How to use the command rekor-cli (with examples)
Rekor-cli is the command-line client for Rekor, the Sigstore transparency log: an append-only, tamper-evident ledger (backed by a Merkle tree) of signing metadata generated within a software project’s supply chain. The tool lets you upload signed artifacts, retrieve log entries, and search the Rekor index. In this article, we will walk through each of these use cases with examples.
Use case 1: Upload an artifact to Rekor
Code:
rekor-cli upload --artifact path/to/file.ext --signature path/to/file.ext.sig --pki-format=x509 --public-key=path/to/key.pub
Motivation: Uploading to Rekor records a signature, the public key that verifies it, and the artifact's SHA-256 digest in a public, append-only log. Anyone who later obtains the artifact can check that this exact signature and key were committed to the log at a given time, which gives an auditable trail of artifacts and their signatures that the signer cannot silently revise.
Explanation:
--artifact path/to/file.ext
: Specifies the path to the artifact file. The client hashes the file locally; Rekor records the digest, not the file contents.
--signature path/to/file.ext.sig
: Specifies the path to the detached signature over the artifact.
--pki-format=x509
: Specifies the Public Key Infrastructure (PKI) format of the signature and key. x509 covers keys and certificates in PEM form; pgp, minisign and ssh are also accepted.
--public-key=path/to/key.pub
: Specifies the path to the public key used to verify the signature. Rekor checks the signature against this key and the artifact before admitting the entry, so a bad signature is rejected rather than logged.
Example Output: On success the command prints the log index of the new entry and the URL at which it can be fetched, in the form "Created entry at index N, available at https://<rekor-server>/api/v1/log/entries/<uuid>". Keep that UUID or index: it is what you pass to rekor-cli get later.
Use case 2: Get information regarding entries in the Transparency Log
Code:
rekor-cli get --uuid=0e81b4d9299e2609e45b5c453a4c0e7820ac74e02c4935a8b830d104632fd2d1
Motivation: Getting information about entries in the Transparency Log allows users to retrieve specific metadata related to an artifact. This can be useful in verifying the integrity and authenticity of the artifact during the software supply chain.
Explanation:
--uuid=0e81b4d9299e2609e45b5c453a4c0e7820ac74e02c4935a8b830d104632fd2d1
: Specifies the identifier of the entry in the Transparency Log. Despite the name, this is not an RFC 4122 UUID: it is the hex SHA-256 leaf hash of the canonicalized entry body (64 hex digits), optionally prefixed by the 16-hex-digit tree ID of the log shard. An entry can equally be fetched by position with --log-index=N.
Example Output: The command prints the entry's log index, integrated time, log ID, UUID and decoded body (for a rekord entry: the artifact digest, the signature and the public key). Pass --format json to get the same fields as JSON for scripting. Note that get returns what the log has stored; it does not by itself prove the entry is included in a signed tree head, nor that the recorded digest matches the file in your hands.
Use case 3: Search the Rekor index to find entries by Artifact
Code:
rekor-cli search --artifact path/to/file.ext
Motivation: Searching the Rekor index for entries by artifact allows users to retrieve all the metadata related to a particular artifact. This is helpful when trying to gather information about the provenance and chain of custody of an artifact within the software supply chain.
Explanation:
--artifact path/to/file.ext
: Specifies the path to the artifact file. The client computes the file's SHA-256 locally and queries the index by that digest; the artifact itself is never sent to the server.
Example Output: The command prints the UUIDs of all entries in the Rekor index recorded for that digest, one per line. Several entries are normal when an artifact has been signed more than once or by more than one key; feed each UUID to rekor-cli get to see which key signed it.
Use case 4: Search the Rekor index to find entries by a specific hash
Code:
rekor-cli search --sha 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
Motivation: Searching the Rekor index for entries by a specific hash enables users to locate all the metadata related to an artifact based on its hash value. This can help in verifying the authenticity and integrity of the artifact during the software supply chain.
Explanation:
--sha 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
: Specifies the SHA-256 digest of the artifact, as lowercase hex and optionally prefixed with sha256:. This is the same lookup as --artifact, but it lets you search when you have only a digest (from a lockfile, an SBOM or a build log) and not the file itself.
Example Output: The command prints the UUIDs of the entries whose recorded digest equals the given hash.
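Getting an entry back (use case 2) or finding one by digest (use cases 3 and 4) is only half the job: the digest inside the entry must match the file you hold, the public key inside it must be one you trust, and the UUID you asked for must actually be the hash of the body you were handed. The script below is an added example, not part of rekor-cli or Rekor, that performs those offline checks and also shows what search --artifact computes and what search --sha accepts. It assumes the JSON shape of Rekor's REST response for GET /api/v1/log/entries/{uuid} (which rekor-cli get --format json wraps) and the rekord v0.0.1 body layout; the artifact, key and signature are constructed stand-ins, not real cryptographic material. The digest on the page's use case 4 is the SHA-256 of the single byte "1", which the test uses as a known value.

```python
"""Offline checks on what rekor-cli hands back (added example; not rekor-cli code).

Assumes Rekor's GET /api/v1/log/entries/{uuid} response shape and the
rekord v0.0.1 body layout. All sample inputs below are constructed.
"""
import base64
import hashlib
import json

# Constructed stand-ins for path/to/file.ext, key.pub and file.ext.sig.
ARTIFACT = b"hello, supply chain\n"
TRUSTED_PUBKEY_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
                      b"CONSTRUCTED-SAMPLE-KEY-NOT-A-REAL-KEY\n"
                      b"-----END PUBLIC KEY-----\n")
FAKE_SIGNATURE = b"constructed-signature-bytes"  # not a real signature


def artifact_digest(data: bytes) -> str:
    """SHA-256 hex of the artifact: what `search --artifact` computes locally."""
    return hashlib.sha256(data).hexdigest()


def search_sha_argument(data: bytes) -> str:
    """Value to pass to `rekor-cli search --sha` for a local file."""
    return "sha256:" + artifact_digest(data)


def canonical_json(obj) -> bytes:
    # Rekor canonicalizes entries with JCS (RFC 8785). For a body made only of
    # ASCII strings and integers, sorted keys without whitespace is identical.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def leaf_hash(body_bytes: bytes) -> str:
    """RFC 6962 leaf hash, SHA-256(0x00 || body). Rekor's entry "UUID" is this
    value in hex; sharded logs prefix it with the 16-hex-digit tree ID."""
    return hashlib.sha256(b"\x00" + body_bytes).hexdigest()


def make_rekord_body(artifact: bytes, signature: bytes, pubkey_pem: bytes) -> dict:
    """rekord v0.0.1 body: only the artifact's digest is recorded, not its bytes."""
    return {
        "apiVersion": "0.0.1",
        "kind": "rekord",
        "spec": {
            "data": {"hash": {"algorithm": "sha256", "value": artifact_digest(artifact)}},
            "signature": {
                "format": "x509",
                "content": base64.b64encode(signature).decode(),
                "publicKey": {"content": base64.b64encode(pubkey_pem).decode()},
            },
        },
    }


def make_log_entry(body: dict, log_index: int, tree_id_hex: str) -> dict:
    """Constructed GET /api/v1/log/entries/{uuid} response: one key, the UUID."""
    raw = canonical_json(body)
    return {tree_id_hex + leaf_hash(raw): {
        "body": base64.b64encode(raw).decode(),
        "integratedTime": 1700000000,   # constructed
        "logID": "ab" * 32,             # constructed placeholder, not a real log ID
        "logIndex": log_index,
    }}


def check_entry(entry: dict, artifact: bytes, trusted_pubkey_pem: bytes) -> list:
    """Return a list of problems; empty means the entry agrees with the artifact
    and key we hold. This does not verify the signature or the inclusion proof:
    use `rekor-cli verify` (or an x509 library) for those."""
    problems = []
    (uuid, rec), = entry.items()
    body_raw = base64.b64decode(rec["body"])
    body = json.loads(body_raw)
    if body.get("kind") != "rekord":
        return [f"unexpected entry kind {body.get('kind')!r}"]
    # The UUID must be the leaf hash of the exact bytes we were handed.
    if uuid[-64:] != leaf_hash(body_raw):
        problems.append("UUID does not match leaf hash of body")
    digest = body["spec"]["data"]["hash"]
    if digest["algorithm"] != "sha256":
        problems.append(f"unexpected hash algorithm {digest['algorithm']!r}")
    elif digest["value"] != artifact_digest(artifact):
        problems.append("entry digest does not match local artifact")
    key = base64.b64decode(body["spec"]["signature"]["publicKey"]["content"])
    if key.strip() != trusted_pubkey_pem.strip():
        problems.append("entry public key is not the key we trust")
    return problems


def sample_entry() -> dict:
    """What an honest log would return for ARTIFACT signed with our key."""
    body = make_rekord_body(ARTIFACT, FAKE_SIGNATURE, TRUSTED_PUBKEY_PEM)
    return make_log_entry(body, log_index=42, tree_id_hex="1111111111111111")


def tampered_entry(entry: dict, other_artifact: bytes) -> dict:
    """Simulate a response whose body was swapped for another artifact's
    while the UUID was left untouched."""
    (uuid, rec), = entry.items()
    new_body = make_rekord_body(other_artifact, FAKE_SIGNATURE, TRUSTED_PUBKEY_PEM)
    return {uuid: {**rec, "body": base64.b64encode(canonical_json(new_body)).decode()}}


if __name__ == "__main__":
    print("search --sha", search_sha_argument(ARTIFACT))
    print("honest entry:", check_entry(sample_entry(), ARTIFACT, TRUSTED_PUBKEY_PEM))
    swapped = tampered_entry(sample_entry(), b"other\n")
    print("swapped body:", check_entry(swapped, b"other\n", TRUSTED_PUBKEY_PEM))
```

The UUID check matters because rekor-cli get takes the identifier you supply and returns whatever the server answers; hashing the returned body yourself ties the two together without trusting the transport. The key comparison is a byte comparison of PEM text, which is enough for a demo; in production parse both keys and compare the encoded public key, and finish with rekor-cli verify so the inclusion proof and signed tree head are checked too.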
Conclusion:
Rekor-cli is the everyday interface to Rekor: it uploads signed artifacts, retrieves entries by UUID or log index, and searches the index by artifact or digest. Bear in mind what the log actually guarantees: an entry proves that a given signature and key were recorded for a given digest at a given time, not that the artifact is trustworthy. To turn a log entry into assurance about the artifact in your hands, recompute its digest, confirm the signing key is one you trust, and check the inclusion proof (rekor-cli verify does the latter) before relying on it.