Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: rekor | Distribution: SUSE Linux Enterprise 15 |
Version: 1.3.5 | Vendor: SUSE LLC <https://www.suse.com/> |
Release: 150400.4.19.1 | Build date: Tue Feb 6 15:36:30 2024 |
Group: Unspecified | Build host: h01-ch2d |
Size: 75189781 | Source RPM: rekor-1.3.5-150400.4.19.1.src.rpm |
Packager: https://www.suse.com/ | |
Url: https://github.com/sigstore/rekor | |
Summary: Supply Chain Transparency Log |
Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. Rekor will enable software maintainers and build systems to record signed metadata to an immutable record. Other parties can then query said metadata to enable them to make informed decisions on trust and non-repudiation of an object's lifecycle. For more details visit the sigstore website The Rekor project provides a restful API based server for validation and a transparency log for storage. A CLI application is available to make and verify entries, query the transparency log for inclusion proof, integrity verification of the transparency log or retrieval of entries by either public key or artifact. Rekor fulfils the signature transparency role of sigstore's software signing infrastructure. However, Rekor can be run on its own and is designed to be extensible to working with different manifest schemas and PKI tooling.
Apache-2.0
* Mon Feb 05 2024 meissner@suse.com - update to 1.3.5 (jsc#SLE-23476): - Additional unique index correction - Remove timestamp from checkpoint - Drop conditional when verifying entry checkpoint - Fix panic for DSSE canonicalization - Change Redis value for locking mechanism - give log timestamps nanosecond precision - output trace in slog and override correlation header name - bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207) * Sun Jan 28 2024 dmueller@suse.com - update to 1.3.4: * add mysql indexstorage backend * add s3 storage for attestations * fix: Do not check for pubsub.topics.get on initialization * fix optional field in cose schema * Update ranges.go * update indexstorage interface to reduce roundtrips * use a single validator library in rekor-cli * Remove go-playground/validator dependency from pkg/pki * Fri Nov 24 2023 meissner@suse.com - updated to rekor 1.3.3 (jsc#SLE-23476): - Update signer flag description - update trillian to 1.5.3 - adds redis_auth - Add method to get artifact hash for an entry - make e2e tests more usable with docker-compose - install go at correct version for codeql - updated to rekor 1.3.2 (jsc#SLE-23476): - updated to rekor 1.3.1 (jsc#SLE-23476): New Features: - enable GCP cloud profiling on rekor-server (#1746) - move index storage into interface (#1741) - add info to readme to denote additional documentation sources (#1722) - Add type of ed25519 key for TUF (#1677) - Allow parsing base64-encoded TUF metadata and root content (#1671) Quality Enhancements: - disable quota in trillian in test harness (#1680) Bug Fixes: - Update contact for code of conduct (#1720) - Fix panic when parsing SSH SK pubkeys (#1712) - Correct index creation (#1708) - docs: fixzes a small typo on the readme (#1686) - chore: fix backfill-redis Makefile target (#1685) * Fri Sep 01 2023 meissner@suse.com - updated to rekor 1.3.0 (jsc#SLE-23476): - Update openapi.yaml (#1655) - pass transient errors through retrieveLogEntry (#1653) - return full entryID on HTTP 409 responses (#1650) - feat: Support publishing new log entries to Pub/Sub topics (#1580) - Change values of Identity.Raw, add fingerprints (#1628) - Extract all subjects from SANs for x509 verifier (#1632) - Fix type comment for Identity struct (#1619) - Refactor Identities API (#1611) - Refactor Verifiers to return multiple keys (#1601) - Update checkpoint link (#1597) - Use correct log index in inclusion proof (#1599) - remove instrumentation library (#1595) - updated to rekor 1.2.2 (jsc#SLE-23476): - pass down error with message instead of nil - swap killswitch for 'docker-compose restart' * Tue May 30 2023 meissner@suse.com - updated to rekor 1.2.1 (jsc#SLE-23476): Security fix: - CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries can cause a panic (bsc#1211790) Functional Enhancements - add client method to generate TLE struct (#1498) - add dsse type (#1487) - support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488) - Add concurrency to backfill-redis (#1504) - omit informational