Project description
Python Rekor Signed Artifact Verification Script
Overview
In software development, artifact signing is a method of increasing the security of software by associating an artifact with the person who uploaded it.
Sigstore is a tool that simplifies artifact signing: it signs the artifact and uploads the signature details to Rekor, an append-only transparency log, so that other users can verify the integrity of the artifact.
This script contains functions for interacting with the Rekor log, such as verifying that an artifact is included in the log.
Usage
Prior to using this script, an artifact is signed using a tool like cosign. For example:
cosign sign-blob <artifact> --bundle artifact.bundle
The generated .bundle file contains details about the signing, such as the log entry that was appended to Rekor as well as the log ID.
Once you have an artifact that has been signed, you can use this script to do the following:
Verify the inclusion of the artifact in Rekor
python main.py --inclusion <logIndex> --artifact <artifact>
Fetch the latest log entry in Rekor
python main.py -c
Verify the consistency of a log entry with the latest Rekor log entry
To perform consistency verification, you need the following details of the log entry whose consistency you want to verify: treeId, treeSize, and rootHash. You can query the Rekor API for your log entry to obtain these details. Once you have them, the following command performs the consistency verification:
python main.py --consistency --tree-id <treeId> --tree-size <treeSize> --root-hash <rootHash>
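The inclusion check behind the --inclusion command is a Merkle audit-path verification against the Rekor tree. The following is an added example, not code from this project: it implements RFC 6962 leaf/node hashing and the RFC 9162 inclusion-proof algorithm that Rekor (a Trillian-backed log) uses, and builds a small constructed tree to exercise it. The root_hash and inclusion_path helpers exist only to generate sample data; in a real check the leaf hash, audit path, tree size and root hash come from the Rekor entry and its checkpoint, and the leaf data is the canonicalized entry body. The consistency check is not covered here.

```python
import hashlib

# RFC 6962 domain-separated hashing, as used by Rekor (a Trillian-backed log):
# leaves are hashed with a 0x00 prefix, interior nodes with 0x01.
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:  # largest power of two strictly less than n
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def root_hash(leaves: list) -> bytes:
    """Merkle tree hash over already-hashed leaves (used here to build sample data)."""
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))

def inclusion_path(index: int, leaves: list) -> list:
    """Audit path for leaves[index], leaf-to-root order, as Rekor returns it."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_path(index, leaves[:k]) + [root_hash(leaves[k:])]
    return inclusion_path(index - k, leaves[k:]) + [root_hash(leaves[:k])]

def verify_inclusion(log_index: int, tree_size: int, leaf: bytes,
                     path: list, root: bytes) -> bool:
    """RFC 9162 inclusion check: rebuild the root from leaf + audit path and compare."""
    if log_index >= tree_size:
        return False
    fn, sn, r = log_index, tree_size - 1, leaf
    for p in path:
        if sn == 0:  # proof has more hashes than the tree has levels
            return False
        if fn & 1 or fn == sn:  # our node is a right child (or the unpaired last one)
            r = node_hash(p, r)
            if not fn & 1:  # skip levels where the node had no right sibling
                while fn & 1 == 0 and fn != 0:
                    fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root  # all levels consumed and root reproduced
```

A mismatched leaf, a wrong tree size, or an index outside the tree all make verify_inclusion return False, which is the signal that the artifact's entry is not provably in the log the checkpoint describes.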
Installation
This script has a few dependencies that must be installed before use. They can be installed by running:
pip install -r requirements.txt
File details
Details for the file rekor_verification-0.1.0.tar.gz.
File metadata
- Download URL: rekor_verification-0.1.0.tar.gz
- Upload date:
- Size: 7.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.2.1 CPython/3.13.1 Darwin/24.6.0
File details
Details for the file rekor_verification-0.1.0-py3-none-any.whl.
File metadata
- Download URL: rekor_verification-0.1.0-py3-none-any.whl
- Upload date:
- Size: 9.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.2.1 CPython/3.13.1 Darwin/24.6.0