How to Utilize the 'rekor-cli' Command (with Examples)

Rekor is an integral part of the Sigstore project; it’s designed to provide a tamper-resistant and immutable ledger of metadata vital for a software project’s supply chain. By utilizing the ‘rekor-cli’ command-line tool, developers and security professionals can interact with Rekor to ensure the authenticity and integrity of artifacts, improving the security posture of their software supply chains. This becomes increasingly important in environments where maintaining the integrity of software components is crucial. Below, we will explore four fundamental use cases of ‘rekor-cli’, demonstrating how it can be employed to achieve different objectives.

Use case 1: Upload an Artifact to Rekor

Code:

rekor-cli upload --artifact path/to/file.ext --signature path/to/file.ext.sig --pki-format=x509 --public-key=path/to/key.pub

Motivation:

Uploading an artifact to Rekor is essential when you want to ensure that the metadata associated with a software component is preserved in a tamper-evident log. This practice is a cornerstone of supply chain security, facilitating easier auditing and verification of software components in the future. By doing so, you create a reliable source of truth for the artifact, which can be referred back to check its authenticity and integrity.

Explanation:

  • upload: This sub-command is used to add a new entry to the Rekor log, which encapsulates the metadata and signature of an artifact.
  • --artifact path/to/file.ext: Specifies the file path of the artifact you intend to log. It’s crucial to provide the correct path to ensure the exact file details are recorded.
  • --signature path/to/file.ext.sig: Points to the location of the signature file for the artifact. This signature is used to verify the authenticity of the artifact.
  • --pki-format=x509: Indicates the Public Key Infrastructure (PKI) format of the signature and public key being supplied. Here it is x509, the standard public key certificate format.
  • --public-key=path/to/key.pub: Provides the path to the public key file that corresponds with the private key used to generate the signature. It’s necessary for verifying the artifact’s signature.

Example Output:

Created entry at index 12345678 in the Rekor log at https://rekor.sigstore.dev

Use case 2: Get Information Regarding Entries in the Transparency Log

Code:

rekor-cli get --uuid=0e81b4d9299e2609e45b5c453a4c0e7820ac74e02c4935a8b830d104632fd2d1

Motivation:

Retrieving information about a specific entry helps in auditing and verifying specific artifacts that have been previously logged. It allows developers and security personnel to trace back and inspect the metadata, ensuring that the logged data has not been tampered with. This is a core aspect of maintaining transparency and trust in software distribution channels.

Explanation:

  • get: This sub-command is used to obtain information about a specific entry within the Rekor log.
  • --uuid=0e81b4d9299e2609e45b5c453a4c0e7820ac74e02c4935a8b830d104632fd2d1: The unique identifier of the log entry of interest. Unlike the log index, the UUID is derived from the entry’s content rather than its position, so it always refers to exactly one entry.

Example Output:

{
  "body": "...",
  "integratedTime": 1635809862,
  "logIndex": 12345678,
  "logID": "some-log-id",
  ...
}

Use case 3: Search the Rekor Index to Find Entries by Artifact

Code:

rekor-cli search --artifact path/to/file.ext

Motivation:

Searching for entries by artifact is particularly useful when an organization needs to audit or revisit all related metadata and entries about a specific software component. This enables anyone who relies on a particular artifact to confirm its validity and trace its usage across different systems and projects.

Explanation:

  • search: This sub-command triggers a search in the Rekor database to find specific log entries.
  • --artifact path/to/file.ext: Denotes the path to the artifact in question, instructing Rekor to search its logs for entries associated with the specified artifact.

Example Output:

Found entry with UUID: 0e81b4d9299e2609e45b5c453a4c0e7820ac74e02c4935a8b830d104632fd2d1

Use case 4: Search the Rekor Index to Find Entries by a Specific Hash

Code:

rekor-cli search --sha 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

Motivation:

Hash-based searching is a fast way to identify and verify artifacts, because a SHA-256 digest is a collision-resistant fingerprint of the file’s exact contents. If you know the hash of a file, searching the log by that hash can corroborate its authenticity across the various stages of the supply chain.

Explanation:

  • search: Initiates a search in the Rekor logs.
  • --sha 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b: The SHA-256 hash corresponding to the artifact you’re interested in. This is utilized as a unique fingerprint for rapid identification of the associated entries.

Example Output:

Found entry with UUID: 0e81b4d9299e2609e45b5c453a4c0e7820ac74e02c4935a8b830d104632fd2d1
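The two search forms above (by artifact path and by hash) and the get output from use case 2 fit together into one local check: compute the SHA-256 of the file you actually hold, search the log for it, fetch the returned entry, and confirm that the hash recorded inside the entry body matches your local digest. The Python below is an added example written for this page, not code from the Rekor project. It assumes that rekor-cli emits the entry as JSON (its --format json option) with the field names shown in the use case 2 output, that the body is base64-encoded JSON of kind rekord or hashedrekord whose spec.data.hash holds the artifact digest, and it uses a constructed sample artifact and entry (with placeholder signature and key material) so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample artifact; in practice this is the file you would pass to
# `rekor-cli upload --artifact` or `rekor-cli search --artifact`.
SAMPLE_ARTIFACT = b"hello world\n"

_SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 digest, the form `rekor-cli search --sha` takes."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def search_command(digest: str) -> list:
    """Build the argv for `rekor-cli search --sha <digest>` (use case 4).

    A truncated, padded or non-hex value is rejected here rather than sent to
    the log, where it would simply match nothing.
    """
    digest = digest.strip().lower()
    if not _SHA256_HEX.match(digest):
        raise ValueError("expected a 64-character hex SHA-256 digest")
    return ["rekor-cli", "search", "--sha", digest]


# Constructed stand-in for the JSON returned by `rekor-cli get --uuid <id>`.
# Key names follow the page's example output; the body is base64-encoded JSON
# as in the real log (a rekord-kind entry with placeholder signature/key).
_DECODED_BODY = {
    "apiVersion": "0.0.1",
    "kind": "rekord",
    "spec": {
        "data": {"hash": {"algorithm": "sha256", "value": sha256_bytes(SAMPLE_ARTIFACT)}},
        "signature": {
            "format": "x509",
            "content": "PLACEHOLDER-BASE64-SIGNATURE",
            "publicKey": {"content": "PLACEHOLDER-BASE64-PEM-KEY"},
        },
    },
}
SAMPLE_ENTRY = {
    "body": base64.b64encode(json.dumps(_DECODED_BODY).encode()).decode(),
    "integratedTime": 1635809862,
    "logIndex": 12345678,
    "logID": "some-log-id",
}


def _field(entry: dict, name: str):
    """Case-insensitive key lookup, so capitalised variants of the same keys also work."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value
    raise KeyError(name)


def decode_entry_body(entry: dict) -> dict:
    """Base64-decode and parse the entry body that get returns as an opaque string."""
    return json.loads(base64.b64decode(_field(entry, "body")))


def entry_artifact_hash(entry: dict) -> tuple:
    """Return (algorithm, hex digest) recorded for the artifact inside the entry body."""
    body = decode_entry_body(entry)
    kind = body.get("kind")
    if kind not in ("rekord", "hashedrekord"):
        raise ValueError(f"unsupported entry kind: {kind!r}")
    h = body["spec"]["data"]["hash"]
    return h["algorithm"].lower(), h["value"].lower()


def verify_entry_matches(entry: dict, local_digest: str) -> bool:
    """True only if the logged digest equals the digest of the file you hold."""
    algorithm, logged = entry_artifact_hash(entry)
    if algorithm != "sha256":
        raise ValueError(f"entry uses {algorithm}, expected sha256")
    return hmac.compare_digest(logged, local_digest.strip().lower())


if __name__ == "__main__":
    digest = sha256_bytes(SAMPLE_ARTIFACT)
    print(" ".join(search_command(digest)))
    print("entry matches local artifact:", verify_entry_matches(SAMPLE_ENTRY, digest))
```

A matching hash confirms only that the log holds an entry for this exact content. Whether that entry was signed by a key you trust is a separate check: rekor-cli’s verify subcommand, or your own verification of the signature and publicKey fields in the decoded body against the same artifact.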

Conclusion

The ‘rekor-cli’ command-line utility offers users robust methods for maintaining transparency and verifiability within software supply chains. By uploading artifacts, retrieving detailed logs, and conducting searches using artifacts or their hashes, organizations bolster their software security by ensuring that critical metadata remains immutable and accessible for auditing. This plays a vital role in fostering trust and security in complex software ecosystems.