message if machine-parseable output has been requested (#1486) - Publish stable checkpoint periodically to Redis (#1461) - Add intoto v0.0.2 to backfill script (#1500) - add new method to test insertability of proposed entries into log (#1410) Quality Enhancements - use t.Skip() in fuzzers (#1506) - improve fuzzing coverage (#1499) - Remove watcher script (#1484) Bug Fixes - Merge pull request from GHSA-frqx-jfcm-6jjr (CVE-2023-33199) - Remove requirement of PayloadHash for intoto 0.0.1 (#1490) - fix lint errors, bump linter up to 1.52 (#1485) - Remove dependencies from pkg/util (#1469) * Wed May 03 2023 meissner@suse.com - updated to rekor 1.1.1 (jsc#SLE-23476): Functional Enhancements - Refactor Trillian client with exported methods (#1454) - Switch to official redis-go client (#1459) - Remove replace in go.mod (#1444) - Add Rekor OID info. (#1390) Quality Enhancements - remove legacy encrypted cosign key (#1446) - swap cjson dependency (#1441) - Update release readme (#1456) Security fixes: - CVE-2023-30551: Fixed a potential denial of service (out of memory) when processing JAR META-INF files or .SIGN/.PKINFO files in APK files. (bsc#1211210 https://github.com/advisories/GHSA-2h5h-59f5-c5x9) * Wed Apr 05 2023 meissner@suse.com - updated to rekor 1.1.0 (jsc#SLE-23476): Functional Enhancements - improve validation on intoto v0.0.2 type (#1351) - add feature to limit HTTP request body length to process (#1334) - add information about the file size limit (#1313) - Add script to backfill Redis from Rekor (#1163) - Feature: add search support for sha512 (#1142) Quality Enhancements - various fuzzing fixes Bug Fixes - remove goroutine usage from SearchLogQuery (#1407) - drop log messages regarding attestation storage to debug (#1408) - fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309) - fix: fix regex for multi-digit counts (#1321) - return NotFound if treesize is 0 rather than calling trillian (#1311) - enumerate slice to get sugared logs (#1312) - put a reasonable size limit on ssh key reader (#1288) - CLIENT: Fix Custom Host and Path Issue (#1306) - do not persist local state if log is empty; fail consistency proofs from 0 size (#1290) - correctly handle invalid or missing pki format (#1281) - Add Verifier to get public key/cert and identities for entry type (#1210) - fix goroutine leak in client; add insecure TLS option (#1238) - Fix - Remove the force-recreate flag (#1179) - trim whitespace around public keys before parsing (#1175) - stop inserting envelope hash for intoto:0.0.2 types into index (#1171) - Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158) - remove double encoding of payload and signature fields for intoto (#1150) - fix SearchLogQuery behavior to conform to openapi spec (#1145) - Remove pem-certificate-chain from client (#1138) - fix flag type for operator in search (#1136) - use sigstore/community dep review (#1132) * Tue Nov 29 2022 meissner@suse.com - updated to rekor 1.0.1 (jsc#SLE-23476): - stop inserting envelope hash for intoto:0.0.2 types into index * Wed Oct 19 2022 meissner@suse.com - updated to rekor 1.0.0 (jsc#SLE-23476): - add description on /api/v1/index/retrieve endpoint by @bobcallaway in https://github.com/sigstore/rekor/pull/1073 - Adding e2e test coverage by @cdris in https://github.com/sigstore/rekor/pull/1071 - export rekor build/version information by @cpanato in https://github.com/sigstore/rekor/pull/1074 - Use POST instead of GET for /api/log/entries/retrieve metrics. by @var-sdk in https://github.com/sigstore/rekor/pull/1083 - Search through all shards when searching by hash by @priyawadhwa in https://github.com/sigstore/rekor/pull/1082 - verify: verify checkpoint's STH against the inclusion proof root hash by @asraa in https://github.com/sigstore/rekor/pull/1092 - add ability to enable/disable specific rekor API endpoints by @bobcallaway in https://github.com/sigstore/rekor/pull/1080 - enable configurable client retries with backoff in RekorClient by @bobcallaway in https://github.com/sigstore/rekor/pull/1096 - remove dead code around api-key and timestamp references by @bobcallaway in https://github.com/sigstore/rekor/pull/1098 - update swagger API version to 1.0.0 by @bobcallaway in https://github.com/sigstore/rekor/pull/1102 - remove unused RekorVersion API definition by @bobcallaway in https://github.com/sigstore/rekor/pull/1101 - install