Open andrew-m-leonard opened 2 weeks ago
Sign as x509 and Upload:
# Create keys
openssl ecparam -genkey -name prime256v1 > ec_private.pem
openssl ec -in ec_private.pem -pubout > ec_public.pem
# Sign
openssl dgst -sha256 -sign ec_private.pem -out TestArtifact.txt.sig TestArtifact.txt
# Upload to Rekor
rekor-cli upload --rekor_server http://127.0.0.1:3000 --artifact TestArtifact.txt --signature TestArtifact.txt.sig --pki-format=x509 --public-key=ec_public.pem
Retrieve:
rekor-cli get --rekor_server http://127.0.0.1:3000 --uuid=<uuid>
Verify:
# Get public key from Rekor entry
rekor-cli get --rekor_server http://127.0.0.1:3000 --uuid=<uuid> --format json | jq -r '.Body .RekordObj .signature .publicKey .content' | base64 -d > retrieve.publicKey
# Get signature from Rekor entry
rekor-cli get --rekor_server http://127.0.0.1:3000 --uuid=<uuid> --format json | jq -r '.Body .RekordObj .signature .content' | base64 -d > retrieve.signature
# Verify
openssl dgst -sha256 -verify retrieve.publicKey -signature retrieve.signature TestArtifact.txt
==> Verified OK
Some notes:
Summary:
Install Rekor server and cli: https://docs.sigstore.dev/logging/installation/
Sign and Upload to Rekor-server: https://docs.sigstore.dev/logging/sign-upload/#pkixx509
Verifying Rekor entry: https://docs.sigstore.dev/logging/verify-release/#verify-the-entry-is-in-the-transparency-log