2f24899184b85dbf8261c2de8571479165619ad87cd5d LogID: 5c4ceffb024e0d0b50bb9e03bc308ce83a76353f1003f8e57a21c51f74cc1e0e Index: 0 IntegratedTime: 2021-08-13T19:17:33Z UUID: 6ed8fa5e9f0aa31b6cdfd2cc6877692f5afba52edd7ff5774eebfb22228e8847 Body: { "TufObj": { "manifest": { "expires": "2021-12-18 13:28:12.99008 -0600 CST", "signed": { "content": [...] }, "version": 1 }, "root": { "expires": "2021-12-18 13:28:12.99008 -0600 CST", "signed": { "content": [...] }, "version": 1 } } } ``` -------------------------------- ### ED25519 Key Generation Source: https://github.com/sigstore/rekor/blob/main/tests/client-algos-testdata/README.md Commands to generate ED25519 private and public keys. ```bash openssl genpkey -algorithm ed25519 -out ed25519_private.pem openssl pkey -in ed25519_private.pem -pubout -out ed25519_public.pem ``` -------------------------------- ### Upload SSH Signature to Rekor Source: https://github.com/sigstore/rekor/blob/main/types.md Upload an SSH signed artifact to Rekor. ```console $ rekor-cli upload --artifact README.md --signature README.md.sig --pki-format=ssh --public-key=id_ed25519.pub Created entry at index 5896, available at: https://rekor.sigstore.dev/api/v1/log/entries/0e81b4d9299e2609e45b5c453a4c0e7820ac74e02c4935a8b830d104632fd2d ``` -------------------------------- ### MessageWrapper Struct in Go Source: https://github.com/sigstore/rekor/blob/main/pkg/pki/ssh/README.md The Go struct definition for the message wrapper used before signing in SSH. ```go type MessageWrapper struct { Namespace string Reserved string HashAlgorithm string Hash string } ``` -------------------------------- ### WrappedSig Struct in Go Source: https://github.com/sigstore/rekor/blob/main/pkg/pki/ssh/README.md The Go struct definition for the signature wrapper used in SSH signatures. ```go type WrappedSig struct { MagicHeader [6]byte Version uint32 PublicKey string Namespace string Reserved string HashAlgorithm string Signature string } ``` -------------------------------- ### ED25519 Signature Source: https://github.com/sigstore/rekor/blob/main/tests/client-algos-testdata/README.md Command to sign a file using an ED25519 private key. ```bash openssl pkeyutl -sign -inkey ed25519_private.pem -rawin -in file1 -out file1.ed25519.sig ``` -------------------------------- ### Force Push Source: https://github.com/sigstore/rekor/blob/main/CONTRIBUTORS.md Command to force push changes after amending commits. ```git git push origin your-branch --force ``` -------------------------------- ### ED25519-PH Signature Source: https://github.com/sigstore/rekor/blob/main/tests/client-algos-testdata/README.md Command to sign a file using an ED25519-PH private key. ```bash openssl pkeyutl -sign -inkey ed25519_private.pem -rawin -in file1 -pkeyopt instance:ed25519ph -out file1.ed25519ph.sig ``` -------------------------------- ### Plotting Results Source: https://github.com/sigstore/rekor/blob/main/scripts/performance/index-storage/README.md Plot the results after running the performance tests. ```bash ./plot.sh ``` -------------------------------- ### Interactive Rebase Editor Content Source: https://github.com/sigstore/rekor/blob/main/CONTRIBUTORS.md Content shown in the text editor during an interactive rebase for squashing commits. ```git pick eb36612 initial commit pick 9ac8968 second commit pick a760569 final commit # Rebase eb1429f..a760569 onto eb1429f (3 commands) ``` -------------------------------- ### SSH Private Key Format Source: https://github.com/sigstore/rekor/blob/main/pkg/pki/ssh/README.md The format of SSH private keys, which are stored in an 'armored' PEM format. ```text -----BEGIN SSH PRIVATE KEY----- -----END SSH PRIVATE KEY----- ``` -------------------------------- ### Rekor Server Counter Update Source: https://github.com/sigstore/rekor/blob/main/pkg/generated/restapi/rekorHomePage.html JavaScript code to fetch and display the total number of items stored in the Rekor server, including active and inactive shards. It updates the count every 10 seconds. ```javascript const url = '/api/v1/log/'; function update() { fetch(url, {headers: {'Accept': 'application/json'}}).then((resp) => { resp.json().then((j) => { // Total across the active shard plus any inactive shards; otherwise // the page under-reports after a shard rotation. let count = Number(j.treeSize) || 0; if (Array.isArray(j.inactiveShards)) { for (const shard of j.inactiveShards) { count += Number(shard.treeSize) || 0; } } document.getElementById('count').innerText = count; }).catch(console.error); }).catch(console.error); } update(); // Update immediately on page load. setInterval(update, 10000); // Update the counter every 10 seconds. ``` -------------------------------- ### Amend Commit Message Source: https://github.com/sigstore/rekor/blob/main/CONTRIBUTORS.md Command to amend the commit message after squashing. ```git git commit --amend ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.