gocovmerge in hack/tools by @bobcallaway in https://github.com/sigstore/rekor/pull/1103 - add retry command line flag on rekor-cli by @bobcallaway in https://github.com/sigstore/rekor/pull/1097 - Add some info and debug logging to commonly used funcs by @priyawadhwa in https://github.com/sigstore/rekor/pull/1106 * Fri Sep 30 2022 meissner@suse.com - updated to rekor 0.12.2 (jsc#SLE-23476): - add description on /api/v1/index/retrieve endpoint - Adding e2e test coverage - export rekor build/version information - Use POST instead of GET for /api/log/entries/retrieve metrics. - Search through all shards when searching by hash * Tue Sep 27 2022 meissner@suse.com - updated to rekor 0.12.1 (jsc#SLE-23476): - ** Rekor ** v0.12.1 comes with a breaking change to rekor-cli v0.12.1. Users of rekor-cli MUST upgrade to the latest version The addition of the intotov2 created a breaking change for the rekor-cli - What's Changed - fix: fix harness tests with intoto v0.0.2 by @asraa in #1052 - feat: add file based signer and password by @asraa in #1049 - Adds new rekor metrics for latency and QPS. by @var-sdk in #1059 * Thu Sep 15 2022 meissner@suse.com - updated to rekor 0.12.0 (jsc#SLE-23476): - check supportedVersions list rather than directly reading from version map by @bobcallaway in #1003 - enable blocking specific pluggable type versions from being inserted into the log by @bobcallaway in #1004 - api.SearchLogQueryHandler thread safety by @cdris in #1006 - 'docker compose' to 'docker-compose' by @bobcallaway in #1009 - Intoto v0.0.2 by @pxp928 in #973 - Add bounds on number of elements in api/v1/log/entries/retrieve by @priyawadhwa in #1011 - Change Checkpoint origin to be "Hostname - Tree ID" by @haydentherapper in #1013 - feat: add verification functions by @asraa in #986 - Validate tree ID on calls to /api/v1/log/entries/retrieve by @priyawadhwa in #1017 - Include checkpoint (STH) in entry upload and retrieve responses by @haydentherapper in #1015 - fix: use entry uuid uniformly in return responses by @asraa in #1012 - remove /api/v1/version endpoint by @bobcallaway in #1022 - Fix rekor-cli backwards incompatibility & run harness tests against HEAD by @priyawadhwa in #1030 - Fix harness tests @ main by @priyawadhwa in #1038 - Fetch all tags in harness tests by @priyawadhwa in #1039 - fix retrieve endpoint response code and add testing by @asraa in #1043 - updated to rekor 0.11.0: - Add rekor harness tests by @priyawadhwa in #945 - Persist and check attestations across harness tests by @priyawadhwa in #952 - Add harness test for getting all entries by UUID and EntryID by @priyawadhwa in #957 - api: fix inclusion proof verification flake by @asraa in #956 - change default value for rekor_server.hostname to server's hostname by @bobcallaway in #963 - fix nil-pointer error when artifact-hash is passed without artifact by @dsa0x in #965 - Add prometheus summary to track metric latency by @priyawadhwa in #966 - compute payload and envelope hashes upon validating intoto proposed entries by @bobcallaway in #967 - update field documentation on publicKey for hashedrekord by @bobcallaway in #969 - Allow sharding config to be written in yaml or json by @priyawadhwa in #974 - fix incorrect schema id for cose type by @bobcallaway in #979 - fix: make rekor verify work with sharded uuids by @asraa in #970 - update builder and cosign images by @cpanato in #981 - remove trailing slash on directories by @bobcallaway in #984 - add support for intersection & union in search operations by @dsa0x in #968 - Update scorecard-action to v2:alpha by @azeemshaikh38 in #987 - updated to rekor 0.10.0: - reuse DSSE signature wrappers instead of a local copy by @bobcallaway in #912 - Updates on the release job/makefile cleanup by @cpanato in #914 - Return 404 if entry isn't found in log by @priyawadhwa in #915 - Update cosign image in validate-release job by @priyawadhwa in #931 - update go builder and cosign image by @cpanato in #934 - Drop application/yaml content type by @haydentherapper in #933 - Add rekor test harness to presubmit tests by @priyawadhwa in #921 - sparkles Enable Scorecard badge by @azeemshaikh38 in #941 - update go mod in hack/tools to go1.18 by @cpanato in #935 - add ldflags back by @cpanato in #944 * Wed Jul 27 2022 meissner@suse.com - updated to rekor 0.9.1 - feat: add subject URIs to index for x509 certificates by @asraa in #897 - fix: sql syntax in dbcreate script by @xens in #903 - Switch to go 1.18 and pin release-utils to v0.7.1 by @saschagrunert in #904 - Check inactive shards for UUID for /retrieve endpoint by @priyawadhwa in #905 - ensure log messages have requestID where possible by @bobcallaway in #907 - Remove unnecessary lookup of non-existent attestations from storage layer by @bobcallaway in #909 - Fix bug where /retrieve endpoint returns wrong logIndex across shards by @priyawadhwa in #908 - updated to rekor 0.9.0 - Add COSE support to Rekor by @kommendorkapten in #867 - Fix intoto index keys by @bobcallaway in #889 - Resolve virtual log index when calling /retrieve endpoint by @priyawadhwa in #894 - updated to rekor 0.8.2 - collect docker-compose logs if sharding tests fail, also trim IDs by @bobcallaway in #869 - ensure fallback logic executes if attestation key is empty when fetching attestation by @bobcallaway in #878 * Wed Jun 29 2022 meissner@suse.com - rekor-zypper-verify.sh: add a small script that verifies the on-system zypper repo cache against rekor transparency log. * Mon Jun 20 2022 meissner@suse.com - Updated to rekor 0.8.1 - Fix indexing bug for intoto attestations by @priyawadhwa in #870 - Allow an expired certificate chain to be uploaded and verified by @haydentherapper in #873 - Updated to rekor 0.8.0 - Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. by @dhaus67 in #847 - Configure rekor server in e2e tests via env variable by @priyawadhwa in #850 - update cross-builder image to use go1.17.11 and dockerfile base image by @cpanato in #860 - update go.mod to go1.17 by @cpanato in #861 - Improve error message when using ED25519 with HashedRekord type by @haydentherapper in #862 - Allow retrieving entryIDs or UUIDs via /api/v1/log/entries/retrieve endpoint by @priyawadhwa in #859 - Print total tree size, including inactive shards in rekor-cli loginfo by @priyawadhwa in #864 - Updated to rekor 0.7.0 - remove URL fetch of keys/artifacts server-side by @bobcallaway in #735 - intoto: add index on materials digest of slsa provenance by @asraa in #793 - chore(deps): Included dependency review by @naveensrinivasan in #788 - Check if intoto hash is available before accessing it as an index key by @priyawadhwa in #800 - Move deprecated dependency: google/trillian/merkle to transparency-dev by @asraa in #807 - Retrieve shard tree length if it isn't provided in the config by @priyawadhwa in #810 - update release builder images to use go 1.17.10 and cosign image to 1.8.0 by @cpanato in #820 - update go to 1.17.10 in the dockerfile by @cpanato in #819 - Limit the number of certificates parsed in a chain by @haydentherapper in #823 - Breaking change: Remove timestamping authority by @haydentherapper in #813 - Add back owners for rfc3161 package type by @haydentherapper in #833 - all: remove dependency on deprecated github.com/pkg/errors by @zchee in #834 - name stored attestations by digest instead of UUID by @bobcallaway in #769 * Tue Apr 26 2022 meissner@suse.com - Updated to rekor 0.6.0 - attempting to fix codeowners file by @bobcallaway in #653 - Update the warning text for the GA release. by @dlorenc in #654 - Add docs about API stability and deprecation policy by @priyawadhwa in #661 - update cross-build and dockerfile to use go 1.17.7 by @cpanato in #666 - Move k8s objects out of the default namespace by @k4leung4 in #674 - add securityContext to deployment. by @k4leung4 in #678 - Add intoto type documentation by @jspeed-meyers in #679 - create namespace for rekor config in yaml. by @k4leung4 in #680 - Set rekor-cli User-Agent header on requests by @bobcallaway in #684 - update security process link by @bobcallaway in #685 - explicitly set permissions for github actions by @k4leung4 in #687 - Add documentation about Alpine type by @jspeed-meyers in #697 - Add code coverage to pull requests. by @k4leung4 in #676 - Consistent parenthesis use in Makefile by @k4leung4 in #700 - Use logRangesFlag in API, route reads based on TreeID by @lkatalin in #671 - Generate release yaml for non-CI builds. by @k4leung4 in #702 - Mirror signed release images from GCR to GHCR as part of release by @k4leung4 in #701 - build trillian container to existing release. by @k4leung4 in #715 - Make the loginfo command a bit more future/backwards proof. by @dlorenc in #718 - Switch to using the swag library for pointer manipulation. by @dlorenc in #719 - Change TreeID to be of type string instead of int64 by @priyawadhwa in #712 - Add sharding e2e test to Github Actions by @priyawadhwa in #714 - fix merge conflict by @priyawadhwa in #720 - Clearer logging for createAndInitTree by @priyawadhwa in #724 - Return virtual index when creating and getting a log entry by @priyawadhwa in #725 - Fix copy/paste mistake in repo name. by @k4leung4 in #730 - Use reusuable release workflow in sigstore/sigstore by @k4leung4 in #729 - Get log proofs by Tree ID by @priyawadhwa in #733 - Refactor rekor-cli loginfo by @priyawadhwa in #734 - Update loginfo API endpoint to return information about inactive shards by @priyawadhwa in #738 - Replace trillian_log_server.log_id_ranges flag with a config file by @priyawadhwa in #742 - fix build date format for version command by @cpanato in #745 - Require tlog_id when log_id_ranges is passed in by @lkatalin in #739 - Use active tree on server startup by @lkatalin in #727 - Specify public key for inactive shards in shard config by @priyawadhwa in #746 - Add support for providing certificate chain for X509 signature types by @haydentherapper in #747 - fix typo in filename by @bobcallaway in #758 - Update release jobs and trillian images by @cpanato in #756 - Add the SHA256 digest of the intoto payload into the rekor entry by @bobcallaway in #764 - Add index to hashed intoto envelope by @asraa in #761 - Fix link in types README by @eddiezane in #765 - set p.Block after parsing in helm provenance type by @bobcallaway in #759 - Fix search without sha prefix by @eddiezane in #767 - Add in configmap to release for sharding config by @priyawadhwa in #766 - Search inactive trees for GET by UUID requests by @lkatalin in #750 - Create EntryID for new artifacts and return EntryID to user by @lkatalin in #623 - Update cloudbuild to not fail when copy the images by @cpanato in #773 * Fri Apr 01 2022 meissner@suse.com - Updated to rekor 0.5.0 * Highlights - Add Rekor logo to README (#650) - update API calls to v5 (#591) - Refactor helm type to remove intermediate state. (#575) - Refactor the shard map parsing so we can pass it down into the API object. (#564) - Refactor the alpine type to reduce intermediate state. (#573) * Enhancements - Add logic to GET artifacts via old or new UUID (#587) - helpful error message for hashedrekord types (#605) - Set Accept header in dynamic counter requests (#594) - Add sharding package and update validators (#583) - rekor-cli: show the url in case of error (#581) - Enable parsing of incomplete minisign keys, to enable re-indexing. (#567) - Cleanups on the TUF pluggable type. (#563) - Refactor the RPM type to remove more intermediate state. (#566) - Do some cleanups of the jar type to remove intermediate state. (#561) * Others - update version comments since dependabot doesn't do it (#617) - Use workload identity provider instead of GitHub Secret for GCR access (#600) - add OSSF scorecard action (#599) - enable the sbom for rekor releases (#586) - Point to the official website (instead of a 404) (#580) - Add a Makefile target for the "ko apply" step. (#572) - types/README.md: Corrected documentation link (#568) * Thu Feb 03 2022 meissner@suse.com - enable server build too, as people might want to deploy rekor chain themselves. * Tue Jan 25 2022 bwiedemann@suse.com - Fix BUILD_DATE for reproducible build results (boo#1047218) * Thu Jan 06 2022 meissner@suse.com - updated to 0.4.0 Highlights - Adds hashed rekord type that can be used to upload signatures along with the hashed content signed (#501) * Wed Dec 08 2021 mrueckert@suse.de - prepare building of the serve part * Fri Nov 26 2021 mrueckert@suse.de - initial package
/usr/bin/rekor-cli /usr/bin/rekor-server /usr/bin/rekor-zypp-verify /usr/share/doc/packages/rekor /usr/share/doc/packages/rekor/CHANGELOG.md /usr/share/doc/packages/rekor/CODE_OF_CONDUCT.md /usr/share/doc/packages/rekor/CONTRIBUTORS.md /usr/share/doc/packages/rekor/DEPRECATIONS.md /usr/share/doc/packages/rekor/FEATURES.md /usr/share/doc/packages/rekor/MAINTAINERS.md /usr/share/doc/packages/rekor/OWNERS.md /usr/share/doc/packages/rekor/README.md /usr/share/doc/packages/rekor/oid-info.md /usr/share/doc/packages/rekor/types.md /usr/share/licenses/rekor /usr/share/licenses/rekor/LICENSE
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Jul 9 20:06:21 2024